Terms of Service

Updated 28st March 2023

These Terms of Service (the “Agreement“) between the Customer and React & Share Oy (a Finnish limited liability company with a business ID 2726694-1, Address: Teollisuuskatu 21, 00510 Helsinki, the “Supplier”) set forth the terms and conditions for the use of the React & Share and/or Askem feedback and analytics service developed and supplied by the Supplier (the “Service”). The Customer and the Supplier are collectively referred to in this Agreement as the “Parties” and separately as the “Party”.

IT IS IMPORTANT THAT YOU READ AND UNDERSTAND THE FOLLOWING TERMS AND CONDITIONS. BY REGISTERING WITH THE SERVICE AND/OR BY CLICKING AN “I ACCEPT” BUTTON OR BY OTHERWISE ENTERING INTO THIS AGREEMENT YOU CONFIRM THAT YOU HAVE READ AND UNDERSTOOD THE TERMS AND CONDITIONS SET OUT BELOW AND THAT YOU AGREE, AND YOU ARE AUTHORIZED, TO BIND THE CUSTOMER BY THIS AGREEMENT. IF YOU DO NOT ACCEPT OR UNDERSTAND THIS AGREEMENT, PLEASE DO NOT USE OR ACCESS THE SERVICE.

Any referral to the “Agreement” shall include these Terms of Service and the documents referred to herein. In addition to these Terms of Service, you agree to abide by any supplemental policies, procedures or operating rules of the Service, such as any usage restrictions and usage limits, that may be published from time to time on the Service, each of which is incorporated herein by reference. These Terms of Service shall be applied to all services rendered by the Supplier to the Customer unless otherwise expressly agreed in writing between the Parties. 

1. Definitions

1.1 For the purpose of this Agreement, the following capitalized terms shall have the meanings defined below:

1.1.1 "Affiliate" shall mean any corporation, firm, partnership, or other entity, whether de jure or de facto, that directly or indirectly owns, is owned by, or is under common ownership with a party to this Agreement to the extent of at least fifty percent (50 %) of the equity having the power to vote on or direct the affairs of the entity, and any person, firm, partnership, corporation or other entity actually controlled by, controlling, or under common control with a party to this Agreement.

1.1.2 "Authorized User" shall mean the Customer's and its Affiliates' employees, agents, contractors, consultants, suppliers or other individuals who are authorized by the Customer to use the Service under this Agreement.

1.1.3 "Customer" shall mean the entity that, upon agreeing to this Agreement, registers to use the Service.

1.1.4 "Customer Data" shall mean all data obtained and saved from the internet site of the Customer for the purpose of providing the Service to the Customer. Customer Data may include personal data.

1.1.5 "Intellectual Property Rights" shall mean all intellectual property rights, including copyrights, trademarks, trade names, patents, utility models, designs, database rights, methods, processes and inventions, and any other intellectual property rights, whether registered or unregistered and including all applications (or rights to apply) for, and renewals or extensions of, such rights and all similar or equivalent rights.

1.1.6 “Service” shall mean the feedback and analytics service developed and supplied by the Supplier, in the form provided by the Supplier from time.

2. Use of the SERVICE

2.1 Upon registering with the Service and subject to the terms of this Agreement and the Supplier’s price list in force from time to time, the Supplier hereby grants to the Customer and the employees or other individuals authorized by the Customer (the “Authorized Users”) a limited, non-exclusive, non-transferable license to access and use the Service, as it is made available by the Supplier from time to time, solely for the Customer's internal business purposes during the Term of this Agreement. The scope and content of the Service are further specified in the order confirmation [or otherwise on the Service] .

2.2 The person signing or otherwise accepting this Agreement represents that it has the authority to bind the Customer to this Agreement.

2.3 The use of  features included in the Service requires an application programming interface key ("API key"). The use of the analytics tools of the Service requires user credentials ("Credentials"). Credentials are personal to each Authorized User. The Customer may change or add Authorized Users on the Service during the term of the Agreement.

2.4 The Customer and the Authorized Users shall maintain confidential and secure the Credentials and other identifying codes. The Customer shall ensure that all Authorized Users use the Service in accordance with this Agreement and comply with the applicable laws, regulations and the obligations set out herein. The Customer shall notify the Supplier promptly of any unauthorized access or use of the Service or if the Credentials have been disclosed to an unauthorized third party.

2.5 The Customer is responsible for acquiring and maintaining any and all network, internet and telecommunications connections and all technical equipment required for using the Service.

3. Changes to the Service

The Supplier develops the Service constantly and provides the Service “as is”. The Supplier may, from time to time, under its sole discretion, modify and/or update the Service and its functionalities without the Customer’s consent. This Agreement will automatically apply to all updates, modifications and amendments to the Service.

4. Restriction on use of the Service

4.1 The Service is licensed to the Customer only under the terms of this Agreement, and the Supplier reserves all rights not expressly provided herein. Except as expressly set forth in this Agreement, the Customer shall not sell or otherwise transfer the rights granted under this Agreement to any third party.

4.2 The Customer may not:

(i) interrupt or otherwise disrupt or attempt to interrupt or disrupt the operation of the Service or any part thereof;

(ii) copy, modify, distribute, make available to the public, lease or sublicense the Service or otherwise use the Service or any part or content thereof in a way not expressly authorized in this Agreement;

(iii) decompile, reverse engineer, disassemble, modify, or otherwise attempt to derive the source code of any software constituting part of the Service, or otherwise use the Service or any part thereof to create derivative works of any such software;

(iv) circumvent or try to circumvent the copy protection of the Service; or

(v) use the Service for illegal purposes.

4.3 The Customer agrees that the Supplier may terminate the Customer’s access to the Service immediately if the Customer is found to be in violation of this Section 4.

5. Customer data

5.1 Rights to and use of Customer Data

5.1.1 Customer Data shall mean all data obtained and saved from the internet site of the Customer for the purpose of providing the Service to the Customer (the “Customer Data”). The Customer Data may include personal data, in which case the Supplier shall process such personal data on behalf of the Customer solely in accordance with the data processing agreement attached hereto as Appendix A (the “DPA”) and the Customer’s documented instructions, and shall use the Customer’s personal data solely for the purpose of and only to the extent necessary for providing the Service to the Customer as provided for under this Agreement.

5.1.2 The Customer shall retain all Intellectual Property Rights in and to the Customer Data.

5.1.3 The Supplier shall have the right to use the Customer Data solely for the purpose of providing the Service to the Customer.

5.1.4 Saved Customer Data shall be used only for the provision of the Service and shall not be transferred to any other party unless otherwise expressly agreed with the Customer.

5.1.5 The Supplier may process Service usage data and Customer Data to create and compile anonymized, aggregated datasets and/or statistics for marketing purposes.

5.1.6 The Customer shall have sole responsibility for the legality of the Customer Data and intellectual property ownership of, or right to use, all Customer Data.

5.2 Storage of Customer Data
Customer Data shall be stored on databases hosted by Amazon Web services on servers located in the EU. The database contains a role-based access control based on usernames and passwords. The developers of the Supplier have access to the databases. However, the Supplier does not guarantee the availability of back-up functionality or back-up copies in all cases. 

5.3 DPA
To the extent the Customer Data includes personal data, the processing of personal data shall be subject to the applicable data protection legislation, the data processing agreement attached hereto as Appendix A (the "DPA") and this Agreement.

6. OWNERSHIP

6.1 Copyright and all other Intellectual Property Rights in and to the Service and works created by the Supplier in connection with the provision of the Service (including copyrights, registered and unregistered trademarks and design rights, patents, domain names, business secrets and database rights) belong to the Supplier, its partners or other assignees.

6.2 The Supplier hereby reserves all rights to the works included in the Service or produced by the Supplier. The Supplier grants to the Customer a royalty-free, limited and non-transferrable right to use said material. The Customer shall have the right to use the Service and its results, which are delivered to the Customer, for its internal purposes.

7. FEES AND PAYMENT

7.1 The Customer is entitled to use the Service to the extent further specified in this Agreement and the applicable order confirmations [or otherwise on the Service] subject to the payment of the applicable Service fees set forth in the Supplier’s price list in force from time to time. All prices quoted are net amounts and exclusive of VAT or any other applicable sales tax, as the case may be, which will be added to the invoices where applicable.

7.2 The Customer shall pay the applicable fees in accordance with the payment terms provided by the Supplier through the Service. Unless otherwise specified therein, Service fees are invoiced upon the commencement of each ongoing contract term. The payment term is fourteen (14) days net from the date of the invoice. Interest for delayed payments is 8 %.

7.3 Except as expressly set forth herein, all fees are non-refundable once paid. Already paid fees shall not be refunded to the Customer upon cease of use of the Service or termination of this Agreement during an ongoing contract term.

7.4 The Supplier shall have the right to adjust the  applicable Service fees from time to time. . Any change in the pricing for the Service shall be notified by the Supplier to the Customer in writing at least three (3) months prior to such change taking effect. In the case the Customer does not accept the price amendment, the Customer shall have the right to terminate the Agreement as of the effective date of the price amendment by a written notice to the Supplier,  which notice shall be issued at least thirty (30) days prior to the effective date of the price amendment. Any price list changes shall not apply to ongoing contract terms that have already been paid for by the Customer, but they shall be applied to any renewals of such contract terms. If the Customer does not issue a termination notice as set out above, the price amendment shall be deemed to be approved by Customer.

8. AVAILABILITY OF THE SERVICE

8.1 The Service shall be provided "as is", without warranty of any kind, express or implied, including but not limited to any warranty as to the quality, content or fitness for a particular purpose.

8.2 The Service shall be available for use on the server of the Supplier. The Supplier strives to provide the Service error-free without interruptions. The Supplier reserves right to temporary interruptions in the availability of the Service for technical reasons such as maintenance breaks. The Supplier strives to notify the Customer of any extended maintenance breaks beforehand.

9. LIABILITIES AND LIMITATION OF LIABILITY

9.1 The Customer shall be solely responsible for its use of the Service. The Customer shall be responsible for the legality and appropriateness of the use of the Service and shall ensure that the use of the Service does not infringe any intellectual property rights of any third parties or cause harm or disturbance to the Supplier, the Supplier’s partners, other users of the Service or other third parties. The Customer shall indemnify the Supplier and third parties for any loss or damage suffered by them arising out of or relating to the Customer’s use of the Service in breach of this clause.

9.2 The Customer shall use and exploit the Service at its own risk. To the extent permitted by applicable laws, in no event shall the Supplier be liable towards the Customer or any third party for any indirect or consequential damages arising out of or related to the use or delivery of the Service. Indirect or consequential damage shall mean, inter alia, loss of profits, loss of customers, or damage caused due to decrease in or interruption of production or turnover. The Supplier shall not be liable for the Customer’s decisions made based on the use of the Service or the Customer’s reduced performance resulting from the introduction of the Service.

9.3 The Supplier shall have no responsibility (or related liability) for backing up Customer Data or any information that the customer provides to the Supplier. To the extent permitted by applicable law, the Supplier does not warrant that the Customer Data will be protected against loss, misuse, or alteration by third parties. To the extent permitted by applicable laws, the Supplier shall not be liable for the destruction or loss of Customer Data, nor for any damages and expenses incurred to the Customer as a result. 

9.4 For the avoidance of doubt, the Supplier does not warrant the continued availability of the Service and it shall not be liable to compensate the Customer for any downtime of the Service.

9.5 Neither Party shall have any liability whatsoever for any delays or damages caused by circumstances beyond its reasonable control, which the Party cannot be reasonably expected to have taken into account at the time of entering into this Agreement, and the consequences of which the Party could not have reasonably avoided or overcome. The Party shall without delay inform the other Party in writing of a force majeure event and the cessation thereof.

9.6 The aggregate maximum liability of the Supplier towards the Customer shall be limited to the amount of total fees paid by the Customer for the Service during the ongoing contract term. A written claim for damages shall be presented within three (3) months of the moment when the Customer became aware or should have become aware of the grounds for damages.

9.7 Notwithstanding and without limiting the generality of the foregoing, the limitations of liability shall not apply to damages caused intentionally or by gross negligence.

10. TERM AND TERMINATION

10.1 This Agreement shall enter into force on the date the Customer first accepts it.

10.2 Unless otherwise agreed, the Agreement shall remain in force for a period of twelve (12) months, after which it will be automatically renewed for additional contract terms of twelve (12) months, unless and until terminated by either Party by providing a written notice of termination to the other Party thirty (30) days prior to the end of the ongoing contract term. The ongoing contract term stipulated herein shall automatically apply to any additional Service featured that may be ordered by the Customer during the course of such ongoing contract term.

10.3 The Supplier may terminate this Agreement with immediate effect, in whole or in part, if the Customer:

(i) materially breaches the provisions of this Agreement and fails to correct the breach within fifteen (15) days of having received a written notice of the breach from the Supplier; or
(ii) becomes bankrupt, liquidated or insolvent or otherwise ceases to make payments under this Agreement.

10.4 If this Agreement is terminated by the Supplier due to the Customer’s material breach, the Customer is liable to pay any unpaid Service fees for the ongoing contract term, and the Supplier shall not be liable to refund any already paid fees to the Customer.

10.5 Within reasonable time from the expiry or termination of this Agreement, the Supplier shall either destroy or anonymize the Customer Data (including personal data included in the Customer Data). If separately agreed upon between the Parties, the Supplier may, in its sole discretion, make reasonable efforts to return the Customer Data to the Customer at the Customer’s expense. Notwithstanding the foregoing, the Supplier shall have the right to retain copies of the Customer Data to the extent that the applicable laws require storage of the copies of data and shall not be required to delete copies of personal data from its backup servers until such time that the backup copies are scheduled to be deleted.

11. CONFIDENTIALITY

11.1 The Parties undertake to keep confidential all confidential information received from the other Party, and refrain from using such information for any other purpose than for the proper fulfilment of the obligations under this Agreement. The Parties shall have the right to:

(i) copy the other Party’s confidential information only to extent that it is necessary for the purpose of this Agreement;

(ii) disclose the other Party’s confidential information only to such employees who have a need to know for carrying out the purpose of this Agreement.

11.2 The foregoing non-disclosure obligation shall not apply to information which:

(i) was in the public domain at the time of the disclosure of such information or later became part of the public domain without breach of these confidentiality obligations;

(ii) the receiving Party has received lawfully from any third party without restriction on disclosure;

(iii) was in the possession of the Party receiving confidential information prior to the disclosure by the other Party;

(iv) can be shown to have been independently developed by the personnel of the receiving Party having no access to information received from the other Party; or

(v) is required to be disclosed pursuant to a regulation, law or court order.

11.3 The confidentiality obligation under this Section shall survive termination of this Agreement.

12. MISCELLANEOUS

12.1 Reference use
The Supplier's use of the Customer's name and logo in its marketing of the Service is always agreed on separately. Reference use permits approved prior to March 31, 2021 will remain unchanged.

12.2 Assignment

Neither Party may assign the Agreement, or any of its rights or obligations under the Agreement, to any other party without the other Party’s prior written consent. Notwithstanding the foregoing, both Parties may assign receivables under the Agreement to a third party. The Supplier shall also have the right, upon written notice to the Customer, to assign this Agreement, or any of its rights or obligations under this Agreement, to any of its Affiliates or to a third party as a part of a sale of its business pertaining to this Agreement.

12.3 Amendments

The Supplier is entitled to amend this Agreement by notifying the Customer by email and by making the amended Agreement available to the Customer on the Supplier’s website. Continued use of the Service by the Customer constitutes the Customer’s acknowledgement and acceptance to be bound by the amended Agreement as of the beginning of the next contract term.

12.4 Entire Agreement

This Agreement and its appendices constitute the entire agreement and understanding between the Parties with respect to the subject matter hereof and supersede all prior and contemporaneous agreements, negotiations and correspondence between the Parties with respect hereto. In the event that there are differences or discrepancies between this Agreement and its appendices, the wording of this Agreement shall prevail

.12.5 Partial invalidity

Should any of the provisions of this Agreement be, or become invalid or unenforceable, in whole or in part, this shall not affect the validity of the remaining provisions.

13. Governing law AND DISPUTE RESOLUTION

13.1 This Agreement shall be governed by and construed in accordance with the laws of Finland, excluding its conflict of law rules.

13.2 Any dispute, controversy or claim arising out of or relating to this Agreement, a breach, termination or invalidity thereof shall be attempted to be amicably settled through negotiations between the Parties and failing the same, shall be finally settled by arbitration in accordance with the arbitration rules of the Finnish Central Chamber of Commerce by one (1) arbitrator. The place of arbitration shall be Helsinki and the English language shall be used throughout the proceedings. Notwithstanding the previous sentence, claims for non-payment of monetary charges may be resolved in the district court of the respondent’s place of domicile if the respondent does not contest its payment obligation.

APPENDICES

Appendix A - Data Processing Agreement (DPA)


DATA PROCESSING AGREEMENT
(Appendix A to the Terms of Service)

The purpose of this Data Processing Agreement (hereinafter the “DPA”) is to agree on the  rights and obligations of React & Share Oy (Business ID: 2726694-1, (hereinafter the ”Processor” or the ”Supplier”) and the customer as signatory to the Agreement hereunder defined (hereinafter the ”Controller” or the ”Customer”) with regards to the processing of personal data.

This DPA shall be applicable to the processing of personal data by the Supplier on behalf of the Customer in relation to the React & Share and/or feedback and analytics service (hereinafter the ”Service”) and in accordance with the agreement concerning the Service (the “Agreement”)

In case of any discrepancies between the terms of this DPA and the Agreement, the terms of this DPA shall prevail.

1. Background and Purpose

1.1 The Supplier processes the personal data on behalf of the Customer. the Supplier acts as a data processor and the Customer acts as a data controller, within the meaning of the applicable data protection legislation.

1.2 For the purposes of this DPA, “controller”, “processor”, “personal data” and “processing” shall have the meanings given to them in them in the applicable data protection legislation.

1.3 For the purposes of this DPA, the applicable data protection legislation shall mean the applicable laws and regulations in respect of the processing of personal data and data protection, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, “GDPR”) as well as supplementary legislation, case-law and guidance from supervisory authorities.

2. DATA PROTECTION AND PROCESSING OF PERSONAL DATA

2.1 The subject-matter, nature, and purpose of the processing, the type of personal data and the categories of the data subjects are described in the appendix to this DPA (Annex 1: Description of processing).

2.2 The Customer is entitled to issue documented instructions to the Supplier concerning the data processing. Unless otherwise separately agreed in writing, this DPA shall be deemed to form the entire documented instructions issued by the Customer to the Supplier concerning the processing of such personal data, and the Customer shall be deemed to have instructed the Supplier to process personal data in accordance with this DPA and as specified in Appendix 1.

3 Rights and responsibilities of the controller

3.1 The Customer acts as a data controller under the applicable data protection legislation. The Customer commits to ensuring compliance with the data controller’s obligations under the applicable data protection legislation.

3.2 In particular, the Customer shall be responsible for ensuring that:

3.2.1 the Customer has the right to disclose personal data to the Supplier in accordance with the purposes of the Agreement; 

3.2.2 a valid legal ground for the processing exists, as provided in the applicable data protection legislation;

3.2.3 the processing and the purposes of the data collected or processed have been specified prior to the processing activities;

3.2.4 the data collected is accurate, correct and necessary for each specific purpose of the processing, and no unnecessary data is collected, and any personal data that is inaccurate or incorrect is rectified or erased without delay;

3.2.5 the Customer instructs the Supplier lawfully in the processing of personal data, and the Customer is responsible for the lawfulness, maintenance and availability of the instructions;

3.2.6 the Customer provides access rights to the persons designated by the Customer and removes access rights when they are no longer necessary;

3.2.7 personal data has been protected against unauthorized access, and accidental or unlawful destruction, alteration, disclosure, transport or other unlawful processing;

3.2.8 personal data that has become outdated or unnecessary will not be processed, but disposed of in a reliable manner, unless Union or Member State law requires storage of the personal data; and  

3.2.9 the data subjects have the opportunity to obtain transparent information regarding the processing of their personal data, which is easily accessible and understandable and provided using clear and plain language.

4. Rights and responsibilities of the processor

4.1 The Supplier acts as a data processor under the applicable data protection legislation. The Supplier processes the Customer’s personal data on behalf of the Customer solely in accordance with this DPA and the Customer’s documented instructions. 

4.2 The Supplier shall implement appropriate technical and organizational measures for ensuring the security of the processing to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

4.3 The Supplier shall not use the Customer’s personal data for any other purpose than the purposes of the Agreement.

4.4 The Supplier commits to ensuring that all the persons processing personal data under the authority and supervision of the Supplier have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, in addition to which such persons shall process personal data only pursuant to this DPA, the Agreement and the Customer’s instructions.

4.5 The Supplier commits, to the extent reasonably possible and considering the nature of the processing, to assist the Customer to ensure compliance with the provisions on the data subject's rights by appropriate technical and organizational measures and to inform the Customer about the requests received from the data subjects.

4.6 The Supplier commits, to the extent reasonably possible, to provide the Customer all information necessary to demonstrate compliance with the obligations concerning the processing of personal data. The Supplier shall allow the Customer, at the Customer’s expense, either on their own or using a third party, to conduct audits in the presence of the Supplier. The Customer shall have the right to audit the headquarters of the Supplier and the documentation relating to the processing of personal data by notifying the Supplier in writing at least thirty (30) days in advance, after which the Parties shall mutually agree on the extent and timing of the audit, always conducted during the Supplier’s normal working hours and provided that such audit shall not disturbance to the regular business activities of the Supplier as well as on condition that the audit shall not cause a breach of any confidentiality undertakings of the Supplier towards any third parties or in any way jeopardise its data security. The Supplier shall have the right to approve the party conducting the audit and any such person commit to a confidentiality agreement with the Supplier prior to conducting the audit.

4.7 The Supplier shall, to the extent reasonably possible and considering the nature of the processing, assist the Customer in completing possible data protection impact assessments, notifications of personal data breaches and prior consultation requests to data protection authorities to the extent they relate to the processing of personal data performed by the Supplier in connection with the Service provided by the Supplier.

4.8 After the end of the provision of the Service under the Agreement, the Supplier undertakes to either delete or return all the personal data under the Customer’s responsibility to the Customer, in accordance with the Terms of Service. The Supplier deletes existing copies of the personal data, unless legislation requires storage of the personal data.

4.9 Should the Supplier need information or other assistance from the Customer in order to fulfil its assistance obligations pursuant to this Clause 4, the Customer shall be obliged to provide such information or other assistance requested by the Supplier without undue delay and without cost.

4.10 The Supplier shall be entitled to charge labour and other costs incurred from assisting the Customer pursuant to this Clause 4 in accordance with its then valid price list.
5. Location of personal data

5.1 The Supplier is entitled, for the purposes of the provision of the Service, to transfer personal data within the European Union or the European Economic Area. Unless otherwise separately agreed in writing, the Supplier is also entitled to transfer personal data outside the European Union or the European Economic Area in compliance with the applicable data protection legislation. The Customer shall, at any time, have the right to the information regarding the location of the processing from the Supplier.

5.2 Where personal data is processed outside the European Union or the European Economic Area, each Party shall, for their part, ensure that the personal data is processed in compliance with the applicable data protection legislation.

6. Processing by third parties

6.1 Unless otherwise separately agreed in writing, the Supplier is entitled to use subcontractors in the processing of personal data. The data protection obligations under this DPA shall be applied to all such subcontractors. The subcontractors used by the Supplier taking part in the processing of personal data, also act as data processors on behalf of the Customer. 

6.2 The Customer accepts the third parties listed in Appendix 1 to this DPA to be used as subcontractors of the Supplier, taking part in the processing of personal data for the purposes of the Agreement.

6.3 The Supplier shall inform the Customer in a suitable manner in writing of any intended changes concerning the addition or replacement of the subcontractors listed in Appendix 1. The Customer has the opportunity to object to such changes and terminate this DPA and the Agreement in accordance with the Agreement by notifying the Supplier thereof within thirty (30) days of receiving the Supplier’s notification concerning the changes to its subcontractors. If the Customer does not terminate the Agreement, the Supplier shall be entitled to use the new subcontractors included in the notification.

7. Data security

7.1 The Supplier shall document and notify the Customer of any personal data breach without undue delay after becoming aware of such breach. The notification shall contain all the information necessary for the Customer to fulfil its own notification obligations, to the extent they are in the possession of the Supplier.

7.2 Unless applicable legislation requires otherwise, the personal data breach notification shall contain at least the following:

(i) a description of the nature of the personal data breach including, the categories and approximate number of data subjects concerned, and the categories and approximate number of data records concerned;

(ii) the name and contact details of the Data Protection Officer or other person able to provide additional information;

(iii) a description of likely consequences and/or realized consequences of the personal data breach; and

(iv) a description of the measures taken by the Supplier to address the personal data breach and to mitigate its possible adverse effects.

To the extent all such information may not be delivered at the same time, the information may be given in phases without undue delay.

7.3 The Supplier shall be entitled, at its own initiative, to take measures to ensure the security of personal data and to mitigate possible adverse effects of the data breach.

7.4 The Customer must inform the Supplier without undue delay if the Customer becomes aware of a personal data breach which may concern the personal data which the Supplier processes on behalf of the Customer. Should the Supplier need information in the event of a personal data breach in order to fulfil its obligations under this DPA and the applicable data protection legislation, the Customer must give such information to the Supplier without undue delay.

8. LIABILITY FOR DAMAGE AND LIMITATION OF LIABILITY

8.1 Each Party is liable for any administrative fines imposed by the supervisory authority and/or any damages adjudged by the competent court against such Party based on its infringement of the applicable data protection legislation. If a Party has paid full compensation to a data subject for the damage suffered pursuant to Article 82(4) of the GDPR, such Party shall be entitled to claim back from the other Party the part of the compensation corresponding its part of the responsibility for such damage.

8.2 In other respects, liability for damage and limitation of liability under clause 9in the Agreement shall be applied.

9. Other terms

9.1 Except as otherwise explicitly agreed in this DPA, and to the extent permitted by the applicable data protection legislation, the Agreement shall be applied to this DPA.

APPENDIX 1: Description of Processing

Subject-matter, nature and purpose of processing

The subject-matter and nature of processing are set out in the Agreement. The Supplier processes personal data on behalf of the Customer for the purpose of providing the Service as set out in the Agreement.

Categories of data subjects and types of personal data

Personal data processed by the Supplier may include:

Personal data regarding visitors of the Customer’s website The personal data may include IP-addresses.

Customer’s instructions

At the signature date of the Agreement, the Customer’s instructions to the Supplier are the processing of personal data only for providing Service under the Agreement in accordance with the DPA.


Approved subcontractors:


Subcontractor

Location of personal data

Description

Omen Solutions

(Business ID: 2635246-9)

Finland

Development of the Service

Sellai Oy

(Business ID: 2930187-8)

Finland

Asiakaspalvelu:

Customer service: The analytics dashboard and demonstration of customer reports

Montel Intergalactic Oy

(Business ID: 2784357-7)

Finland

Development of the Service

Amazon Web Services EMEA SARL

Ireland

Cloud infrastructure