Terms of service for Pocket Solutions AB
Information about Pocket Solutions AB
These terms and conditions (the "Terms") are applicable to all services provided by Pocket Solutions AB (Reg. No. 559169-9623) ("Pocket Solutions AB", "us", "our" or "we").
By "you" we mean the legal entity that is ordering Services under these Terms, any of your affiliates together with your and your affiliates’ employees and representatives.
When we refer to the "parties" we mean you and us together.
You may contact us by sending an email to firstname.lastname@example.org ("Contact Information").
Agreeing to the terms
By creating an Account and using the Services you agree to the Terms. Please make sure that you have read and understood the Terms beforehand. If you do not agree to these Terms, you must not create an Account or use the Services.
"Account" means the account that you register and create on the Site and/or in the App.
"App" means our application, accessible via computer or mobile device, relating to the Services.
"Contact Information" means the information set out above.
"Functions" means the Site, the App, your Account and the Services, jointly.
"Services" means the services described under section "Services" below which we have made available through the Site and the App, together with any such other related goods, equipment, services and information made available by us to you.
"Site" means our website (https://pocketlaw.se) relating to the Services.
"Subscription Period" is defined under section "Term and termination" below.
Description of the services
We provide a technical platform that provides legal information, guidance and an opportunity to create and store agreements and policies. However, we are not a law firm or legal service and we do not provide legal advice (the "Service"). More information about the Services can be found on the Site and in the App.
Setting up an account
For ordering of the Services, you must create an Account. You are not allowed to transfer the Account to others, and you may only sign up one (1) Account. Once an Account has been successfully created, and payment has been made where prepayment is required, the Services will be available and ready to use or order, as instructed on the Site and in the App.
The Services shall be ordered in accordance with the instructions on the Site and the App.
Our confirmation of your order will take place when we email you and/or send you a confirmation in the App, at which point a contract will come into existence between you and us.
Delivery of services
During the order process we will let you know when and where we will provide the Services to you.
We offer the Services to companies and other legal entities. You warrant that you are authorised to enter into these Terms on behalf of the legal entity as well as to use all Functions.
These Terms constitute the entire agreement between us in relation to the Services. You warrant that the persons (e.g. employees and representatives) you authorise to create Accounts and use the Services have read and understand the Terms. You are at all times responsible for the use of Services under these Terms, including by such persons - as if it was you using the Services.
Use of the functions
When you use the Functions, you must always comply with all applicable laws, regulations and public orders. You shall not access the Site or the App other than through interfaces provided by us and as otherwise expressly authorised under these Terms. You may not use the Functions in a manner contrary to our, or any third party’s, rights and interests. You agree to comply with all instructions and recommendations provided by us from time to time.
You agree to be responsible for all activities that occur under your Account. Credentials for your Account must be kept secure at all times and you are forbidden to share data relating to your Account with any third parties. Should you suspect that your Account or your credentials have been or are being used by a third party you must contact us immediately by using any of our Contact Information.
You also agree not to:
- Defame, abuse, harass, threaten or otherwise violate the legal rights of any third party or us;
- Publish, post or - in any other way express - any material or information that is inappropriate, defamatory, infringing, obscene, pornographic, racist, terrorist, politically slanted, indecent or unlawful;
- Contribute to destructive activities such as dissemination of viruses, spam or any other activity that might harm us, the Site and/or the App in any way;
- Monitor the Services’ availability, performance or functionality for any competitive purpose, meaning, for example, that you agree not to access the Services for the purpose of developing or operating a competitive product or service or copying the Services’ features or user interface; or
- Resell or in any way redistribute results generated in the Site and/or the App or use the Services in order to create a competing service or product.
We may have to suspend the supply of any of the Functions to:
- Deal with technical problems or make minor technical changes; or
- Update changes to the Functions to reflect changes in applicable laws and regulatory requirements.
We will contact you in advance in the event we need to suspend the supply of any Service. This does not apply if the problem is urgent or an emergency.
We are entitled to decline or adjust an order from you and close down your Account in the event that you provide us with untrue, inaccurate, not current, or incomplete information when creating your Account. This shall also apply if you fail to comply with these Terms (for example if you have not paid for the Services in time) or other mandatory provisions by law. Upon occurrence of any of these events, we will contact you and request that you remedy your breach of these Terms.
Your provision of content
The Site and/or the App include(s) functions for uploading and storing of files and other information provided or created by you ("Content"). You are responsible for all distribution and other actions by you and in your.
By adding Content to the Site and/or the App, you warrant that you are a) the owner of the uploaded Content or b) entitled to manage the Content in such way and that the Content or your use of the Content in no way violates any applicable legislation. We will not supervise whether any Content is lawfully uploaded or distributed through the Site and/or the App.
By adding Content to the Site and/or the App, you are aware that, depending on the settings of your Account, such Content might be shared with others. We are not liable for any loss of Content and we advise you to always keep your own backup of your Content. We do not take any responsibility with regards to the validity of Content provided or created by you.
PRICES AND PAYMENT
Payment for use of the Services is made periodically in advance or in arrears. Each payment will cover a Subscription Period during which you will have access to the Services.
You must pay all applicable fees as set out and described on the Site and/or the App for the Services that you have selected. The prices for the Services are set out on the Site and/or in the App and include any explicitly set out relevant delivery costs, value added tax (VAT) or other fees and taxes. The price of the Services provided to you will be the price indicated on the order pages when you placed your order.
We have the right to change the prices for the Services. If we change the prices, we will notify you in advance. Price changes will take effect at the start of the Subscription Period following the date the prices were changed. By continuing to use or access the Services after the price changes come into effect, you agree to be bound by the new charges. You are entitled to cancel your subscription at any time, and you will continue to have access to the Services throughout your current Subscription Period. If you have been offered Services for a specific term and price, that price will remain in force for that agreed time.
Where you have signed up to use the Services during a trial period, you will have access to all or some of the Services (as further described on the Site and in the App) free of charge during such trial period.
Payment for the Services can be made in accordance with what is set out below.
We offer payments in cooperation with by way of:
- Invoice (when paying an aggregate annual fee upfront)
- Card payment
On your payment, the third party processor's/provider’s terms and conditions will apply (). You may be requested to identify yourself and credit reports may be pursued by the third party processor/provider. Where we use a third party for payments, we will not have access to or store any payment information.
The Services may be paid for by credit or debit card. You must keep the payment information provided to us accurate and up-to-date.
We may invoice you for the Services in advance or in arrears, with the frequency agreed for the period contracted. You agree that we may issue electronic invoices, which will be sent to the email address you have provided in your Account. You must keep the payment information provided to us accurate and up-to-date.
We are entitled to perform a credit control when this is needed in order to be able to offer you a credit period.
You agree to pay within the set time for the payment method you choose. We have the right to close down your Account until you have paid for all the charges incurred by you. Payment after due date can entail late payment fees and interest.
Unless otherwise expressly set out in these Terms, we do not provide refunds, right to return for a purchased subscription, credits for any partially used subscription, credits for any unused Account or credits by reason of your dissatisfaction with the Products and/or the Functions.
TERM AND TERMINATION
The term for our Services commences upon creation of an Account with us and shall remain in force during the subscription period ("Subscription Period"). A Subscription Period is twelve (12) months ahead unless otherwise stated.
You can cancel your Subscription at any time and it will then expire automatically after your current Subscription Period. Note that you are bound by the Subscription, including the cost that you committed to in connection with the purchase during the outstanding Subscription Period, even if you cancel the Subscription prematurely.
At the end of each Subscription Period, your subscription will be automatically renewed for a twelve (12) month subscription unless terminated by you by giving 30 days’ notice before the end of your current Subscription Period. The same applies if you upgrade your Account, then the subscription is automatically extended by 12 months.
To terminate the Services you need to notify us in writing to email@example.com or by contacting us using the Contact Information. Your subscription will not be renewed if you cancel it in writing no later than 30 days before the last day of your current Subscription Period.
Upon termination, your right to access the Services will be revoked immediately. We will also delete or anonymise any personal information about you, with exception for any personal information that we are required to keep by law.
Any Services still ongoing upon termination shall be carried through in accordance with these Terms. Obligations arising from any breach of contract during the term of these Terms shall not be affected by termination.
We reserve the right to terminate the contract with you if you:
- Breach or otherwise violate these Terms or any other provisions set up by us; or
- Use the Site, the App or the Services in any way that does not comply with the intended purposes or is otherwise harmful for us or any third person.
You may sign up to use the Services during a trial period in which case you will have access to all or some of the Services (as further described on the Site and the App). If you would like to continue using the Services following the agreed trial period, you shall notify us upon the expiration of such trial period.
Not legal advice
Whilst our goal is to ensure that the content on the Site and the App is up to date and current, this is not a contractual commitment and we make no representations, warranties or guarantees, whether express or implied, that the content on the Site and the App is accurate, complete or up to date.
Our content, templates and guidance on the Site and the App can be used as a source of legal information but do not substitute for taking legal advice. The content (including the documents and any guidance) on the Site and the App has been created for a wide audience and may not be appropriate or applicable to your situation. We would always recommend that you take legal advice before making any decisions in relation to any content, templates and guidance on the Site and the App.
We are not a law firm or legal service and we do not provide legal advice. We do not review the choices you make in the platform or review the agreements and documents you create and are not responsible for the end result or the values you make when you use the Service. Your use of the Service does not create a client-attorney relationship between you and us. If you seek legal advice from a law firm or other person acting as our partner, their own terms and conditions apply to the advice you receive from / via them. If you need legal advice, you should contact a lawyer.
Our liability to you will be limited as follows:
- we shall not be liable to you, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, for any loss of profit, or any indirect or consequential loss arising under or in connection with any contract between us; and
- our total liability to you for all other losses arising under or in connection with any contract between us, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall be limited to the total amount you have paid for the Service according to the current order / agreement. If you use the Service during a test period or otherwise free of charge, our liability is limited to SEK 1,000.
We are only responsible for damages that are notified in writing, no later than three (3) months after you discover or should have discovered the damage, but no later than six (6) months from the time the damage occurred.
Defects and delays beyond our control (force majeure)
We are not responsible for delays and defects outside our control. If our suppliers are delayed by an event outside our control, then we will contact you as soon as possible to let you know and we will take steps to minimise the effect of the delay. Provided that we do this we will not be liable for defects and delays caused by the event, but if there is a risk of substantial defect or delay you may contact us to end the agreement and receive a refund for any Services you have paid for but not received.
During the term of these Terms and thereafter, the parties undertake not to disclose to any third party information regarding these Terms, nor any other information that the parties have learned as a result of these Terms, whether written or oral and irrespective of form ("Confidential Information").
The parties agree and acknowledge that the Confidential Information may be used solely for the fulfilment of the obligations under these Terms and not for any other purpose. The receiving party further agrees to use, and cause its directors, officers, employees, sub-contractors or other intermediaries to use, the same degree of care (but not less than reasonable care) to avoid disclosure or use of Confidential Information.
The confidentiality undertaking above shall not apply to any Confidential Information that the Receiving Party can establish is or becomes available to the public (otherwise than by breach of this Agreement or any other confidentiality undertaking).
Each party also undertakes to ensure that any information disclosed under this section, to the extent possible, shall be treated confidentially by anyone receiving such information. This confidentiality undertaking shall remain in force three (3) years after the termination of the Terms.
CHANGES & ADDITIONS
We may modify these Terms at any time. In the event of changes which are not minor and may affect you, you will be notified via email or via the App. You are responsible for keeping yourself informed of any changes to the Terms. The latest version of the Terms will be available on the Site. Amendments to the terms and conditions become effective the business day following the day they are posted.
All new functionalities, features and content introduced and added to the Services, the Site or the App will be subject to what is stipulated in the Terms.
COMPLAINTS AND CUSTOMER SUPPORT
If you have any complaints, please contact our support department by using any of our Contact Information.
You acknowledge that you are the data controller for any personal data processed by us on your behalf in conjunction with your use of the Services. You also acknowledge that we are considered as your data processor; therefore, by agreeing to the terms we enter into the data processing agreement (Appendix DPA), which shall remain in effect for as long as we process personal data on your behalf.
PROPERTY AND INTELLECTUAL PROPERTY RIGHTS
The Site and the App are owned and operated by Pocket Solutions AB. All copyrights, trademarks, trade names, logos and other intellectual or industrial property rights held and used by us as well as those presented in the Functions (including titles, graphics, icons, scripts, source codes etc.) are our property or third party licensors’ property and must not be reproduced, distributed, sold, used, modified, copied, limited or used (in whole or in part) without our written consent.
Pocket Solutions AB grants you a non-exclusive right and licence to use the Site, the App and the Services for the sole purpose of us providing the Site, the App and the Services to you. Upon expiry or termination of this agreement, this right and licence shall end.
Respect for our property
You must not tamper with, attempt to gain unauthorised access to, modify, hack, repair or otherwise adjust any of our material, hardware, source-codes or other information for any purposes.
Respect for our intellectual property
You agree that the Service and other information, including all related intellectual property rights, provided and made available by us constitute our exclusive property. You may not in any way use our exclusive property for any commercial purpose or for any other purpose without our written consent.
GOVERNING LAW AND DISPUTES
Swedish law shall apply to these Terms.
Any dispute, controversy or claim arising out of or in connection with these Terms, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (SCC). The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators. The seat of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English, unless the parties have agreed otherwise. The SCC shall appoint the arbitrators. All arbitral proceedings shall be kept strictly confidential.
Pocket Solutions AB is an entity registered in Sweden.
Registered address: Norrlandsgatan 21, 111 43 Stockholm
Reg. No.: 559169-9623
VAT No.: SE559169-962301
In the event of a conflict between the translations of the terms and conditions, the Swedish version shall prevail.
This Data Processing Agreement with Schedules (the “Agreement”) has been entered into between:
Data Controller: You (“Customer”, “Controller”, “You”); and
Data Processor: PocketLaw Solutions AB (Reg. No. 559169-9623) (“PocketLaw”, “Processor”, “us”, “our” or “we”)
Each a “Party” and together “the Parties”.
1.1 The Agreement forms part of the PocketLaw Terms of Service found at https://pocketlaw.com/nb-no/terms/vilkar-og-betingelser (the “Terms”) and sets out the additional terms, requirements and conditions on which the Processor will process Personal Data (each as defined below) when providing services under the Terms. The Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.
1.2 The Agreement includes the following Schedules:
- Schedule 1 - Existing and Approved Sub-Processor
- Schedule 2 - Technical and Organisational Security Measures
- Schedule 3 - Contact Details
2. DEFINITIONS AND INTERPRETATION
2.1 The terms used in this Agreement shall have the same meaning as ascribed to them in Article 4 of the GDPR. Furthermore the following definitions and rules of interpretation apply in the Agreement:
“Applicable Law” refers to the legislation applicable to the processing of Personal Data under the Agreement, including the GDPR, supplementary national legislation, as well as practices, guidelines and recommendations issued by a Supervisory Authority.
"Supervisory Authority" means the Norwegian Data Protection Authority or an EU authority, such as the Swedish Authority for Privacy Protection, or another supervisory authority which on the basis of law has the authority to conduct supervisory activities over the Controller’s operation.
“Personal Data” means any information relating to an identified or identifiable living individual that is processed by the Processor on behalf of the Controller as a result of, or in connection with, the provision of the services under the Terms (in the Agreement “Personal Data” is used synonymously with “Personal Data for which the Data Controller is responsible for and which the Data Controller processes on behalf of the Data Processor”).
“Data Processor” means the company/organisation that sets out the purposes for which data is processed and is thereby held responsible for ensuring that Personal Data is processed in accordance with Applicable Law. The parties agree and acknowledge that for the purpose of the Data Protection Legislation the customer is the Controller.
“Data Controller” is the company/organisation that processes personal data on behalf of the Data Processor and is therefore only permitted to process data in accordance with the Controller’s written instructions. The Parties agree and acknowledge that for the purpose of the Data Protection Legislation, PocketLaw Limited is the Processor.
"Data Subject" is the identified or identifiable living individual to whom the Personal Data relates.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2.2 Unless otherwise defined in the Agreement, capitalised terms used in this Agreement shall have the same meaning as those given in the Terms.
2.3 In the case of conflict or ambiguity between the Terms and any provision contained in the body of the Agreement or the Schedules, the provisions in the Agreement will prevail.
2.4 The Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this agreement includes the Schedules.
2.5 A reference to a clause, paragraph or schedule is, unless stated otherwise, a reference to a clause or paragraph of, or schedule to this Agreement.
3. PERSONAL DATA TYPES AND PROCESSING PURPOSES
3.1 Data subject types. The Controller appoints the Processor to process data which identifies the Controller’s:
- Business contacts;
- Board members; and
- All other data subject types as determined by the Controller in accessing and using the Services provided by us
3.2 Categories of personal data. The Controller may submit Personal Data to the Processor, the extent of which is determined and controlled by the Controller in compliance with Applicable Laws and which may include:
- Contact details;
- National Insurance Number;
- Employee salary details;
- Location data; and
- All other categories of personal data as determined by the Controller in accessing and using the Services provided by us.
3.3 Source. The Processor processes personal data which:
- The Controller’s employees or authorised users add to any PocketLaw Services
- The Controller collects from its Data Subjects
3.4 The purpose for processing personal data (the “Purpose”):
- To enable the Controller to easily manage, upload, and access their legal, contractual and other types of documents via our App.
3.5 Processing activities:
- Storage and other Processing necessary to provide, maintain, and update the Services.
4. DATA PROCESSOR’S OBLIGATIONS
4.1 The Processor will observe and abide by the principles set out in Article 5 of the GDPR in connection with each and every Processing.
4.2 The Processor confirms that the Controller is not required to take any further action to ensure that the Processor fulfils its obligations in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements under Applicable Law, including for the security of Processing.
4.3 The Processor will only process the Personal Data to the extent, and in such a manner, as is necessary for the Purposes in accordance with the Controller’s written instructions. The Processor will not Process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation.
4.4 The Processor will, upon the request of the Controller, reasonably assist the Controller, at no additional cost, with meeting the Controller’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Processor's processing and the information available to the Processor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Supervisory Authority or other relevant regulator under the Data Protection Legislation.
4.5 The Processor must promptly notify the Controller if, in its opinion, the Controller's instructions do not comply with Applicable Law. If the Processor deems any written instructions provided by the Controller as incomplete, deficient, or false, the Processor must promptly inform the Controller. The Processor is permitted to refrain from following the Controller's instructions if they contravene Applicable Law.
5. CONTROLLER’S OBLIGATIONS
5.1 The Controller determines the purposes and means for processing Personal Data. The Controller retains control of the Personal Data and remains responsible for its regulatory and compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Processor.
5.2 The Controller retains responsibility for relations with data subjects in the processing of personal data.
5.3 The Controller is responsible for ensuring that personal data is accurate and up to date.
6. DATA BREACH
6.1 In the event of a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the personal data (“Personal Data Breach”), the data controller must, without undue delay and at the latest within eight (8) hours from the time of discovering the Personal Data Breach, provide written notice to the Controller via the contact details set out in Schedule 3.
6.2 The information will, to the extent that it is available to the Processor, contain the following:
- A description of the circumstances surrounding the Personal Data Breach
- A description of the nature of the Personal Data Breach and, where possible, the categories and the approximate number of data subjects affected by the incident.
- A description of the potential consequences of the Personal Data Breach in question
- A description of the measures taken or proposed to remedy the Personal Data Breach, as well as when implementing such measures may be appropriate, and measures for reducing the potential negative effects of such an incident.
- Contact details of the Data Protection Officer (“DPO”) or other relevant contact person who can provide further information to the Controller
6.3 Where it is initially not possible for the Processor to provide information to the Controller, the information may be provided in instalments without further undue delay.
7. AUDIT RIGHTS
7.1 On the Controller’s written request, the Processor must provide the Controller with any information reasonably required for the Controller to confirm the Processor’s compliance with its obligations under this Agreement and Applicable Law.
7.3 The Controller must give the Processor at least ten (10) business days written notice of any planned audits or inspections.
7.4 Any audit conducted in accordance with this clause may only be conducted:
- during normal business hours;
- after the Controller has confirmed that any appointed representative, whether working for the Controller or acting as an authorised third party, carrying out the audit is subject to a confidentiality agreement that is appropriate in relation to the Personal Data and the information to be audited; and
- in accordance with the Processor’s internal policies and security-related procedures.
7.5 Each party shall bear its own costs incurred in relation to the audit.
7.6 In the event that the Controller is reasonably required to conduct more than one audit in accordance with this clause within any twelve (12) month period, the Controller shall bear all costs reasonably incurred by the Controller in conducting the audit.
8.1 The Processor may only authorise a third-party (a sub-processor) to process the Personal Data if:
- the Controller is provided with an opportunity to object to the appointment of each sub-processor within five (5) working days after the Processor supplies the Controller with full details in writing regarding such sub-processor;
- the Processor enters into a written contract with the sub-processor that contains data protection obligations that provide at least the same level of protection for Personal Data as those contained in the Agreement, to the extent applicable to the services provided by the sub-processor;
- the Processor maintains control over all of the Personal Data it entrusts to the sub-processor; and
- the sub-processor’s contract terminates automatically on termination of this Agreement for any reason.
8.2 The Processor shall keep an up to date list of all its approved sub-processors. The list must be made available to the Controller upon request. Those sub-processors approved as at the commencement of this Agreement are as set out in Schedule 1. If the Controller reasonably objects to the appointment of a sub-processor it must provide written details of the reasonable grounds for its objection and the Processor will use commercially reasonable efforts to make a change to the services to avoid Processing of Personal Data by the objected to sub-processor or to appoint an alternative sub-processor. If the Processor is unable to make such a change to the services or appoint an alternative sub-processor within thirty (30) business days, either party shall have the right to terminate this Agreement and (if applicable) the Terms.
8.3 On the Controller’s written request, the Processor shall provide copies or relevant extracts (at the Processor’s sole discretion) of the Processor’s data processing agreements with sub-processors.
8.4 The Processor shall keep an up-to-date list of all its approved sub-processors. The list must be made available to the Controller upon request.
8.5 If a sub-processor fails to comply with its obligations under the data processing agreement between the sub-processor and the Processor, the Processor remains fully liable to the Controller for the sub-processor’s performance of the Controller’s obligations under the Agreement.
9 RECORDS AND DATA PROTECTION OFFICER
9.1 The Processor will keep written records (“Records”) of all data processing activities related to the Agreement. The Records will be made accessible to the Controller upon request.
9.2 In the event that the Processing or nature of business activities require the Processor to appoint a DPO in accordance with Applicable Law, the contact details of the DPO will be provided in Schedule 3.
10 CONTACT WITH AUTHORITIES, DATA SUBJECT REQUESTS
10.1 The Processor will inform the Controller without undue delay of any contact from Data Subjects, relevant authorities, courts or regulators (including the Supervisory Authority), or third parties concerned with the Processor’s Processing of Personal Data on behalf of the Controller.
10.2 If the Data Subject makes a request to exercise their Data Protection Legislation rights to the Processor, the Processor will refer the Data Subject to the Controller.
10.3 The Processor will accommodate inspections as required by domestic law, courts or regulators (including the Supervisory Authority).
10.4 The Processor is not permitted to represent the Controller’s interests or in any other way act on behalf of the Controller towards any Data Subject, authority or any other relevant third party.
11 TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
11.1 The Controller will adopt the appropriate organisational and technical security measures in order to protect personal data under the Agreement from unauthorised and illegal access. This includes ensuring sufficient physical access controls, system access controls, data access controls and data backups.
11.2 The suitability of technical and organisational measures will be assessed with regard to the latest technology available, associated costs for adoption, sensitivity of data concerned by the processing acts of the Processor, in addition to any risks to the rights and freedoms of data subjects.
11.3 If the Controller assesses the risk level of Processing by the Processor as high, and thereby conducts an impact assessment, the Controller must share the result of such an assessment so that this can be factored into a decision of what is a sufficient level of technical and organisational measures.
11.4 The Processor must follow any decisions issued by the Supervisory Authority or any other supervisory authority on measures to meet the security requirements in Applicable Law and all other requirements relating to the Personal Data Assistant in accordance with Applicable Law.
11.5 The Processor must comply with any decisions and consultation opinions issued by the supervisory authority on measures necessary to meet the security standards in accordance with Applicable Law and all other requirements relating to the Controller’s obligations under Applicable Law.
11.6 The Processor must ensure its employees, sub-processors and, where applicable, the employees of its sub-processors only have access to the Personal Data to the extent to which it is necessary and that those who have access to the Personal Data maintain the confidentiality of such information (e.g. by signing an individual confidentiality agreement).
11.7 Only employees or assigned individuals of the Processor deemed to have the necessary level of knowledge in relation to the nature and scope of the Personal Data processing may process the Personal Data.
11.8 Computer equipment, storage media and other equipment used in the processing of personal data performed by the Processor must be stored so that unauthorised persons cannot gain access to them.
11.9 The security in the Processor’s physical premises where personal data is processed must be suitable and secure with regard to locking equipment, functioning alarm equipment, protection against fire, water and burglary, and protection against power outages. The equipment used to process Personal Data must have good protection against theft and events that may destroy the equipment and/or Personal Data.
12 CONTROL OVER PERSONAL DATA
12.1 The Processor must ensure that the Personal Data remains protected against unauthorised, unlawful and unintentional destruction, modification and distortion. The Personal Data must be protected from unauthorised access during storage, transfer and other treatment. The Controller must not access Personal Data unless the identity of the recipient has been verified.
13 DATA TRANSFERS OUTSIDE THE EU/EES
13.1 The Processor primarily processes the Personal Data of the Controller within the EU/EES. In the event that Personal Data is not processed within the EU/EES, the Processor must ensure that processing takes place according to Applicable Law by ensuring that one of the following criteria is met:
13.1.1. There is a decision from the European Commission that the country ensures an adequate level of protection for the Personal Data;
13.1.2. The Processor applies the European Commission's standard contractual clauses (SCCs) for third country transfers; and
13.1.3. The Processor has adopted other appropriate safeguards which fulfil requirements under Applicable Law.
14 LIABILITY AND INDEMNITIES
14.1 The Parties are free from liability for obligations arising under the Agreement in cases where performance is hindered by a circumstance of an extraordinary nature beyond the Party's control which the Party could not reasonably be expected to have taken into account and whose consequences the Party could not reasonably have avoided.
14.2 The Processor’s liability arising out of or relating to this Agreement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise is subject to the “Our Liability” section of the Terms, and any reference in such section to our total liability means our aggregate liability under the Terms and this Agreement together.
14.3 The Processor agrees to indemnify the Controller for any damages incurred by the Controller as a direct result of the Processor processing Personal Data against the Controller’s instructions according to the Agreement and Applicable Law.
14.4 For the avoidance of doubt, we shall not be liable for any loss of profit, or any indirect or consequential loss arising in connection with this Agreement.
15.1 The Processor is not permitted to use information or any other material which they are provided access to in order to fulfil the Agreement or the Terms for any other purpose than those which are necessary to fulfil their obligations under this Agreement or the Terms.
15.2 The Processor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Controller or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Supervisory Authority). The agreement of confidentiality between the parties is valid from the date on which the Parties enter into the Terms until the Processor returns or destroys the Personal Data in accordance with this Agreement. The Processor will ensure that confidentiality is maintained by its employees and all other parties involved with the business or work undertaken on their behalf.
16 VALIDITY AND TERMINATION
16.1 This Agreement will remain in full force and effect so long as the Processor is processing Personal Data on behalf of the Controller or until the Agreement is replaced by a different data processing agreement.
16.2 The duties and obligations of the Processor in relation to the Agreement will remain in full force and effect in spite of the Agreement being terminated, so long as the Processor is Processing Personal Data on behalf of the Controller.
17 DELETION AND RETURN OF PERSONAL DATA
17.1 Upon termination of the Agreement, the Processor and any other potential sub-processors will either destroy or return the Personal Data concerned by the Agreement to the Controller.
17.2 In the event that the Controller has not requested destruction or return of the Personal Data concerned by the Agreement within twelve (12) months from the date on which the Agreement has terminated as agreed by the Parties, the Processor must destroy the Personal Data.
18 APPLICABLE LAW AND DISPUTE RESOLUTION
18.1 This agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of Sweden.
18.3 The specified dispute resolution mechanism applicable in the Terms will be applicable in this Agreement.
SCHEDULE 1 - EXISTING AND AUTHORISED SUB-PROCESSORS
- Name: Amazon Web Services (AWS)
  Type of Service: Data storage and distribution network (CDN)
  Website: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
  Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.
  Supplementary Measures: Personal data is processed within the EU/EES
- Name: Compose
  Type of Service: Cache database
  Website: https://www.compose.com/DPA-exhibit.html
  Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.
  Supplementary Measures: Personal Data is processed within the EU/EES
- Name: Hetzner
  Type of Service: Server
  Website: https://www.hetzner.com/de/
  Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.
  Supplementary Measures: Personal Data is processed within the EU/EES
- Name: Scrive
  Type of Service: E-signature
  Website: https://www.scrive.com/
  Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.
  Supplementary Measures: Personal Data is processed within the EU/EES
- Name: DocuSign
  Type of Service: E-signature
  Website: https://www.docusign.com/
  Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.
  Supplementary Measures: the sub-processor abides by binding corporate rules/EES
- Name: Hubspot
  Type of Service: CRM platform
  Website: https://www.hubspot.com/
  Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.
  Supplementary Measures: the sub-processors rely on the European Commission's standard contractual clauses (or SCCs).
- Name: Stripe
  Type of Service: Online payment processing
  Website: https://www.stripe.com/
  Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.
  Supplementary Measures: the sub-processors rely on the European Commission's standard contractual clauses (or SCCs).
SCHEDULE 2 - TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
The Processor has adopted the following technical and organisational measures to ensure that personal data is processed securely and that it is protected from loss, misuse and unlawful or unauthorised access.
Technical security measures are measures which are adopted through technical solutions.
- Access control level
- Access log
- Secure network
- Regular security inspection
- Two-factor authentication
- Password management software for all passwords
Organisational security measures are measures which are adopted in working methods and routines within the organisation.
- Internal policies and procedures
- Login and password management
- Physical security (premises etc.)
SCHEDULE 3 - CONTACT DETAILS
Email address: firstname.lastname@example.org