Terms of service for PocketLaw
Last updated: 9 December 2022
Information about PocketLaw
These terms of service (the "Terms") are applicable to all services provided by Pocket Solutions AB (a limited liability company incorporated under the laws of Sweden with company registration number 559169-9623) and its subsidiaries PocketLaw Limited (an entity registered in the United Kingdom with company number 13149151) and PocketLaw GmbH (a German entity registered with the German commercial company register under HRB 243960), as well as Pocket Solutions AB’s Norwegian branch office PocketLaw NUF (Norwegian organisation number 929 046 714) (jointly "PocketLaw", "us", "our" or "we"). You may contact us at email@example.com.
By "you" we mean the legal entity that is ordering Services under these Terms, any of your affiliates together with your and your affiliates’ directors, employees and representatives.
When we refer to the "parties" we mean you and us together.
PocketLaw enables companies to manage and do legal work themselves by automating legal knowledge and simplifying consumption of legal services and know-how. With PocketLaw, companies can manage their day to day legal themselves. For the avoidance of doubt, PocketLaw is not a law firm, does not provide legal, tax or book-keeping advice and is not responsible for any document created or decision taken based on the Services (as defined below). Please find more information on this topic under section “Not legal advice” below.
Agreeing to the Terms
By creating an Account, accessing the App and/or using the Services you agree to the Terms. Please make sure that you have read and understood the Terms beforehand. If you do not agree to these Terms, do not create an Account, access the App or use the Services.
"Account" means the account that you register and create on the Site and/or in the App.
"App" means our applications accessible via computer or mobile device (app.pocketlaw.com) relating to the Services.
"Contact Information" means firstname.lastname@example.org.
"Functions" means the Site, the App, your Account and the Services, together.
"Order Confirmation" means a written order confirmation sent by us to you to confirm an order of Services.
“PocketLaw Content” means information, guidance, templates, documents, instructions and any other content contained in the App and/or on the Site (excluding any Uploaded Content).
"Services" is defined in section “Description of Services” below.
"Site" means our website (https://pocketlaw.com) relating to the Services.
"Third Party Applications" means, in these Terms, online, web-based applications and offline software products or services that are a) provided by third parties, b) accessible through or interoperate with the App, and c) may be either separate or integrated with the App and whether or not such are indicated by us as being third-party applications.
"Subscription Period" means the subscription period for the Services, which is twelve (12) months, unless otherwise agreed between the parties in writing.
“Uploaded Content” is defined in section “Your provision of content” below.
Description of the Services
PocketLaw enables companies to manage and do legal work themselves by automating legal knowledge and simplifying consumption of legal services and know-how, such services being made available through the Site and the App, together with any related services and information made available by us to you (the "Services"). More information about the Services can be found on the Site and in the App.
The Services are offered in different plans with different PocketLaw Content and different pricing. We reserve the right to include and exclude any PocketLaw Content and/or App functionalities in the different plans at our discretion.
Please note that PocketLaw Content is generally prepared for a specific jurisdiction, with such specific jurisdiction usually indicated in the App or on the Site. You should not use PocketLaw Content for or in relation to any jurisdiction other than the intended jurisdiction.
Setting up an Account
To use the Services, you must create an Account. You confirm that all information provided to us in the creation of your Account is correct and agree to ensure that the information is accurate at all times. We are entitled to decline or adjust an order from you or shut down your Account and/or limit the other Functions in the event that you provide us with untrue, inaccurate, not current, or incomplete information when creating your Account.
Once an Account has been successfully created, and payment has been made where prepayment is required, the Services will be available and ready to use or order, as detailed on the Site and in the App.
Credentials for your Account must be kept secure at all times. You may only create one (1) Account. You are not allowed to transfer the Account to another person or to share data relating to your Account with any third parties. Should you suspect that your Account or your credentials have been or are being used by a third party you must contact us immediately by using our Contact Information.
The Services shall be ordered in accordance with the instructions on the Site and the App.
Our confirmation of your order will take place when we send you an invoice and/or send you an Order Confirmation, at which point a legally binding contract will come into existence between you and us.
Third Party Applications
Certain Services may be provided by third parties or Third Party Applications and the provision of such Services may be subject to further terms. In such case, the provision of such Service is governed by such terms and conditions agreed between you and the relevant provider. You undertake towards PocketLaw to comply with such terms and conditions when using the Third Party Applications through or interoperationally with the App. We are not responsible for any Third Party Applications.
Maintenance and updates of the Functions
We may have to restrict your access to and/or use of the Functions to:
Deal with technical problems or make minor technical changes;
Carry out general maintenance and/or updates of the Functions; or
Update the Functions to reflect changes in applicable laws or satisfy a regulatory requirement.
We will endeavour to contact you in advance in the event we need to suspend the supply of any Function but may not be able to if the problem in our opinion is urgent or an emergency.
PocketLaw e-signing feature
PocketLaw's own e-signing service (the "E-signing Service") utilises Signicat AS' ("Signicat") service Signicat Sign Express (an API solution for digital signing) for the purpose of allowing our customers to electronically sign documents through the App. You are not permitted to let any third party use or gain access to the E-signing Service and you may only use the E-signing Service for its intended purposes and in accordance with Signicat's Terms and Conditions (https://developer.signicat.com/express/docs/terms-conditions/#_3-the-customer-s-rights-and-obligations).
We offer the Services to companies and other legal entities. You warrant that you are authorised to enter into these Terms on the behalf of the legal entity as well as to use all Functions.
You warrant that the persons (e.g. employees and representatives) you authorise to create Accounts and use the Services have read and understand these Terms. You are at all times responsible for the use of Functions under these Terms, including by such persons - as if it was you using the Functions.
Use of the Functions
When you use the Functions, you must always comply with all applicable laws, regulations and public orders. You shall not access the Site or the App other than through interfaces provided by us and as otherwise expressly authorised under these Terms. You may not use the Functions in a manner contrary to our, or any third party’s, rights and interests. You agree to comply with all instructions and recommendations provided by us from time to time.
You are responsible for all activities that occur under your Account, including activities by e.g. your employees and representatives.
You also agree not to:
Defame, abuse, harass, threaten or otherwise violate the legal rights of any third party or us;
Publish, post or - in any other way express - any material or information that is inappropriate, defamatory, infringing, obscene, pornographic, racist, terrorist, politically slanted, indecent or unlawful;
Contribute to destructive activities such as dissemination of viruses, spam or any other activity that might harm us, the Site and/or the App in any way;
Monitor the Services’ availability, performance or functionality for any competitive purpose, meaning, for example, that you agree not to access the Services for the purpose of developing or operating a competitive product or service or copying the Services’ features or user interface;
Copy, duplicate or extract any PocketLaw Content or results generated in the App, other than for bona fide back-up purposes and/or bona fide ordinary course business operations; or
Resell or in any way redistribute PocketLaw Content or results generated in the App or use the Services in order to create a competing service or product.
Your provision of content
The Site and/or the App include(s) functions for uploading and storing of files and other information provided or created by you ("Uploaded Content"). You are responsible for all distribution and other actions by you and in your name.
By adding Uploaded Content to the Site and/or the App, you warrant that you are a) the owner of the Uploaded Content, or, b) entitled to manage the Uploaded Content in such a way, and c) that the Uploaded Content or your use of the Uploaded Content in no way violates any applicable legislation or any third party rights. We will not supervise whether any Uploaded Content is lawfully uploaded or distributed through the Site and/or the App.
By adding Uploaded Content to the Site and/or the App, you are aware that, depending on the settings of your Account, such Uploaded Content might be shared with others. We are not liable for any loss of Uploaded Content, and we advise you to always keep your own backup of your Uploaded Content. We do not take any responsibility with regards to the validity of Uploaded Content provided or created by you.
We do not take any responsibility for any customised templates made available to you in the App. We do not review any customised templates, and we do not update or amend any such templates other than as instructed or agreed to by you. You are solely responsible for the legality, validity and content of any customised templates.
PRICES AND PAYMENT
You must pay all applicable fees for the Services periodically in advance or in arrears. The prices for the Services are set out and described on the Site. The prices for the Services include any explicitly set out relevant delivery costs, but exclude value added tax (VAT) or other fees and taxes. The price of the Services provided to you will be indicated on the order pages when you placed your order or as otherwise notified by us to you in writing and confirmed by an Order Confirmation. If you have been offered Services for a specific term, price and/or discount, that price will apply for the agreed time, after which the price may increase.
We have the right to change the prices for the Services. If we change the prices, we will notify you in advance. Unless otherwise agreed between the parties in writing, any change in the price of your subscription will take effect from the start of the Subscription Period after the price change took effect. By continuing to use or access the Services after the price changes come into effect, you agree to be bound by the new charges.
If you have been offered the Services at a discounted price, unless otherwise agreed in writing, the discounted price will apply during only one (1) Subscription Period, after which the prices for the Services on the Site will automatically apply (without us having to notify you).
Payment for the Services can be made in one of the following ways.
We offer payments in cooperation with Stripe through:
Invoice (when paying an aggregate annual or monthly fee upfront); or
On your payment, the third party processor's/provider’s terms and conditions will apply (https://stripe.com/en-se/ssa). You may be requested to identify yourself and credit reports may be pursued by the third party processor/provider. Where we use a third party for payments, we will not have access to or store any payment information.
The Services may be paid for by credit or debit card. You must keep the payment information provided to us accurate and up-to-date.
We may invoice you for the Services in advance or in arrears, with the frequency agreed for the period contracted. You agree that we may issue electronic invoices, which will be sent to the email address you have provided in your Account. You must keep the payment information provided to us accurate and up-to-date.
We may invoice you from Pocket Solutions AB, or from any of our subsidiaries. Payment shall be made (with discharging effect) to the PocketLaw entity issuing the invoice.
We are entitled to perform a credit control when this is needed in order to be able to offer you a credit period.
You agree to pay within the set time for the payment method you choose. We have the right to close down your Account and/or limit the Services until you have paid for all the charges incurred by you. During such closing down or limitation, you will continue to incur the applicable fees for the Service.
Payment after the due date can entail late payment fees and interest.
Unless otherwise expressly set out in these Terms, we do not provide refunds, right to return a purchased subscription or Service, credits for any partially used subscription or Service, credits for any unused Account or credits by reason of your dissatisfaction with the Services and/or the Functions.
TERM AND TERMINATION
The term for the Services commences upon creation of an Account with us and shall remain in force until terminated in accordance with these Terms.
If you purchase a subscription from us, the Subscription Period is always twelve (12) months, unless communicated differently by us to you in writing.
At the end of each Subscription Period, your subscription will automatically renew for an additional twelve (12) months unless terminated by you by giving at least 90 days’ written notice before the end of your current Subscription Period.
You may downgrade your subscription by providing at least 90 days’ written notice before the end of your current Subscription Period. Your new subscription will take effect from the start of the subsequent Subscription Period. If you upgrade your subscription, your new subscription will take effect immediately, and the new Subscription Period will be twelve (12) months from the date of the upgrade.
To terminate the Services, you need to notify us in writing to email@example.com, or by contacting us via the in-App chat service.
If you notify us of your intention to terminate the Services during a current Subscription Period, the Services will terminate at the end date of the current Subscription Period, and we will continue to provide the Services until the end of the Subscription Period. In no event will your termination relieve you of the obligation to pay any amounts payable to us for the remainder of the current Subscription Period.
If you notify us of your intention to terminate the Services and you do not currently subscribe to the Services, we will terminate our provision of the Services immediately.
Upon termination, your right to access the Services will be revoked. We will also delete or anonymise any personal information about you, with exception for any personal information that we are required to keep by law.
Any Services still ongoing upon termination shall be carried through in accordance with these Terms. Obligations arising from any breach of contract during the term of these Terms shall not be affected by termination.
Termination for cause
We reserve the right to terminate or limit the Services if you:
Breach or otherwise violate these Terms or any other provisions set up by us;
Use the Functions in any way that does not comply with the intended purposes or is otherwise harmful for us or any third person; or
In our reasonable opinion, use the Functions in violation of any applicable law or regulation.
Upon occurrence of any of these events, we may contact you and request that you remedy your breach of these Terms before terminating or limiting the Services. In the event that we limit the Services for cause, you are still obligated to pay the applicable price for the Services regardless of such limitation. In the event that we terminate the Services for cause, you will pay any unpaid fees covering the remainder of the term of your Subscription Period.
If you are using the Services on our free plan, we may terminate the Services and your Account at our sole discretion.
LIABILITY – YOUR ATTENTION IS PARTICULARLY DRAWN TO THIS SECTION.
Disclaimer of warranties
Except as expressly provided for in these Terms, the Functions and all related components and information are provided on an "as is" and "as available" basis without any warranties of any kind, and we expressly disclaim any and all warranties, whether express or implied, including the implied warranties of merchantability, title, fitness for a particular purpose and non-infringement. You acknowledge that we do not warrant that the Functions will be uninterrupted, timely, secure or error-free, or that the PocketLaw Content is accurate, complete or up to date.
Limitation of Liability
In no event shall PocketLaw, its subsidiaries, affiliates or any of their respective employees, officers, directors, agents, partners be liable to you for: (a) loss of contracts; (b) loss of reputation and/or goodwill; (c) loss of profit, loss of revenue, loss of anticipated savings, loss of business and/or loss of opportunities; (d) your duty to compensate any third party; or (e) indirect, consequential or special loss, damage or liability even if such loss or damage was reasonably foreseeable.
Our total liability to you, whether arising from a breach of contract, negligence or otherwise, shall be limited to the total sums paid by you for the Services during the 12 month period preceding the date of the first incident giving rise to the liability. If you are using the Functions during a trial period or otherwise free of charge, our total liability to you for all other losses, whether arising from a breach of contract, negligence or otherwise, is limited to SEK 1000.
Nothing in these Terms shall exclude or limit a party’s liability for: (a) fraud, theft, willful misconduct or gross negligence; (b) death or personal injury attributable to that party; or (c) for any other matter which cannot be excluded by law.
Nothing in these Terms shall limit your duty at law to mitigate any loss suffered by you.
Notice of claim
We shall not be liable for any loss or damages unless notice in writing summarising the nature of the damages (in so far as it is known by you) and, as far as is reasonably practicable, the amount of damages claimed, has been provided to us within three (3) months of you becoming aware of the loss or, if earlier, within six (6) months from when the loss occurred.
You agree to defend, indemnify and hold harmless PocketLaw, its subsidiaries and affiliates and their respective directors, officers, employees and agents from and against all claims and expenses, including legal fees, arising out of or related to:
any Uploaded Content;
fraud you commit or your intentional misconduct or gross negligence in connection with any use of the Functions;
your violation of any terms for Third Party Applications; or
your violation of any applicable law or regulation, or rights of a third party.
Defects and delays beyond our control (force majeure)
We are not responsible for delays and defects outside our control. If any of the Functions are impaired by or due to an event outside our control (for example, a delay or interruption caused by any of our suppliers or service providers), then we will endeavour to contact you as soon as possible to let you know, and we will take commercially reasonable steps to minimise the effect of the impairment.
Not legal advice
Whilst our goal is to ensure that PocketLaw Content is up to date and current, this is not a contractual commitment and we make no representations, warranties or guarantees, whether express or implied, that the PocketLaw Content is accurate, complete or up to date.
PocketLaw Content can be used as a source of legal information but does not substitute taking legal, tax or book-keeping advice. The PocketLaw Content has been created for a wide audience and may not be appropriate or applicable to your situation. We always recommend that you take legal, tax and book-keeping advice before making any decisions in relation to any PocketLaw Content.
In this section, “Confidential Information” means any information regarding the parties and/or the Services, that a party has learned as a result of the Services or the entering into of an agreement for the Services, whether written or oral and irrespective of form.
During the term of the Services and thereafter, the parties undertake not to disclose to any third party any Confidential Information.
The parties agree and acknowledge that the Confidential Information may be used solely for the fulfilment of their respective obligations to each other and not for any other purpose. The parties further agree to use, and cause its respective directors, officers, employees, sub-contractors or other intermediaries to use, the same degree of care that it uses to protect the confidentiality of its own confidential information (but not less than reasonable care) to avoid disclosure or use of Confidential Information.
The confidentiality undertaking above shall not apply to any Confidential Information that is or becomes available to the public (other than by breach of these Terms or any other confidentiality undertaking).
Each party also undertakes to ensure that any information disclosed under this section, to the extent possible, shall be treated confidentially by anyone receiving such information.
This confidentiality undertaking shall remain in force three (3) years after the termination of the Services.
CHANGES AND ADDITIONS
We may modify these Terms at any time. In the event of changes which are not minor and may affect you, you will be notified via email or via the App. You are responsible for keeping yourself informed of any changes to the Terms. The latest version of the Terms will be available on the Site. Amendments to the Terms become effective the business day following the day they are posted.
All new functionalities, features and PocketLaw Content introduced and added to the Services, the Site or the App will be subject to what is stipulated in these Terms.
COMPLAINTS AND CUSTOMER SUPPORT
If you have any complaints, please contact our support department at firstname.lastname@example.org.
You acknowledge that you are the data controller for any personal data processed by us on your behalf in conjunction with your use of the Services. You also acknowledge that we are considered as your data processor; therefore, by agreeing to these Terms we enter into the data processing agreement attached to these Terms as “Appendix DPA”, which shall remain in effect for as long as we process personal data on your behalf.
PROPERTY AND INTELLECTUAL PROPERTY RIGHTS
The Site and the App are owned and operated by PocketLaw. All copyrights, trademarks, trade names, logos and other intellectual or industrial property rights owned or licensed by us as well as those presented in the Functions (including titles, graphics, icons, scripts, source codes etc.) are our property or third party licensors’ property and must not be reproduced, distributed, sold, used, modified, copied, limited or used (in whole or in part) without our written consent.
You must not tamper with, attempt to gain unauthorised access to, modify, hack, repair or otherwise adjust any of our material, source-codes or other information for any purposes.
PocketLaw grants you a revocable, non-exclusive, non-transferable and limited licence to use the Functions for the sole purpose of us providing the Functions to you. Upon expiry or termination of the Services, this right and licence shall end.
You agree that we may use your company name and/or logo in our marketing and publicity material as examples of current users of the Site unless you notify us by email at the Contact Information.
No failure or delay by either party in exercising any right under the Terms will constitute a waiver of that right. No waiver under the Terms will be effective unless made in writing and signed by an authorised representative of the party being deemed to have granted the waiver.
These Terms, any Order Confirmation, and any other documents referred to in such Order Confirmation and in these Terms, constitute the whole agreement between the parties and supersede any previous arrangement, understanding or agreement between them relating to the subject matter they cover.
In case of discrepancy between an Order Confirmation and these Terms, the Order Confirmation shall prevail.
You acknowledge and agree that when entering into an agreement for the Services, you do not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person relating to the Services or any of the other Functions.
You may not assign any of your rights or obligations under these Terms to any person without our prior written consent.
We may assign the Terms, and we may assign, transfer or subcontract any of our rights or obligations under the Terms, to any person without your prior consent.
GOVERNING LAW AND DISPUTES
These Terms and all non-contractual obligations arising in any way whatsoever out of or in connection with these Terms are governed by and construed in accordance with substantive Swedish law, without regard to any principles concerning the choice of law.
Any dispute, controversy or claim arising out of or in connection with these Terms, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the SCC Arbitration Institute (the “SCC”).
The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators.
The seat of arbitration shall be Stockholm. The language to be used in the arbitral proceedings shall be English.
The parties agree that all arbitral proceedings conducted under this arbitration clause shall be kept confidential, and all information, documentation, materials in whatever form disclosed in the course of such arbitral proceedings shall be used solely for the purpose of those proceedings.
Pocket Solutions AB is a limited liability company registered in Sweden.
Registered address: Drottninggatan 98, 111 60 Stockholm, Sweden
Company registration number: 559169-9623
VAT registration number: SE559169-962301
PocketLaw Limited is an entity registered in the United Kingdom (UK)
Registered address: 78 York Street, London, United Kingdom, W1H 1DP
Company No: 13149151
PocketLaw GmbH is an entity registered in Germany
Address: c/o Maschinenraum GmbH, Zionskirchstraße 73a, 10119 Berlin, Germany
Commercial company register: HRB 243960 B
PocketLaw NUF is a branch office (No. Norskregistrert utenlandsk foretak) registered in Norway
Registration number 929 046 714
Address: Drottninggatan 98, 111 60 Stockholm, Sweden
This Data Processing Agreement with Schedules (the “Agreement”) has been entered into between:
Data Controller: You (“Customer”, “Controller”, “You”); and
Data Processor: Pocket Solutions AB (company reg. no. 559169-9623) (“PocketLaw”, “Processor”, “us”, “our” or “we”)
Each a “Party” and together “the Parties”.
1.1 The Agreement forms part of the PocketLaw Terms of Service and sets out the additional terms, requirements and conditions on which the Processor will process Personal Data (each as defined below) when providing services under the Terms. The Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).
1.2 The Agreement includes the following Schedules:
Schedule 1 - Existing and Approved Sub-Processor
Schedule 2 - Technical and Organisational Security Measures
Schedule 3 - Contact Details
2. DEFINITIONS AND INTERPRETATION
2.1 The terms used in this Agreement shall have the same meaning as ascribed to them in Article 4 of the GDPR. Furthermore the following definitions and rules of interpretation apply in the Agreement:
“Applicable Law” refers to the legislation applicable to the processing of Personal Data under the Agreement, including the GDPR, supplementary national legislation, as well as practices, guidelines and recommendations issued by a Supervisory Authority.
“Supervisory Authority” means a supervisory authority within the EU, such as the Swedish Authority for Privacy Protection, or another supervisory authority which on the basis of law has the authority to conduct supervisory activities over the Controller’s operation.
“Personal Data” means any information relating to an identified or identifiable living individual that is processed by the Processor on behalf of the Controller as a result of, or in connection with, the provision of the services under the Terms (in the Agreement “Personal Data” is used synonymously with “Personal Data for which the Data Controller is responsible for and which the Data Controller processes on behalf of the Data Processor”).
“Data Processor” means the company/organisation that sets out the purposes for which data is processed and is thereby held responsible for ensuring that Personal Data is processed in accordance with Applicable Law. The parties agree and acknowledge that for the purpose of the Data Protection Legislation the customer is the Controller.
“Data Controller” is the company/organisation that processes personal data on behalf of the Data Processor and is therefore only permitted to process data in accordance with the Controller’s written instructions. The Parties agree and acknowledge that for the purpose of the Data Protection Legislation, PocketLaw Limited is the Processor.
"Data Subject" is the identified or identifiable living individual to whom the Personal Data relates.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2.2 Unless otherwise defined in the Agreement, capitalised terms used in this Agreement shall have the same meaning as those given in the Terms.
2.3 In the case of conflict or ambiguity between the Terms and any provision contained in the body of the Agreement or the Schedules, the provisions in the Agreement will prevail.
2.4 The Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this agreement includes the Schedules.
2.5 A reference to a clause, paragraph or schedule is, unless stated otherwise, a reference to a clause or paragraph of, or schedule to this Agreement.
3. PERSONAL DATA TYPES AND PROCESSING PURPOSES
3.1 Data subject types. The Controller appoints the Processor to process data which identifies the Controller’s:
Board members; and
All other data subject types as determined by the Controller in accessing and using the Services provided by us
3.2 Categories of personal data. The Controller may submit Personal Data to the Processor, the extent of which is determined and controlled by the Controller in compliance with Applicable Laws and which may include:
National Insurance Number;
Employee salary details;
Location data; and
All other categories of personal data as determined by the Controller in accessing and using the Services provided by us.
3.3 Source. The Processor processes personal data which:
The Controller’s employees or authorised users add to any PocketLaw Services
The Controller collects from its Data Subjects
3.4 The purpose for processing personal data (the “Purpose”):
To enable the Controller to easily manage, upload, and access their legal, contractual and other types of documents via our App.
3.5 Processing activities:
Storage and other Processing necessary to provide, maintain, and update the Services.
4. DATA PROCESSOR’S OBLIGATIONS
4.1 The Processor will observe and abide by the principles set out in Article 5 of the GDPR in connection with each and every Processing.
4.2 The Processor confirms that the Controller is not required to take any further action to ensure that the Processor fulfils its obligations in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements under Applicable Law, including for the security of Processing.
4.3 The Processor will only process the Personal Data to the extent, and in such a manner, as is necessary for the Purposes in accordance with the Controller’s written instructions. The Processor will not Process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation.
4.4 The Processor will, upon the request of the Controller, reasonably assist the Controller, at no additional cost, with meeting the Controller’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Processor's processing and the information available to the Processor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Supervisory Authority or other relevant regulator under the Data Protection Legislation.
4.5 The Processor must promptly notify the Controller if, in its opinion, the Controller's instructions do not comply with Applicable Law. If the Processor deems any written instructions provided by the Controller as incomplete, deficient, or false, the Processor must promptly inform the Controller. The Processor is permitted to refrain from following the Controller's instructions if they contravene Applicable Law.
5. CONTROLLER’S OBLIGATIONS
5.1 The Controller determines the purposes and means for processing Personal Data. The Controller retains control of the Personal Data and remains responsible for its regulatory and compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Processor.
5.2 The Controller retains responsibility for relations with data subjects in the processing of personal data.
5.3 The Controller is responsible for ensuring that personal data is accurate and up to date.
6. DATA BREACH
6.1 In the event of a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the personal data (“Personal Data Breach”), the data controller must, without undue delay and at the latest within eight (8) hours from the time of discovering the Personal Data Breach, provide written notice to the Controller via the contact details set out in Schedule 3.
6.2 The information will, to the extent that it is available to the Processor, contain the following:
A description of the circumstances surrounding the Personal Data Breach
A description of the nature of the Personal Data Breach and, where possible, the categories and the approximate number of data subjects affected by the incident.
A description of the potential consequences of the Personal Data Breach in question
A description of the measures taken or proposed to remedy the Personal Data Breach, as well as when implementing such measures may be appropriate, and measures for reducing the potential negative effects of such an incident.
Contact details of the Data Protection Officer (“DPO”) or other relevant contact person who can provide further information to the Controller
6.3 Where it is initially not possible for the Processor to provide information to the Controller, the information may be provided in instalments without further undue delay.
7. AUDIT RIGHTS
7.1 On the Controller’s written request, the Processor must provide the Controller with any information reasonably required for the Controller to confirm the Processor’s compliance with its obligations under this Agreement and Applicable Law.
7.3 The Controller must give the Processor at least ten (10) business days written notice of any planned audits or inspections.
7.4 Any audit conducted in accordance with this clause may only be conducted:
during normal business hours;
after the Controller has confirmed that any appointed representative, whether working for the Controller or acting as an authorised third party, carrying out the audit is subject to a confidentiality agreement that is appropriate in relation to the Personal Data and the information to be audited; and
in accordance with the Processor’s internal policies and security-related procedures.
7.5 Each party shall bear its own costs incurred in relation to the audit.
7.6 In the event that the Controller is reasonably required to conduct more than one audit in accordance with this clause within any twelve (12) month period, the Controller shall bear all costs reasonably incurred by the Controller in conducting the audit.
8.1 The Processor may only authorise a third-party (a sub-processor) to process the Personal Data if:
the Controller is provided with an opportunity to object to the appointment of each sub-processor within five (5) working days after the Processor supplies the Controller with full details in writing regarding such sub-processor;
the Processor enters into a written contract with the sub-processor that contains data protection obligations that provide at least the same level of protection for Personal Data as those contained in the Agreement, to the extent applicable to the services provided by the sub-processor;
the Processor maintains control over all of the Personal Data it entrusts to the sub-processor; and
the sub-processor’s contract terminates automatically on termination of this Agreement for any reason.
8.2 The Processor shall keep an up to date list of all its approved sub-processors. The list must be made available to the Controller upon request. Those sub-processors approved as at the commencement of this Agreement are as set out in Schedule 1. If the Controller reasonably objects to the appointment of a sub-processor it must provide written details of the reasonable grounds for its objection and the Processor will use commercially reasonable efforts to make a change to the services to avoid Processing of Personal Data by the objected to sub-processor or to appoint an alternative sub-processor. If the Processor is unable to make such a change to the services or appoint an alternative sub-processor within thirty (30) business days, either party shall have the right to terminate this Agreement and (if applicable) the Terms.
8.3 On the Controller’s written request, the Processor shall provide copies or relevant extracts (at the Processor’s sole discretion) of the Processor’s data processing agreements with sub-processors.
8.4 The Processor shall keep an up to date list of all its approved sub-processors. The list must be made available to the Controller upon request.
8.5 If a sub-processor fails to comply with its obligations under the data processing agreement between the sub-processor and the Processor, the Processor remains fully liable to the Controller for the sub-processor’s performance of the Controller’s obligations under the Agreement.
9. RECORDS AND DATA PROTECTION OFFICER
9.1 The Processor will keep written records (“Records”) of all data processing activities related to the Agreement. The Records will be made accessible to the Controller upon request.
9.2 In the event that the Processing or nature of business activities require the Processor to appoint a DPO in accordance with Applicable Law, the contact details of the DPO will be provided in Schedule 3.
10. CONTACT WITH AUTHORITIES, DATA SUBJECT REQUESTS
10.1 The Processor will inform the Controller without undue delay of any contact from Data Subjects, relevant authorities, courts or regulators (including the Supervisory Authority), or third parties concerned with the Processor’s Processing of Personal Data on behalf of the Controller.
10.2 If the Data Subject makes a request to exercise their Data Protection Legislation rights to the Processor, the Processor will refer the Data Subject to the Controller.
10.3 The Processor will accommodate inspections as required by domestic law, courts or regulators (including the Supervisory Authority).
10.4 The Processor is not permitted to represent the Controller’s interests or in any other way act on behalf of the Controller towards any Data Subject, authority or any other relevant third party.
11. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
11.1 The Controller will adopt the appropriate organisational and technical security measures in order to protect personal data under the Agreement from unauthorised and illegal access. This includes ensuring sufficient physical access controls, system access controls, data access controls and data backups.
11.2 The suitability of technical and organisational measures will be assessed with regard to the latest technology available, associated costs for adoption, sensitivity of data concerned by the processing acts of the Processor, in addition to any risks to the rights and freedoms of data subjects.
11.3 If the Controller assesses the risk level of Processing by the Processor as high, and thereby conducts an impact assessment, the Controller must share the result of such an assessment so that this can be factored into a decision of what is a sufficient level of technical and organisational measures.
11.4 The Processor must follow any decisions issued by the Supervisory Authority or any other supervisory authority on measures to meet the security requirements in Applicable Law and all other requirements relating to the Personal Data Assistant in accordance with Applicable Law.
11.5 The Processor must comply with any decisions and consultation opinions issued by the supervisory authority on measures necessary to meet the security standards in accordance with Applicable Law and all other requirements relating to the Controller’s obligations under Applicable Law.
11.6 The Processor must ensure its employees, sub-processors and, where applicable, the employees of its sub-processors only have access to the Personal Data to the extent to which it is necessary and that those who have access to the Personal Data maintain the confidentiality of such information (e.g. by signing an individual confidentiality agreement).
11.7 Only employees or assigned individuals of the Processor deemed to have the necessary level of knowledge in relation to the nature and scope of the Personal Data processing may process the Personal Data.
11.8 Computer equipment, storage media and other equipment used in the processing of personal data performed by the Processor must be stored so that unauthorised persons cannot gain access to them.
11.9 The security in the Processor’s physical premises where personal data is processed must be suitable and secure with regard to locking equipment, functioning alarm equipment, protection against fire, water and burglary, and protection against power outages. The equipment used to process Personal Data must have good protection against theft and events that may destroy the equipment and/or Personal Data.
12. CONTROL OVER PERSONAL DATA
12.1 The Processor must ensure that the Personal Data remains protected against unauthorised, unlawful and unintentional destruction, modification and distortion. The Personal Data must be protected from unauthorised access during storage, transfer and other treatment. The Controller must not access Personal Data unless the identity of the recipient has been verified.
13. DATA TRANSFERS OUTSIDE THE EU/EES
13.1 The Processor primarily processes the Personal Data of the Controller within the EU/EES. In the event that Personal Data is not processed within the EU/EES, the Processor must ensure that processing takes place according to Applicable Law by ensuring that one of the following criteria is met:
13.1.1. There is a decision from the European Commission that the country ensures an adequate level of protection for the Personal Data;
13.1.2. The Processor applies the European Commission's standard contractual clauses (SCCs) for third country transfers; and
13.1.3. The Processor has adopted other appropriate safeguards which fulfil requirements under Applicable Law.
14. LIABILITY AND INDEMNITIES
14.1 The Parties are free from liability for obligations arising under the Agreement in cases where performance is hindered by a circumstance of an extraordinary nature beyond the Party's control which the Party could not reasonably be expected to have taken into account and whose consequences the Party could not reasonably have avoided.
14.2 The Processor’s liability arising out of or relating to this Agreement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise is subject to the “Our Liability” section of the Terms, and any reference in such section to our total liability means our aggregate liability under the Terms and this Agreement together.
14.3 The Processor agrees to indemnify the Controller for any damages incurred by the Controller as a direct result of the Processor processing Personal Data against the Controller’s instructions according to the Agreement and Applicable Law.
14.4 For the avoidance of doubt, we shall not be liable for any loss of profit, or any indirect or consequential loss arising in connection with this Agreement.
15.1 The Processor is not permitted to use information or any other material which they are provided access to in order to fulfil the Agreement or the Terms for any other purpose than those which are necessary to fulfil their obligations under this Agreement or the Terms.
15.2 The Processor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Controller or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Supervisory Authority). The agreement of confidentiality between the parties is valid from the date on which the Parties enter into the Terms until the Processor returns or destroys the Personal Data in accordance with this Agreement. The Processor will ensure that confidentiality is maintained by its employees and all other parties involved with the business or work undertaken on their behalf.
16. VALIDITY AND TERMINATION
16.1 This Agreement will remain in full force and effect so long as the Processor is processing Personal Data on behalf of the Controller or until the Agreement is replaced by a different data processing agreement.
16.2 The duties and obligations of the Processor in relation to the Agreement will remain in full force and effect in spite of the Agreement being terminated, so long as the Processor is Processing Personal Data on behalf of the Controller.
17. DELETION AND RETURN OF PERSONAL DATA
17.1 Upon termination of the Agreement, the Processor and any other potential sub-processors will either destroy or return the Personal Data concerned by the Agreement to the Controller.
17.2 In the event that the Controller has not requested destruction or return of the Personal Data concerned by the Agreement within twelve (12) months from the date on which the Agreement has terminated as agreed by the Parties, the Processor must destroy the Personal Data.
18. APPLICABLE LAW AND DISPUTE RESOLUTION
18.1 This agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of Sweden.
18.3 The specified dispute resolution mechanism applicable in the Terms will be applicable in this Agreement.
SCHEDULE 1 - EXISTING AND AUTHORISED SUB-PROCESSORS
Name: Amazon Web Services (AWS)
Type of Service: Data storage and distribution network (CDN)
Website: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.
Supplementary Measures: Personal data is processed within the EU/EES
Name: Compose
Type of Service: Cache database
Website: https://www.compose.com/DPA-exhibit.html
Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.
Supplementary Measures: Personal Data is processed within the EU/EES
Name: Hetzner
Type of Service: Server
Website: https://www.hetzner.com/de/
Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.
Supplementary Measures: Personal Data is processed within the EU/EES
Type of Service: E-signature
Personal Data Processed: Name, contact information, national identity number and customer engagement details.
Supplementary Measures: Personal Data is processed within the EU/EES
SCHEDULE 2 - TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
The Processor has adopted the following technical and organisational measures to ensure that personal data is processed securely and that it is protected from loss, misuse and unlawful or unauthorised access.
Technical security measures are measures which are adopted through technical solutions.
Access control level
Regular security inspection
Password management software for all passwords
Organisational security measures are measures which are adopted in working methods and routines within the organisation.
Internal policies and procedures
Login and password management
Physical security (premises etc.)
SCHEDULE 3 - CONTACT DETAILS
Email address: email@example.com