Upsales General Terms and conditions

 

1.      General


1.1   These general terms and conditions (the “Terms”) apply to all agreements regarding the use of the Upsales software service or part thereof, provided as a cloud based software, and the related Upsales mobile application (the “Service”). The Service is provided by Upsales Nordic AB, with Swedish company reg. no. 556641-2507, (“Upsales”) to the Customer, in accordance with the Agreement.

1.2   These Terms shall also apply to any other or additional service provided by Upsales to the Customer, such as consultancy services, unless separate terms are provided.

1.3   The Agreement consists of (i) the Main Agreement, (ii) these Terms, (iii) Appendix 1 - Data Processor Agreement, and (iv) any appendices mentioned in the Main Agreement or in these Terms (collectively referred to as the “Agreement”).

2.      Definitions


“Customer”: The company defined as Customer in the Main Agreement.

“Customer Data”: Any data or information, including personal data and technical information relating to the Customer, or its customers, employees or equipment, provided to Upsales by, or on behalf of, the Customer, by use of the Service.

“Documentation”: Any manual, instruction or other documentation related to the Service (including Security White Paper), provided at Upsales’ website www.upsales.com or otherwise disclosed by Upsales to the Customer, including updates of such documents that Upsales duly notifies the Customer about.

“Regular User Support”: General information and guidance that Upsales provides to the Customer in response to support requests by the Customer in relation to the Service as prescribed in the Main Agreement or any agreed upon support level agreement. For the avoidance of doubt, Regular User Support shall not include further services provided by Upsales in connection with the Customer’s support requests, such as specific configurations, integrations or adaptions of the Service or other consultancy services.

“Third Party Applications”: Any web or other software services or applications that utilize or interact with the Service, including all software, content, services, technology, data and other digital materials included or made available therein, created, offered, supported and maintained by third parties.

“Security White Paper”: The document named Security White Paper provided to the Customer at Upsales’ website www.upsales.com.

“Main Agreement”: The contract between Upsales and the Customer that includes prices, term of the Agreement and other terms in regard of the Service.

3.      The Service and Upsales’ obligations


3.1   Upsales gives the Customer a non-exclusive, time limited and non-transferrable license and right to use the Service for the Customer’s own business only, with a maximum number of user licenses as specified in the Main Agreement.

3.2   Upsales shall provide the Customer with accounts and user licenses to the Service as specified in the Agreement. Upsales shall be considered to have delivered the Service at the time when Upsales connects the Service to the internet and activates the Customer’s account and user licenses. A detailed description of the latest version of the Service is provided at Upsales’ website www.upsales.com (the “Service Description”).

3.3   Upsales shall provide the Service in accordance with the methods and standards that Upsales normally uses for the Service (as set out in the Service Description) and in compliance with applicable rules and principles which constitutes good practice in the area that Upsales operates.

3.4   Upsales is constantly working to improve the Service and the Customer’s user experience. Upsales shall make updates to the Service (including the Service Description) as it deems fit and inform the Customer with one week’s written notice prior to such update being released. Changes in layout or graphics as well as other updates that are not expected by Upsales to materially restrict the Customer’s use of the Service may, however, be made without notice.

3.5   Upsales shall assist the Customer with connecting to the Service and provide with customer support as prescribed in section 6.

3.6   Upsales may provide additional services as agreed upon, e.g. analytical tools, database services, consultancy services or specific customizations, subject to separate terms and prices. Upsales may decide on how to integrate such additional services at its own discretion.

4.      Use of the Service


4.1   The Customer shall comply with and always use the Service in accordance with the Agreement, the Documentation and relevant laws and regulations and bears sole responsibility for such compliance. The Customer is entirely responsible for all Customer Data and activities that occur under its account and user licenses.

4.2   Upsales’ “Fair Usage Policy”, as updated from time to time and made available at Upsales’ website www.upsales.com, contains principles for certain Service functions, such as the number of e-mails that can be sent by use of the Service, and will at all times apply to the Customer’s use of the Service.

4.3   The Customer shall not in any way attempt to obtain unauthorized access to the Service or any information included in the Service.

4.4   The Service may not be used (i) for any unlawful or other purpose for which it is not intended, including to transmit, upload or post any computer viruses or other harmful files or codes; (ii) in any way so that the functionality of the Service is impaired, or in a way that is damaging or disruptive to other users or their use of the Service or equipment; (iii) in a manner that could be perceived as defamatory or offensive in any way; or (iv) in any other way that could reasonably be expected to affect Upsales or the Service adversely or reflect negatively on the goodwill, name or reputation of Upsales or the Service.

4.5   The Customer shall not copy, modify, create derivative work, reverse engineer or otherwise attempt to discover any source code of, or assign, sub-license or transfer any right in, the Service or part thereof. Further, the Customer shall not copy, disturb or in any unauthorized way use certificates or other equipment belonging to a third party.

4.6   The Customer shall indemnify Upsales from and against any costs or claims, resulting from the Customer’s use of the Service in violation of the Agreement, including this section 4.

5.      Information and Security etc.


5.1   The Security and reliability of the Service are utmost important to Upsales. Upsales shall ensure sufficient security for the Service by taking the measures prescribed in the Security White Paper.

5.2   The Customer shall provide Upsales with all information reasonably requested in order to set up and provide the Service, and promptly notify Upsales of any change in such information.

5.3   Upsales is responsible for providing the Customer with valid passwords and account details and, in case such details are compromised, for ensuring that passwords and account details are inactivated and exchanged.

5.4   The Customer is responsible for (i) keeping all passwords and account details confidential; (ii) immediately notifying Upsales if suspected or unauthorised access to the Service occurs, or any other breach of security; and (iii) maintaining all equipment, software, applications, communication services and routines, including the security of the Customer’s IT environment’s, required in order to use the Service or otherwise reasonably instructed by Upsales from time to time. For the avoidance of doubt, Upsales is not liable for the Customer’s hardware or software, including uploaded files or data, or unauthorised use of the user accounts or of the Service.

6.      Availability and Support


6.1   Upsales strives to ensure that the Service operates in accordance with its specifications twenty-four (24) hours a day. Unless otherwise agreed, Upsales shall make the Service available no less than 99.8 % of the time in any given quarter of a calendar year.

6.2   The Service shall be considered available if the login to the cloud based software is operational and the Service can be used in accordance with the Agreement. Insignificant inconveniences shall not result in the Service being unavailable. In particular, the Service shall not be deemed unavailable when (i) Upsales performs scheduled service or maintenance on the Service, of which the Customer has been informed no less then forty-eight (48) hours in advance; (ii) the downtime is caused by emergency shutdowns, necessary to protect the Service from viruses, DDoS or other hacker attacks, etc; or (iii) the Service is down due to circumstances beyond Upsales’ control, including, but not limited to, loss of electricity, network or communication. Scheduled service or maintenance, pursuant to item (i) above, shall, to the extent possible, occur outside of usual business hours and not more often than twice a month, unless otherwise agreed.

6.3   If the availability of the Service, according to the above, is below 99.8 % during a quarter of a calendar year, the Customer shall be entitled to claim compensation in accordance with the below, where the Quarterly Fee shall correspond to a quarter of the total amount payable by the Customer per contract period of twelve (12) months, as set out in the Main Agreement:

 

Down-level Availability (%) Compensation
1 Below 99.8 %, above 99.0 % 10 % of the Quarterly Fee
2 Below 99.0 %, above 98.0 % 20 % of the Quarterly Fee
3 Below 98.0 %, above 97.0 % 30 % of the Quarterly Fee
4 Below 97.0 %, above 96.0 % 40 % of the Quarterly Fee
5 Below 96.0 %, above 95.0 % 50 % of the Quarterly Fee

 

An availability below 95 % during a quarter of a calendar year shall be considered a material breach and entitle the Customer to terminate the Agreement with immediate effect in accordance with section 8.3.

6.4   Availability under section 6.3 above shall be measured in accordance with the following formula:

 A = (M - D) * 100/M , where

A = Availability indicated in percentages,

M = Minutes during a quarter of a calendar year,

D = Downtime during the period “M”, indicated in minutes (excluding scheduled service or maintenance, etc.). Downtime means a material failure leading to the unavailability of the Service for the Customer, subject to what is set out in section 6.2 above. The Customer shall report any downtime to Upsales.

6.5   Upsales performs Regular User Support in accordance with the Main Agreement and, if applicable, any agreed upon support level agreement.

6.6   The Customer shall request support as prescribed in the Main Agreement and any applicable support level agreement.

6.7   This section 6 shall constitute the entire obligation of Upsales towards the Customer in respect of Upsales’ performance and liability in regard of the service level and Regular User Support of the Service, unless otherwise agreed.

7.      Prices and Payment


7.1   Applicable prices for the Service are set out in the Main Agreement. All prices are exclusive of VAT and similar taxes. As regards any services for which no specific price has been agreed in writing, Upsales’ standard fees, applicable at the time of delivery, shall apply.

7.2   Unless otherwise agreed in writing, Upsales’ standard fees, as applicable from time to time, shall apply to any additional services and work for which prices are not specified in the Main Agreement. Except for Regular User Support, services provided by Upsales in connection with support requests by the Customer are not included in the prices for the Service set out in the Main Agreement.

7.3   Any overdue payment shall carry interest in accordance with the Swedish Interest Act (SFS 1975:635) and Upsales shall have the right to collect a reminder fee and/or collection fee in accordance with applicable laws. In addition to other available remedies, Upsales may, if full payment is not received when due and the Customer has not made correction despite Upsales’ reminder, suspend the Service, and/or terminate the Agreement with immediate effect pursuant to section 8, provided that such obligation to pay is not disputed on objective and reasonable grounds due to Upsales’ breach of the Agreement.

7.4   Upsales may annually (with effect from the Customer’s next yearly payment period) adjust the prices set out in the Main Agreement in accordance with changes in the SCB Labour Cost Index for non-manual workers preliminary index, SNI2007-code J (Information and Communication business). The base period shall be the first quarter of the year when the Agreement was concluded.

8.      Term and Termination


8.1   The Agreement shall enter into force on the start date specified in the Main Agreement or, if no such date is specified, on the date the parties enter into the Agreement by e.g. signature. The Agreement shall remain in force for the period specified in the Main Agreement. If no period is specified it shall remain in force for an initial period of twelve (12) months. If neither Upsales nor the Customer terminates the Agreement, the Agreement term shall automatically be prolonged with one (1) year at the time, with corresponding terms and conditions. Termination of the Agreement shall be made by written notice to the other party three (3) months prior to the end of the initial Agreement term or each subsequent term of the Agreement.

8.2   The Service is provided for the Term of the Agreement.

8.3   Besides as provided for in the Main Agreement, either party shall be entitled to terminate the Agreement with immediate effect by written notice to the other party, if:

a.          the other party has committed a material breach of the Agreement and does not, where possible, fully rectify such breach within thirty (30) days of the other party giving written notice thereof; or

b.          the other party is declared insolvent, is subject to an application or order of bankruptcy or company reorganization, suspends its payments or otherwise can be presumed to be insolvent.

8.4   Upsales is also entitled to terminate the Agreement with immediate effect if the Customer’s use of the Service violates the Agreement, including sections 4-5.

8.5   The following sections shall survive termination of the Agreement: this section 8, section 9, section 10, section 11, section 13, section 14 and section 16.

8.6   Upon termination, the Customer shall not be entitled to recover any excess amount of payments made in advance, unless the Customer terminates the Agreement with immediate effect in accordance with section 8.3 a. above.

8.7   Upon termination, the Customer shall immediately cease its use of the Service and both parties shall, subject to section 8.8, return or delete confidential information or Documentation received from the other party.

8.8   The Customer shall be entitled to retrieve any Customer Data on the medium chosen by Upsales and reasonably accepted by the Customer, provided that the Customer requests this from Upsales in writing within thirty (30) days from termination of the Agreement and pays Upsales for any reasonable work associated with this.

9.      Customer Data


9.1   Within the scope of fulfilling the obligations under this Agreement, Upsales will process personal data on behalf of the Customer. Within the scope of such processing, the Customer is the controller for processing of personal data and Upsales is the processor. The parties have for that matter entered into a data processor agreement as set out in Appendix 1. Upsales may use Customer Data in aggregated or anonymous form, for uses in statistics and product development purposes, for example to develop and improve the Service.

10.   Confidentiality and Solicitation


10.1Neither party may disclose to a third party any information received from the other party which is confidential, or can reasonably be assumed to be confidential, including, without limitation, any technical information, information on business secrets, source codes, login information or security methods for access to the Service, and the terms of the Agreement. This does not apply to information that (i) is or becomes publicly known without the breach of the Agreement; (ii) was known to the receiving party prior to receipt from the disclosing party or disclosed by a third party without any obligation of confidentiality; or (iii) the disclosure is required by law, regulatory body or an agreement with a stock exchange where the party is listed, or similar. Each party is responsible for ensuring that their sub-contractors, consultants and employees respect corresponding confidentiality obligations.

10.2If the Customer during the term of the Agreement, and for twelve (12) months thereafter, solicits the employment or other engagement of any person who is or has been directly involved with the performance of the Service, Upsales shall be entitled to compensation. Such compensation shall be constituted by a fixed fee from the Customer corresponding to five (5) price base amounts (Sw: prisbasbelopp), as provided for in the Swedish Social Insurance Code (SFS 2010:110), for each and every breach of this section 10.2.

11.   Intellectual Property Rights


11.1The Customer retains the ownership of all intellectual property rights to the data, information and files, including Customer Data, uploaded by the Customer to the Service. Nothing in this Agreement shall be interpreted as a transfer of such rights, or part thereof, with the exception of Upsales’ right to use Customer Data in accordance with section 9.1.

11.2Upsales and/or its licensors hold all intellectual property rights to the Service and Upsales’ website, including any updates, files or data being uploaded to or performed on the Service by Upsales, as well as to the software and source code included in the Service. This includes, without limitation, any patents, copyrights, design rights and trademark rights related thereto. Nothing in this Agreement shall be interpreted as a transfer of such rights, or part thereof.

11.3If a third party makes an intellectual property claim against the Customer based on the Customer’s use of the Service, the Customer shall immediately notify Upsales in writing of the claim and relevant circumstances. Thereafter the Customer shall either (i) offer Upsales at its sole discretion and expense, to control the defense of the claim and decide on conciliation in the Customer’s name, including issuing any and all documents (such as powers of attorney) needed without any cost for Upsales; or (ii) at its own sole discretion and expense, control the defense of the claim and decide on conciliation in its own name.

11.4If a competent court finally determines that the Customer’s use of the Service in accordance with the Agreement constitutes an intellectual property infringement, Upsales shall compensate the Customer, subject to section 13, for direct costs and damages that the Customer is found liable to pay, provided that the Customer has adhered to its obligations under section 11.3 above and have not at its own sole discretion chosen to control the defense of the claim in accordance with item (ii) in section 11.3. For the avoidance of doubt, under no circumstances shall Upsales be liable for compensating the Customer in accordance with this section 11.4 if the Customer decides to control the defense of a claim arisen in accordance with section 11.3. Upsales may further, at its own discretion ensure the Customer’s right to continued use of the Service or corresponding non-infringing service, or cancel the Service and repay the Customer any fees paid for the remaining term of the Agreement, without interest and with deduction of any reasonable benefit the Customer has had from the Service. This section 11.4 constitutes Upsales’ entire obligation towards the Customer with respect to any infringement in a third party’s intellectual property rights.

11.5If a third party makes an intellectual property claim, including claims attributable to Customer Data, against Upsales based on the Customer´s use of the Service, the Customer shall act in order for such claim being transferred to the Customer or, if such transfer is not possible, defend Upsales, at the Customer´s own expense, against any such claim. Upsales shall immediately notify the Customer of an intellectual property claim under this section 11.5 including the relevant circumstances in connection thereto. The Customer will indemnify and hold Upsales harmless against any costs or damages that Upsales may become liable to pay in relation to such infringement claim.

12.       Third Party Applications


12.1 Through the Service and/or Upsales’ website www.upsales.com, the Customer may be able to access and install Third Party Applications for use within the Service. The Customer is aware that such Third Party Applications are provided and licensed to the Customer by the applicable third parties, which are unaffiliated with Upsales.

12.2 The Customer acknowledges that (i) the Customer must use its own discretion when accessing, installing and using any Third Party Applications; and (ii) the Customer’s use of any Third Party Application will be governed by terms and conditions of an agreement between the Customer and the applicable third party (which may include fees and costs), to which Upsales is not a party. The Customer shall always use any Third Party Applications in accordance with the agreements between the Customer and the applicable third parties as well as all relevant laws and regulations, and bears sole responsibility for such compliance. The Customer shall indemnify Upsales from and against any costs or claims, arising out of the Customer’s use of any Third Party Applications.

12.3 Furthermore, the Customer agrees and acknowledges that any Third Party Applications, and applicable third parties, may obtain access to Customer Data, and to store, process and transmit Customer Data outside the Service, as well as data pertaining to the Customer’s use and/or configuration of the Service. Upsales is not responsible for any collection, transmission, disclosure, use or deletion of Customer Data by or through any Third Party Applications or such third parties. Any processing of personal data by third parties in connection with Third Party Applications will be subject to processing agreements to be entered into between the Customer and such third parties.

12.4 Upsales does not own or control any of the Third Party Applications, and the Customer shall not hold Upsales responsible for any Third Party Applications under any circumstances. Upsales does not in any way warrant the functionality, quality, reliability, security, completeness, usefulness or non-infringement of a Third Party Application. Consequently, the Customer bears all risk associated with accessing, installing and using any Third Party Applications. Any support and maintenance of Third Party Applications is to be provided by the applicable third parties, only, in accordance with the agreement between the Customer and such third party. Failure of applicable third parties to provide support, maintenance or other services shall not entitle the Customer to any refunds or other compensation by Upsales.

12.5 Any additional services provided by Upsales to the Customer in relation to Third Party Applications, including without limitation integration and similar consultancy services, shall be governed by separate service agreement(s) to be entered into between the Parties.

13.   Limitations of Liability and Warranties


13.1No party shall be liable to the other party for failure to perform its obligation under this Agreement if such performance is prevented by circumstances beyond the control of the party, including, but not limited to, acts of authorities, strikes or other difficulties on the labour markets, general shortage of supplies, fire or loss of electricity, communications or data.

13.2Upsales is not in any event liable for any cost, damage or loss of any kinds caused by or related to (i) any third parties, third party products or services for which Upsales is not responsible for according to the Agreement (including but not limited to Third Party Applications); (ii) modifications or changes to the Service made by anyone other than Upsales or made according to the Customer’s or its suppliers’ instructions, or (iii) the Customer’s loss of customers, business, profit, revenue, savings, or goodwill, loss due to operational, power or network interruptions, loss of data or information, the Customer’s potential liability towards a third party or other indirect or consequential damage of any kind.

13.3Upsales’ total and aggregated liability under the Agreement is limited to the amount paid by the Customer for the Service or for any other service that the claim relates to, during the twelve (12) month period prior to the time the damage occurred.

13.4A party shall not in any event be liable to pay damages if the other party does not notify the party at default in writing thereof within three (3) months after the party noticed, or should have noticed, the actual damage or loss, however in no event later than six (6) months from when the damage occurred.

13.5Except for what is expressly set out in the Agreement, the Service is provided on an “as is” basis and Upsales makes no warranties or representations, whether express or implied, in relation to the Service, including to the completeness, accuracy, reliability, satisfactory quality, and/or fitness for a particular purpose of the Service.

14.   Audit


14.1Upsales shall have the right, during the term of the Agreement and for a period of six (6) months thereafter, to have an independent audit firm, selected by Upsales, to perform an audit, to verify that the Customer uses the Service and/or any Documentation in compliance with the Agreement. Such audits may occur up to two (2) times a year (a maximum of once per half year), and shall be conducted during normal business hours and at Upsales’ own expense, unless the audit reveals a breach by the Customer. The Customer shall reasonably cooperate if Upsales performs any audit pursuant to this section 14.

15.   Miscellaneous


15.1The Agreement constitutes the entire agreement between the parties, with respect of the subject matter thereof. It supersedes all prior or contemporaneous Agreements or understandings.

15.2The parties may not assign any of their rights or obligations under the Agreement to a third party without the other party’s prior written approval. However, Upsales may assign its right to receive payment to any third party, without the Customer’s approval.

15.3Upsales may make amendments to these Terms by giving the Customer four (4) months’ written notice. Amendments will be effective as from the next yearly payment period.

16.   Governing Law and Disputes


16.1This Agreement shall be governed by and construed in accordance with Swedish law. Any dispute, controversy or claim arising out of, or in connection with, in connection with the Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Rules of the Arbitration Institute of the Stockholm Chamber of Commerce. The arbitral tribunal shall be composed of a sole arbitrator. The place of arbitration shall be Stockholm, Sweden, and the language used shall be English, unless otherwise agreed. All such proceedings, information disclosed and decisions made in such proceedings shall be kept strictly confidential. Notwithstanding the foregoing, Upsales may take any legal action necessary at any competent court for collection of delayed payments.


 

APPENDIX 1 - Data Processor Agreement

 

1.          Background and Interpretation


1.1   In order to fulfil the Agreement between the Customer and Upsales, Upsales will as a processor process personal data on behalf of the Customer which is controller, except when the Customer acts as a processor on behalf of a third-party controller, in which case Upsales is a sub-processor to the Customer. When a third party is controller of personal data processed by Upsales under this DPA, the obligations that Upsales has towards the Customer under this DPA shall apply towards such third-party controller, insofar as is necessary in order to comply with existing data protection laws, including the General Data Protection Regulation (EU) 2016/679 (the “GDPR“).

1.2   This Data Processor Agreement (“DPA”) forms an integral part of the Agreement. The purpose of this DPA is to ensure a secure, correct and legal processing of personal data and to comply with applicable requirements for data processor agreements as well as to ensure adequate protection for the personal data processed within the scope of the Agreement.

1.3   Any terms used in this DPA, e.g. processing, personal data, data subjects, supervisory authority, etc., shall primarily have the meaning as stated in the GDPR and otherwise in accordance with the Agreement, unless otherwise is clearly indicated by the circumstances.

2.          Instructions and Responsibilities


2.1   The subject-matter and the duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, are described in the instructions on processing of personal data in Appendix 1A or the written instructions that the Customer provides from time to time.

2.2   The Customer is responsible for complying with the GDPR. The Customer shall in particular:

a.                      be contact person towards data subjects and respond to their inquiries regarding the processing of personal data;

b.                      ensure the lawfulness of the processing of personal data, provide information to data subjects pursuant to Articles 12-14 in the GDPR and maintain a record of processing activities under its responsibility;

c.                       provide Upsales with documented instructions for Upsales’ processing of personal data, including instructions regarding the subject-matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects;

d.                      immediately inform Upsales of changes that affect Upsales’ obligations under this DPA;

e.                      immediately inform Upsales if a third party takes action or lodges a claim against the Customer as a result of Upsales’ processing under this DPA; and

f.                       immediately inform Upsales if anyone is joint controller with the Customer of the relevant personal data.

2.3   When processing personal data on behalf of Customer, Upsales shall:

a.                      only process personal data in accordance with the Customer’s documented instructions, which at the time of the Parties’ entering into this DPA are set out in Appendix 1A, unless required to do so by EU law or applicable national law of an EU Member State to which Upsales is subject; in such a case, Upsales shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

b.                      ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c.                       take all measures required pursuant to Article 32 of the GDPR as further set out in section 4 below;

d.                      respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;

e.                      taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;

f.                       assist the Customer in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to Upsales;

g.                      at the choice of the Customer, delete or return all the personal data to the Customer after the end of the Agreement, and delete existing copies, unless EU law or applicable national law of an EU Member State requires storage of the personal data; and

h.                      make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 in the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor agreed upon by the Parties. Such audits may occur up to four (4) times a year (a maximum of one time per quarter of a year) and shall be conducted during normal business hours and at the Customer’s expense. Upsales may use external auditors to verify and demonstrate compliance with its obligations following from the GDPR. Upsales will then, upon the Customer’s request, make available a confidential summary report to the Customer of such audits.

2.4   Upsales shall notify the Customer without undue delay, if, in Upsales’ opinion, an instruction infringes the GDPR. In addition, Upsales is to immediately inform the Customer of any changes affecting Upsales’ obligations pursuant to this DPA.

3.          Disclosure of Personal Data etc.


3.1   [A1] Upsales shall without undue delay forward any request to the Customer from a data subject, supervisory authority or any other third party, who is requesting receipt of information regarding personal data that Upsales processes on behalf of the Customer. Upsales, or anyone working under Upsales’ supervision, shall not disclose personal data, or information about the processing of personal data, without the Customer’s instruction, unless required by EU law or applicable national law of an EU Member State.

3.2   Upsales shall without undue delay inform the Customer of any contacts from supervisory authority that concern the processing of personal data on behalf of the Customer. Upsales is not entitled to represent the Customer or act on the Customer’s behalf towards the supervisory authority.

4.          Security


4.1   Upsales shall implement technical and organizational security measures in order to protect the personal data against destruction, alteration, unauthorized disclosure and unauthorized access. The measures shall ensure a level of security that is appropriate considering the state of the art, the costs of implementation, the nature, scope, context and purpose of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Upsales may amend its technical and organizational measures.

4.2   Upsales shall notify the Customer of accidental or unauthorized access to personal data or any other personal data breach without undue delay after becoming aware of such data breach. Such notification shall not in any manner imply that Upsales has committed any wrongful act or omission, or that Upsales shall become liable for the personal data breach.

4.3   If the Customer during the term of this DPA requires that Upsales takes additional security measures, Upsales shall as far as possible meet such requirements provided that the Customer pays and takes responsibility for any and all costs associated with such additional measures.

5.          Sub-processors and Transfers to Third Countries


5.1   The Customer hereby gives Upsales a general authorization to engage sub-processors provided at Upsales website www.upsales.com. Upsales shall enter into an agreement with each sub-processor, according to which, the same data protection obligations as set out in this DPA, are imposed upon the sub-processor. Upsales shall remain fully responsible to the Customer for the performance of the sub processor’s obligations in accordance with its contract with Upsales. The sub-processors used from time to time are listed in Upsales Security White Paper.

5.2   Upsales shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes. Such information shall at least include full legal name of the sub-processor, the type(s) of service(s) provided by the sub-processor and the location of the sub-processor’s processing of personal data on behalf of the Customer. In the event that the Customer wants to object to changes concerning sub-processors, the Customer shall make such objection in writing and within thirty (30) calendar days after Upsales has informed the Customer about the intended changes. If Upsales receives such objection, Upsales shall use reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid processing of personal data by the sub-processor that the Customer has objected to. If Upsales is unable to make such change within a reasonable period of time, Customer may terminate the applicable part of the Service which cannot be provided by Upsales without the use of the sub-processor that the Customer has objected to, by giving Upsales thirty (30) days’ notice. If the Service is terminated, the Customer shall be reimbursed for any in advance paid fees for the applicable part of the Service corresponding to the remaining term of the Agreement.

5.3   If Upsales and/or sub-processors transfer personal data outside the EU/EEA, such transfer shall always comply with the applicable data protection requirements according to the GDPR. Upsales shall inform the Customer at least thirty (30) days prior to such transfer. The Customer is entitled to object to such transfer, based on objective grounds relating to the security of the processing under the DPA. If the Customer makes such legitimate objection and Upsales cannot by reasonable means satisfy such objection, both Parties shall be entitled to terminate the Agreement and/or the DPA, including in relation to specific additional services, by giving the other Party thirty (30) days’ notice. If the Agreement is terminated in accordance with this section 5.3, the Customer shall be reimbursed for any in advance paid fees for the Service corresponding to the remaining term of the Agreement.

6.          Compensation and Limitation of Liability


6.1   Upsales is entitled to reasonable compensation for all work, costs and expenditures stemming from Upsales’ performance of sections 2.3 e, 2.3 h, 4.2, 7 and 8 as well as for all work, costs and expenditures stemming from Upsales following the Customer’s instructions for processing, which are not clearly documented in the Agreement, when this results in work that goes beyond functions and the level of security following from the services that Upsales normally provides to its Customers.

6.2   Subject to the limitation of liability that follows in the Agreement, each Party shall be responsible for and bear any damages and administrative fines imposed on it under articles 82 and/or 83 of the GDPR.

6.3   This section 6 shall remain in force after termination of this DPA.

7.          Term and Termination


7.1   The DPA enters into force upon the effective date of the Main Agreement and shall remain in force as long as Upsales processes personal data on behalf of the Customer including deletion or returning of personal data according to section 7.2 below. This DPA shall thereafter cease to apply. Sections 6, 7.1 and 10.1 shall continue to apply even after this DPA has been terminated.

7.2   Upon termination of the Agreement or the DPA (depending on which is first terminated), Upsales shall, at the choice of the Customer, delete or return the personal data that the Customer has transferred to Upsales and any existing copies, where appropriate, unless storage of the personal data is required by EU law or applicable EU Member State law.

8.          Changes


8.1   If competent authority issues decisions or judgment, or if provisions of the GDPR change, or if a supervisory authority or the European Data Protection Board issues guidelines, recommendations or similar, with the result that this DPA, or part thereof does not meet the requirements in the GDPR, the Parties shall change this DPA to meet such requirements. Such changes shall enter into force no later than thirty (30) days after a Party sends a notice of any necessary changes to the other Party, or otherwise no later than prescribed by the GDPR, guidelines, decisions or regulations of the supervisory authority.

8.2   Changes to this DPA made by Upsales other than following from section 8.1, shall start to apply within thirty (30) days after Upsales notifying the Customer in writing, provided that the changes made are not of material effect.

8.3   Any other changes to this DPA than following from section 8.1 or section 8.2 above or changes in the Customer’s documented instructions, shall be made in writing and signed by the Parties’ authorized representatives, to be binding.

9.          Miscellaneous


9.1   In the event of deviating provisions between the Agreement and this DPA, the provisions of this DPA shall prevail with regard to processing of personal data and nothing in the Agreement shall be deemed to restrict or modify obligations set out in this DPA, notwithstanding anything to the contrary in the Agreement.

9.2   This DPA supersedes and replaces all data processor agreements between the Parties potentially existing prior to this DPA.

10.       Governing Law and Dispute Resolution
10.1Swedish law applies in all aspects to Upsales’ processing of personal data under the DPA. Any dispute arising out of or in connection with the DPA shall be settled in accordance with the dispute resolution provision in the Agreement.

* * * *


 

APPENDIX 1A – instructions on processing of personal data

 

Purposes

Please specify all purposes for which the personal data will be processed by Upsales as processor

Upsales will process personal data on behalf of the Customer for the purpose of providing the Service to the Customer.

Types of personal data

Please specify the personal data that will be processed by Upsales as processor

The Service has a number of standard fields to which the Customer can submit and store personal data; contact name, telephone number, title and e-mail. In addition, the Customer may choose to submit other personal data in free text fields. Such text fields in the Service should not be used to submit or store “special” or “sensitive” categories of personal data (as defined under the GDPR).

Categories of data subjects

Please specify the categories of data subjects whose personal data will be Processed by Upsales as processor

- Contact persons of the Customer´s prospects and customers

- The Customer’s employees and any other persons that the Customer accepts to use the Service

Retention time

Please specify the retention time that applies for the personal data processed by Upsales

Personal data are processed as long as necessary to provide the Services under the Agreement between the Parties.

Processing operations

Please specify all processing activities to be conducted by Upsales as processor

Processing means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Location of processing operations

Please specify all locations where the personal data will be processed by Upsales as processor and - when applicable – by sub-processor

Upsales and its sub-processors will as a main rule only process personal data within the EU/EEA. Personal data are only stored within the EU/EEA.

 

Upsales’ sub-processor Sendgrid (Twilio) may however, by way of exception, transfer personal data outside the EU/EEA in cases where this is necessary for Upsales to provide certain parts of the Service or for Upsales or Sendgrid to meet legal requirements. A transfer will only take place if the Customer makes use of the e-mail delivery service, which is purchased from Upsales as an add on, and as necessary for Upsales to provide this e-mail delivery service to the Customer. In these cases, Upsales and Sendgrid always make the transfer in accordance with the European Commission´s standard contractual clauses for the transfer of personal data to third countries or provisions replacing them.

Upsales and Sendgrid have further implemented additional safeguards in light of the decision by the CJEU in case C-311/18 and Recommendation 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data from the European Data Protection Board.

 

In 2022, the personal data that Upsales processes on the Customer´s behalf in relation to the e-mail delivery service provided by Sendgrid will be processed completely within the EU. If this should prove not to be the case, Upsales will cease to make use of Sendgrid as a sub-processor and instead provide an e-mail delivery service with the use of a sub-processor fully based within the EU.

 

Information security measures

Physical Access Control

Access to the data center may only be attained by a limited number of authorized personnel passing through a series of electronic validation systems. Throughout the facility, video cameras monitor all sections of the building and the surrounding grounds. Within this facility, all Upsales equipment is kept in secured cabinets.

In addition to the above security measures, all Upsales site operations personnel have signed special non-disclosure agreements with respect to the handling of customer data. Failure to uphold this agreement carries severe legal penalties. For added security the site operations team is limited to just a few individuals having access to the site.

System Access Control Upsales shall take reasonable measures to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, IP-blocking and logging of access on several levels.
Data Access Control Upsales shall take reasonable measures to provide that personal data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced by the Customer when Upsales’ personnel needs application access to fulfill Regular User Support described in the Upsales General Terms and Conditions.
Back-up Back-ups of the databases in the Service are taken on a regular basis, are secured, and encrypted to ensure that personal data is protected against accidental destruction or loss when hosted by Upsales. Back-ups will be stored for a maximum of 6 weeks before destruction.
Encryption of data communication (Transmission control) Upsales shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged so Service data cannot be read, copied, modified or removed without authorization during electronic transmission or transport from the Service to the end user.
Deletion After thirty (30) days after the termination of the Customer´s access to and use of the Service, Upsales shall have the right to delete all Service data stored or Processed by Upsales on behalf of the Customer in accordance with Upsales´ deletion policies and procedures.
Logical Separation Data from different Upsales’ subscriber environments is logically segregated on Upsales’ systems to ensure that personal data that is collected for different purposes may be processed separately.