Legal
Download Available
Download the entire Customer Agreement for Cloud Products
Click the icon to download a PDF.
Order Agreement for Cloud Products
Effective starting: July 5, 2023. See the legal archives for previous versions of this document.
This Order Agreement has been entered into between
-
55 Degrees AB, with Swedish company reg. no. 559201-6843, hereinafter referred to as the ”Supplier”, and
-
the company stated when starting the subscription, hereinafter referred to as the ”Customer”.
1. Background and General Terms
1.1. The Supplier and the Customer hereby agree that the Supplier will provide the Service to the Customer.
1.2. Words starting with capital letters are defined in this Order Agreement and at the end of the Terms in the appendix “definitions”.
1.3. The Agreement consists of this Order Agreement and the following appendices:
1.4. In the event of a conflict between this Order Agreement and the appendices, the terms set out in the Order Agreement shall apply, except for what is stated regarding the processing of personal data, where the DPA shall take precedence.
2. Pricing and Payment
2.1. The Customer shall pay the prices that are stated on the point-of-sale, for example on the Supplier’s website, when the parties enter into the Subscription Agreement.
2.2. The prices agreed on in this Order Agreement apply at the time when the Order Agreement is concluded. Any prices are stated excluding value-added tax.
3. Term and Termination
This Order Agreement becomes effective when the Customer has signed up to use the Service at (i) a third-party platform such as Atlassian or (ii) at the Supplier’s website, and this has been confirmed by the Supplier. The Order Agreement remains valid until terminated by either party according to the Terms.
APPENDIX 1
The Supplier's General Terms and Conditions - Cloud Subscription Products
1. Background
1.1. These general terms and conditions (the “Terms”) describes the legal terms and conditions that apply when the Customer subscribes to the Supplier’s Service.
1.2. The Customer is a company or organization and the individual representing the Customer warrants that he or she has authority to enter into a Subscription Agreement with the Supplier.
1.3. When entering into the Subscription Agreement, the Customer confirms that it is not listed on any official terrorist list or associated with any country or organization sanctioned by Sweden, the European Union, or the United States
2. The Service
2.1. The Supplier provides the Service to the Customer in accordance with the Subscription Agreement.
2.2. If the Customer purchased the Service at a third-party platform such as Atlassian, separate, additional terms may apply to the Customer’s use of such third party’s platform. The Supplier takes no responsibility for the Customer’s use of such third-party’s platform or any fault, damage or unavailability of the Service which is due to such third-party platform, regardless of whether such third-party takes responsibility according to its third-party terms. The Terms in this document apply only to the Customer’s use of the Service.
2.3. When the Customer purchases the Service, the Customer agrees to these Terms and is given a right to use the Service for the number of End-Users that has been agreed on in the Order Agreement and for the period for which the Subscription Agreement applies. The Customer can add more End-Users by placing additional orders. The Customer’s right to use the Service is non-exclusive, time-limited, and non-transferable and applies to the Customer’s own business, unless otherwise agreed in the Order Agreement. The right applies provided that the Customer fulfills its payment obligations and other obligations under the Subscription Agreement.
2.4. The Supplier is always trying to improve the Service and may from time to time make developments, additions and changes to the Service.
3. The Supplier's Obligations
3.1. The Supplier shall make the Service available as a SaaS service
3.2. The Supplier provides the Service according to the security practices stated on the website of the Supplier.
3.3. The Service is provided “as is”. The Service does not include any integrations to other systems or applications that the Customer may want to use together with the Service unless the parties have explicitly agreed otherwise in the Order Agreement. When integrations are included, the Supplier does not take responsibility for the continued functionality of such integrations if a third-party provider changes its service.
3.4. The Service shall be considered to have been made available when the Supplier has made it accessible to the Customer through the internet, e.g., by making it accessible for implementation.
4. Availability and Support
4.1. The Supplier’s intention is that the Service shall be fully available.
4.2. The Supplier may provide the Customer with online support services related to the Service at its discretion and for the sole purpose of addressing technical issues relating to the use of the Service. Any support is governed by the Supplier’s policies and programs described in any user manual, online documentation, and/or other materials provided by the Supplier.
4.3. Insignificant inconveniences shall not result in the Service being considered unavailable. In particular, the Service shall not be deemed unavailable when:
a) the Supplier performs scheduled upgrades that affect the availability of the Service, of which the Customer has been informed no less then forty-eight (48) hours in advance; or
b) the Service is down due to circumstances beyond the Supplier’s control, including, but not limited to, loss of network or communication, or due to third-party platforms such as Atlassian’s fault, disturbance, or lack of availability.
4.4. The Supplier shall rectify unavailability as soon as possible after becoming aware of such unavailability. The Supplier’s obligation to remedy the unavailability does not apply if the remedy would cause inconvenience and costs to the Supplier that are unreasonably large in relation to the significance of the unavailability for the Customer.
4.5. In the event the Service is unavailable or has an error which the Supplier deems critical for the functionality of the Service, the Customer’s sole and exclusive remedy shall, at the choice of the Supplier, be (i) either a refund of the monthly fee for using the Service, or (ii) a discount towards the cost of future purchases. Such remedy shall be calculated based on the month in which the error manifested itself and shall be in proportion to the effect for the Customer. The maximum remedy for a month shall be 50% of the price the Customer should have paid for the relevant time period.
5. The Customer's Obligations
5.1. Unless otherwise agreed, the Customer is responsible for the following:
a) act of its employees, consultants or other persons appointed by the Customer to use the Service, in particular, the Customer shall make sure that the Customer’s End-Users do not share account access to individuals without authority to use the Service and take actions to avoid End-Users from sharing login credentials;
b) not using the Service for competitive analysis or similar purposes;
c) only use the Service for the number of End-Users or similar limitations that have been set out and agreed on when concluding the Order Agreement;
d) keeping all passwords and login credentials confidential;
e) to maintain any equipment and software required to use the Service, maintain the security of its IT-environment and to always use the Service in accordance with the Supplier’s Documentation;
f) to provide the Supplier with information about the Customer and its use of the Service reasonably required by the Supplier to be able to provide the Service and make improvements, additions and changes to the Service, the Customer can be required to provide information about connection details and information about authorized user;
g) notify the Supplier immediately at the Supplier’s support portal if the Service is unavailable; and
h) to use the Service in accordance with all applicable laws, regulations and guidelines issued by a competent authority.
5.2. The Customer shall not use, copy, modify or give access to the Service to a greater extent than has been agreed on or is considered within the intended use of the Service.
5.3. The Supplier is not responsible for changes in the Service that occur because of the Customer’s actions.
5.4. If the Customer does not comply with the terms of the Subscription Agreement and does not rectify within ten (10) days of the Supplier notifying the Customer of the non-compliance, the Supplier is entitled to suspend the Service until rectification is made. The Supplier has the right to suspend the Customer immediately if the Customer’s actions impact on how the Service works. The Customer shall indemnify the Supplier for any costs or claims by a third-party based on the Customer’s use of the Service in violation of the terms of the Subscription Agreement.
6. Prices and Payment
6.1. The Customer shall pay the prices that the parties specifically have agreed on in the Order Agreement.
6.2. Unless otherwise explicitly agreed, the Supplier has the right to adjust prices at any time, such adjustments will take effect on the coming Subscription Term, i.e., when the Subscription Agreement is renewed. In addition, the Supplier may at any time adjust prices due to changes in regulations, taxes, fees, or similar circumstances beyond the Supplier’s control.
6.3. All fixed fees for the use of the Service shall be paid in advance. The first notification of payment is received together with the conclusion of the Order Agreement, if the Customer uses a Trial Period, the first notification of payment is received when the Trial Period ends, and the first Subscription Term starts.
6.4. Payment shall be made within thirty (30) days from the notification of payment was issued, unless otherwise agreed in writing.
6.5. If payment is late or incomplete, the Supplier is entitled to interest on overdue payment in accordance with the Swedish applicable interest act and a late payment charge and/or a debt collection fee according to applicable laws.
6.6. If full payment is not received by the Supplier and the Customer has not on reasonable grounds disputed the claim of payment, the Supplier has the right to (i) immediately suspend the use of the Service, and/or (ii) terminate the Subscription Agreement in accordance with section 8.3.
7. Trial Period and Early Access
7.1. If the Customer registers to use the Service for a free Trial Period, these Terms shall apply, in applicable parts, during the Trial Period. Sections that by their nature are not applicable during the Trial Period shall be inapplicable during such period, including but not limited to sections 4.1, 6, 8, 13.3, 13.4, 13.5, and 13.7.
7.2. When the Supplier offers a Trial Period or Early Access, the Supplier’s obligation is limited to providing the Customer with access to use the Service. Thus, the Supplier has no responsibility for the Service functioning in a certain way, or responsibility for providing the Customer with support or remedying any unavailability. However, the Supplier will usually make sure that the Service works as intended. The Supplier is neither liable for any direct or indirect damages due to the Customer’s use of the Service.
7.3. The term of the Subscription Agreement for the Customer’s Trial Period is stated when the Customer starts to use the Trial Period. When the term of the Trial Period has expired, the Customer may choose to continue using the Service and then pay for it in accordance with what is stated in the Terms. When the Trial Period has ended, the Customer will no longer have access to the Customer Data in the Service.
7.4. The Customer does not have the right to use more than one free Trial Period unless explicitly allowed by the licensing platform or the Supplier. The Customer shall reimburse the Supplier for any unallowed continued use of the Service during an additional Trial Period. Such reimbursement shall be coherent with the Supplier’s highest prices for the Service at that point in time.
7.5. The parties may at any time choose to end the Trial Period and the Customer will in that case no longer have access to the Service. The parties may as well at any time choose to end the Early Access and the Customer shall in such case have access to the Service without the Early Access features.
8. Term and Termination
8.1. The Subscription Agreement is provided for the Subscription Term.
8.2. If the parties have not agreed otherwise, the Subscription Agreement shall enter into force when the Order Agreement has been concluded (for example when the Customer has signed up to using the Service at the Supplier’s website and this has been confirmed by the Supplier). The Subscription Agreement is automatically renewed for an additional Subscription Term, unless otherwise agreed upon.
8.3. Either party can terminate the Subscription Agreement at any time. Such termination shall take effect immediately if termination is made by the Customer and shall take effect thirty (30) days after the termination if the termination is made by the Supplier.
8.4. The Supplier has the right to terminate the Subscription Agreement with immediate effect if:
a) the Customer has committed a material breach of the Subscription Agreement and does not take full correction of such breach within thirty (30) days of the other party giving written notice thereof; or
b) the Customer is declared bankrupt, enters into liquidation, cancels its payments, or can otherwise reasonably be assumed to have become insolvent.
8.5. When the Subscription Agreement has been terminated, the Customer shall immediately cease to use the Service and both parties shall return or delete such information that is covered by confidentiality in accordance with section 11, including Documentation. Unless the Customer explicitly asks for the Customer Data to be deleted immediately, any Customer Data that exists is stored for up to thirty (30) days after the Subscription Agreement has been terminated in case the Customer wants to reactivate the Subscription Agreement. The Supplier’s responsibility to delete Customer Data is limited to the Customer Data which the Supplier continues to have access to.
8.6. The Customer can in some cases be able to download the Customer Data prior to ending the Subscription Agreement. The Customer must reimburse the Supplier for the reasonable costs the Supplier has for aiding with the return.
9. Amendments
9.1. The Supplier may at any time make changes to the Subscription Agreement or the Service that do not impair the Subscription Agreement or the Service by giving the Customer thirty (30) days prior written notice.
9.2. If provisions of the GDPR change or if a supervisory authority issues guidelines, decisions, or regulations regarding the application of the GDPR during the term of the DPA, with the result that the DPA does not meet the requirements for a data processing agreement, the parties shall change the DPA to meet the requirements.
9.3. The Supplier may at any time make changes to the Subscription Agreement, other than according to sections 9.1 and 9.2, by giving the Customer a three (3) month’s prior written notice. The Customer may terminate the Subscription Agreement if the Customer has a reasonable explanation for not accepting the new Subscription Agreement by giving notice at latest one (1) month before the new Subscription Agreement will come into force. In such case, the Supplier shall pay back the amounts corresponding to the period the Customer has not been able to use the Service. The Customer may not terminate the Subscription Agreement if the grounds for a significant change to the Subscription Agreement is due to changes in law, constitution, by authority decision, or changes in other circumstances outside of the Supplier’s control. The Customer has the right to terminate the Subscription Agreement with immediate effect if such change entails a significant inconvenience for the Customer.
10. Personal Data
10.1. Within the scope of fulfilling the obligations under the Subscription Agreement, the Supplier will process personal data on behalf of the Customer. Within the scope of such processing, the Customer is the controller for personal data and the Supplier is the processor. For this purpose, the parties have entered into a DPA (Appendix 2).
10.2. The Supplier may gather and in other ways process personal data as data controller in order to improve the Service.
11. Confidentiality
11.1. Both parties hereby agree not to, without the other party’s prior written approval, publish or otherwise disclose to third parties any information relating to the other party’s business which is or can be reasonably presumed to be confidential, with the exemption for:
a) information that is or becomes publicly known, except through a breach of this Subscription Agreement by the receiving party;
b) information from third-party that is public to the receiving party without obligation of confidentiality;
c) information that was known to the receiving party prior to receipt from the disclosing party, without obligation of confidentiality; or
d) the disclosure or use of information is required by law, regulations or any other regulatory body. In the event of such disclosure, the disclosing party shall, if possible, notify the other party before such disclosure takes place.
11.2. Specifically, the Supplier shall keep any Customer Data secret and ensure that employees only have access to the Customer Data if it is necessary to perform the Services, e.g., support- and maintenance (“need to know basis”).
11.3. Information that a party has stated as confidential shall always be regarded as confidential information.
11.4. Each party is responsible for compliance with this confidentiality undertaking by its respective subcontractors, consultants, and employees. The confidentiality undertaking under this section applies during the term of the Subscription Agreement and for a period of three (3) years after the Subscription Agreement has expired. The confidentiality undertaking for Customer Data applies for an indefinite period of time.
12. Publicity and Marketing
12.1. Unless the Customer has objected according to section 12.2, the Supplier may publicly state that the Customer is a customer of the Supplier. The Customer grants the Supplier the right to include the Customer’s name, trademark, logo, or similar identifying material in a listing of customers on the Supplier’s website and/or promotional material in relation to the Service.
12.2. The Customer may, via the Supplier’s support portal, ask the Supplier not to include information about the Customer in any publicly available material. Such a request can be made at any time, even before the Supplier has published information according to section 12.1. After a request from the Customer, the Supplier shall stop including information about the Customer in any publicly available material within thirty (30) days and as far as possible delete any already publicized information about the Customer.
13. Intellectual Property Rights
13.1. The Supplier or its licensors hold all rights, including intellectual property rights, to the Service and the Documentation (including, without limitation to, such development or improvements specifically performed on behalf of the Customer) including software and source code. Nothing in the Subscription Agreement shall be construed as a transfer of such rights, or any part thereof, to the Customer.
13.2. The Customer has all rights, including intellectual property rights, to the Customer Data. During the term of the Subscription Agreement, the Supplier may use the Customer Data and data related to the Customer’s use of the Service (personal data excluded) in order to provide the Service to the Customers successfully.
13.3. The Supplier shall compensate the Customer for damage suffered by the Customer as a result from claims from third parties regarding infringement of such third-party’s intellectual property rights. The limitation of liability as set out in in this section 13 and in section 14 shall however apply, except for what is stated in section 14.5.
13.4. The Supplier’s obligation to indemnify the Customer pursuant to section 13 applies only provided that the Customer:
a) without undue delay notifies the Supplier in writing of claims made against the Customer;
b) allows the Supplier to control the defence and make decisions alone in all related settlement negotiations; and
c) acts in accordance with the Supplier's Documentation and cooperates with and assists the Supplier to the extent that the Supplier reasonably requests.
13.5. If it comes to the Supplier’s knowledge or is finally settled that there is an infringement of a third-party’s intellectual property rights, the Supplier may choose to either:
a) ensure the Customer a continued right to use the Service;
b) change the Service so that infringement no longer exists;
c) replace the Service, or any part thereof, with any other non-infringing equivalent service; or
d) terminate or temporarily cease to provide the Service and, after deducting the Customer’s reasonable benefit, repay the Customer’s fee paid for the Service, without interest.
13.6. The Supplier has the right to freely use the know-how, professional knowledge, experience, and skills that the Supplier acquires through or in connection with providing the Service.
13.7. The Supplier’s obligations under this section 13 are conditional upon the Customer’s use of the Service exclusively in accordance with the terms of the Subscription Agreement.
13.8. This section 13 constitutes the Supplier’s total liability towards the Customer for infringement of third parties’ intellectual property rights.
14. Limitation of Liability
14.1. The Supplier’s responsibility for the provision of the Service is limited in accordance with what is stated in these Terms.
14.2. The Supplier is – with the limitations set out below – liable towards the Customer for damages caused due to the Supplier’s negligence. However, the Supplier is not liable for damages caused by third-party platforms as Atlassian, including any fault, disturbance or unavailability caused by such third-party platform, or any integrations to other systems or applications that the Customer may want to use the Service together with, or modifications or changes to the Service made according to the Customer’s instructions or performed by anyone other than the Supplier (including but not limited to the Customer and Customer’s suppliers).
14.3. The Service is provided on an “as-is” basis without any express or implicit promises or guarantees.
14.4. Notwithstanding the above, the Supplier shall under no circumstance be liable for indirect damages (Sw. indirekt skada), including damages caused by loss of profit, revenue, anticipated savings or goodwill, loss of information or Customer Data, loss due to operational, business, power or network interruptions, loss due to modifications of the Service made in accordance with the Customer’s instructions or performed by anyone other than the Supplier, as well as any claims due to the Customer’s possible liability to third parties; without prejudice to section 13.3. The Supplier is neither liable for any claims deriving from the Customer’s relationship with any third-party platform such as Atlassian where the Service was purchased or integrated with.
14.5. The Supplier’s total and aggregate liability under the Subscription Agreement regardless of the number of incidents, is limited to the amount paid by the Customer according to the Subscription Agreement during the twelve (12) months prior to the time the damage occurred.
14.6. The Customer shall, in order not to lose its right, submit a claim for compensation in writing no later than ninety (90) days after the Customer noticed, or should have noticed, the actual damage or loss, however in no case later than six (6) months from when the loss arose.
14.7. In case of a claim from a third-party, the party responsible for such claim shall indemnify and hold the other party harmless.
15. Force Majeure
15.1. Each party shall be relieved from liability for damages for a failure to perform any obligation under the Subscription Agreement to the extent that the due performance is prevented by reason of any circumstance beyond the control of the party. Such as internet limitation or slow connection, power outages, network intrusion, lawsuits, pandemics, labor disputes, loss of communications, mobilization or large-scale military recruits, ordinances, rationing of fuel, goods or energy, and defects and delays in deliveries from subcontractors caused by any party outside the party’s control provided that the other party is notified immediately.
15.2. The parties have the right to terminate the Subscription Agreement immediately if force majeure continues or will obviously continue for more than sixty (60) days.
16. Miscellaneous
16.1. The Supplier is entitled to assign subcontractors to accomplish its obligations under the Subscription Agreement. The Supplier is liable for the work of the subcontractors as well as its own.
16.2. The primary means of communication between the parties concerning the Service shall be the support portal.
16.3. The content of the Subscription Agreement and its appendices shall supersede all previous written or oral commitments and undertakings.
16.4. The documents described in the definition of the Subscription Agreement shall have mutual priority in the following order: (i) the Order Agreement, (ii) the Terms and (iii) any annexes. Any annexes shall have priority over each other in accordance with the order set out in the Order Agreement.
16.5. The Subscription Agreement may not be transferred to a third-party without the other party’s prior written consent. However, the parties are allowed to transfer the Subscription Agreement to companies within the same corporate group and in a situation of transferring the Supplier’s operation or a part thereof, the Supplier is admissible to transfer the Subscription Agreement to a third-party.
16.6. The failure of a party to exercise any right under the Subscription Agreement or the failure to point out any particular condition attributable to the Subscription Agreement shall not constitute a waiver by a party of such right.
16.7. The following sections apply even after the termination of the Subscription Agreement: 8 (Term and termination), 11 (Confidentiality), 13 (Intellectual Property Rights), 14 (Limitation of Liability), and 17 (Governing Law and Disputes).
17. Governing Law and Disputes
17.1. The Subscription Agreement shall be governed by and construed in accordance with the laws of Sweden.
17.2. Any dispute arising out of or in connection with the Subscription Agreement shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC Institute”).
17.3. The Rules for Expedited Arbitrations shall apply, unless the SCC Institute, considering the complexity of the case, the amount in dispute and other circumstances, determines, in its discretion, that the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply. In the latter case, the SCC Institute shall also decide whether the arbitral tribunal shall be composed of one or three arbitrators.
17.4. The place of arbitration shall be Malmö. The language of the proceedings shall be Swedish and Swedish law shall apply to the dispute. Regardless of what has just been said, the Supplier shall always have the right to apply for an injunction to payment or bring an action regarding non-payment in a general court.
Definitions
”Customer” means the company specified in the Order Agreement as a customer or the person who otherwise agrees with the Supplier to use the Service.
”Customer Data” means any data that is provided to the Supplier by or on behalf of the Customer through the use of the Service.
”Documentation” any instruction or other documentation that the Supplier provides to the Customer at any time.
“DPA” means the data processing agreement concluded between the parties.
“End-Users” means the individual who uses the Service as part of the Customer’s Subscription Agreement.
“Early Access” means a time limited period for which the parties have agreed that the Customer shall test new features or a beta version of the Service. The version of the Service used during Early Access is under ongoing development by the Supplier and therefore not complete or equivalent to the Service.
“Order Agreement” means the contract between the Customer and the Supplier that includes Customer details and specific terms in relation to the Customer’s purchase of the Service or Subscription Agreement to use the Service. The Order Agreement may be constituted by a document signed by the Customer, an offer accepted by the Customer, an e-mail or a web form at the Supplier’s website where the Customer has provided its credentials and signed up to use the Service.
“Service” means the products or services provided to the Customer according to the Subscription Agreement.
“Subscription Term” means the term agreed upon in the Order Agreement.
”Subscription Agreement” means the contractual agreement between the parties no matter in what form, including the Order Agreement, these Terms, the DPA and any appendices mentioned in the Order Agreement, in the Terms or in the DPA.
“Supplier” means the company providing the Service which the Customer has concluded the Subscription Agreement with.
“Trial Period” means a time limited period for which the parties have agreed that the Customer is entitled to use the Service for the sole purpose of evaluation prior to purchase.
Data Processing Agreement
APPENDIX 2
Effective July 5, 2023
1. Background and Interpretation
1.1. The Supplier will upon performance of the Subscription Agreement when providing its Service process personal data on behalf of the Customer, in the capacity of the Customer’s processor. The Supplier will process personal data for which the Customer is the controller.
1.2. This Data Processing Agreement (the "DPA") forms an integral part of the Subscription Agreement. The purpose of this DPA is to ensure a secure, correct and legal processing of personal data and to comply with applicable requirements for data processing agreements as well as to ensure adequate protection for the personal data processed within the scope of the Subscription Agreement.
1.3. Any terms used in this DPA, e.g. processing, personal data, data subjects, supervisory authority, etc., shall primarily have the meaning as stated in the European Parliament and the Council Regulation (EU) 2016/679 (the "GDPR") and otherwise in accordance with the Subscription Agreement, unless otherwise clearly indicated by the circumstances.
1.4. In light of the above, the parties have agreed as follows:
2. Instructions and Responsibilities
2.1. The type of personal data and categories of data subjects processed by the Supplier under this DPA and the purpose, nature, duration, and objects of this processing, are described in the instructions on processing of personal data in Appendix 2A or the written instructions that the Customer provides from time to time. The Supplier shall not process additional categories of personal data or personal data in relation to other data subjects than those specified in Appendix 2A.
2.2. The Customer is responsible for complying with the GDPR. The Customer shall in particular:
a) be a contact person towards data subjects and i.e. respond to their inquiries regarding the processing of personal data;
b) ensure the lawfulness of the processing of personal data, provide information to data subjects pursuant to Articles 12-14 in the GDPR and maintain a record of processing activities under its responsibility;
c) provide the Supplier with documented instructions for the Supplier’ processing of personal data, including instructions regarding the subject-matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects;
d) immediately inform the Supplier of changes that affect the Supplier’s obligations under this DPA;
e) immediately inform the Supplier if a third-party takes action or lodges a claim against the Customer as a result of the Supplier’s processing under this DPA; and
f) immediately inform the Supplier if anyone else is a joint controller with the Customer of the relevant personal data.
2.3. When processing personal data, the Supplier shall:
a) only process personal data in accordance with the Customer’s documented instructions, which at the time of the parties entering into this DPA are set out in Appendix 2A;
b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) maintain an adequate level of security for the personal data by implementing all technical and organizational measures set out in Article 32 of the GDPR in the manner set out in section 3 below;
d) respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging a sub-processor;
e) taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
f) assist the Customer in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to the Supplier;
g) at the choice of the Customer, delete or return all the personal data to the Customer after the end of the Subscription Agreement, and delete existing copies, unless EU law or applicable national law of an EU Member State requires storage of the personal data; and
h) make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 in the GDPR and this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor agreed upon by the parties.
2.4. The Supplier shall notify the Customer without undue delay, if, in the Supplier’s opinion, an instruction infringes the GDPR. In addition, the Supplier is to immediately inform the Customer of any changes affecting the Supplier’s obligations pursuant to this DPA.
3. Security
3.1. The Supplier shall implement technical and organisational security measures in order to protect the personal data against destruction, alteration, unauthorised disclosure and unauthorised access. The measures shall ensure a level of security that is appropriate considering the state of the art, the costs of implementation, the nature, scope, context and purpose of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. The Supplier may amend its technical and organisational measures.
3.2. The Supplier shall notify the Customer of accidental or unauthorised access to personal data or any other personal data breach without undue delay after becoming aware of such data breach and pursuant to Article 33 of the GDPR. Such notification shall not in any manner imply that the Supplier has committed any wrongful act or omission, or that the Supplier shall become liable for the personal data breach.
3.3. If the Customer during the term of this DPA requires that the Supplier takes additional security measures, the Supplier shall as far as possible meet such requirements provided that the Customer pays and takes responsibility for any and all costs associated with such additional measures.
4. Sub-processors and Transfers to Third Countries
4.1. The Customer hereby grants the Supplier with a general authorization to engage sub-processors. Sub-processors are listed in the list of sub-contractors in Appendix 2B. The Supplier shall enter into a data processing agreement with each sub-processor, according to which, the same data protection obligations as set out in this DPA, are imposed upon the sub-processor.
4.2. The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes. Such objection shall be made in writing and within thirty (30) calendar days after the Supplier has informed the Customer about the intended changes. If the Customer objects to the Supplier engaging a sub-processor and the parties cannot agree, within reasonable time, on the new sub-processor’s engagement in the processing of personal data, the Supplier can terminate the Subscription Agreement.
4.3. If the Supplier and/or sub-processors transfers personal data outside the EU/EEA, such transfer shall always comply with the applicable data protection requirements according to the GDPR and related data protection legislation. The Supplier shall keep the Customer informed about the legal grounds for the transfer.
4.4. The Customer is aware that, if they use the Service within a host product, the vendor of the host product (e.g. Atlassian or Microsoft) from time to time may update or change its data processing agreement, including but not limited to its list of used sub-processors or regarding transfers to third countries. The Customer acknowledges that the Supplier cannot control or impact any such update or change and that a change to such third party's data processing agreement, including any addition or change of a sub-processor, may be effective immediately. The Customer understands that it therefore will be practically impossible for the Customer to successfully object to such changes or updates and still continue to use the Service.
5. Compensation and Limitation of Liability
5.1. The Supplier is not entitled to any additional compensation for the processing of personal data in accordance with this DPA, instead the compensation provided pursuant to the Subscription Agreement also encompasses the measures in this DPA.
5.2. Each party shall be responsible for any damages and administrative fines imposed to it under articles 82 and/or 83 of the GDPR.
5.3. Notwithstanding any limitation of liability in the Subscription Agreement, each party’s liability under this DPA shall be limited to direct damages. In addition, the Supplier’s liability shall be limited to an amount corresponding to the fees paid by the Customer to the Supplier under the Subscription Agreement for a period of six (6) months before the damage occurred.
6. Term and Termination
6.1. This DPA becomes effective when the Subscription Agreement has been entered into.
6.2. Upon termination of the Subscription Agreement, the Supplier shall at the choice of the Customer, delete all the personal data or return it to the Customer, and ensure that each sub-processor does the same.
6.3. This DPA remains in force as long as the Supplier processes personal data on behalf of the Customer, including deletion or returning of personal data according to section 6.2 above. This DPA shall thereafter cease to apply. Sections 5 and 6.2 shall continue to apply even after this DPA has been terminated.
APPENDIX 2A
Instructions on Processing of Personal Data
Purposes
The Supplier processes personal data in order to fulfil the Subscription Agreement. This means that the Supplier processes personal data for the following purposes:
-
Provide the Service to End-Users,
-
Provide products features of the Service to End-Users,
-
Authenticate and authorize End-Users, and
-
Handle customer support cases.
Categories of personal data
Categories of personal data that will be processed by the Supplier include:
-
Name,
-
E-mail address,
-
Unique identifier of the device using the Service, and
-
Information about how the Service is used, and
-
Pseudonymized End-User data, such as ID.
Categories of data subjects
End-Users.
Retention time
Personal data about End Users will be processed and deleted according to the Customer’s instructions. The Customer is responsible for and can choose when such data shall be deleted.
Processing operations
The Supplier process the personal data of End-Users in the following ways.
All products:
-
To technically enable the Service to be used by End-Users.
-
To enable product features, such as enabling sharing of protected content.
-
To provide customer support when the Customers open a support request via e-mail or via the Supplier’s support portal.
ActionableAgile Analytics (SaaS):
-
To authenticate and authorize users for the application.
-
To identify active entitlement to support
ActionableAgile for Azure DevOps:
-
To authorize End-Users for the application.
-
To identify active entitlement to support.
Information Security Measures
APPENDIX 2B
Sub-Processors
The tables below list sub-processors used by the Supplier for the specific purposes listed in this DPA. Specific information about what data is processed for these purposes and a full list of the Supplier’s sub-processors used for various purposes are described on the Supplier’s support portal.
General sub-processors
Name | Purpose | Location of processing |
|---|---|---|
The Customer and End-User support management service provider | Europe.* * Customer Account data (name, email address) is stored across the Global AWS Regions. Read more | |
RefinedWiki (Refined) DPA upon request | Authentication and Request Management for our Customer support portal | Europe |
Additional product-specific sub-processors
ActionableAgile Analytics (analytics.actionableagile.com)
Name | Purpose | Location of processing |
|---|---|---|
Storage for configurations required for operation of applications or features | Europe | |
Authentication and License authorization | Europe |
ActionableAgile for Azure DevOps
Name | Purpose | Location of Processing |
|---|---|---|
Storage for configurations required for operation of applications or features | Europe | |
License authorization | Europe (storage), USA (processing) |
ActionableAgile for Jira Cloud
Name | Purpose | Location of processing |
|---|---|---|
Storage for configurations required for operation of applications or features | Europe |
Klar for Jira Cloud
Name | Purpose | Location of processing |
|---|---|---|
Hosting Platform used for Customer Data Storage | USA |
Koppla for Jira Cloud
Name | Purpose | Location of processing |
|---|---|---|
Hosting Platform used for Customer Data Storage | USA |
Portfolio Forecaster for Jira Cloud
Name | Purpose | Location of processing |
|---|---|---|
Storage for configurations required for operation of applications or features | Europe |