Terms of service

Updated January 19th, 2021

These Terms of Service (the “Terms”) including its appendices listed below, order form and/or any other agreement constitutes the entire agreement (“Agreement”) between the Customer or You and Koivu Solutions Oy (”Koivu” or “we” or “our” or “us”), regarding your use of our services specified in the Terms (the software, and services are collectively referred to as the “Service”). Please read these Terms carefully. You may authorize your employees or other individual authorized users (collectively, “Authorized Users”) to use the Service. You agree that you are fully responsible with respect to any use of the Service by an Authorized User, including any breach by an Authorized User of these Terms.

The following appendices forms an inseparable part of and is governed by the terms of these Terms of Service:

Annex 1: Data Processing Agreement

In the event of any conflicting terms in the Terms and its appendices, the Terms shall take precedence over the appendices, except in any matters relating to the processing of personal data, in which case Annex 1 (Data Processing Agreement) shall take precedence.

1. The Service

The Service is an enterprise application platform that integrates Excel, web application, and third-party integration platforms. The Service is provided only electronically through user interfaces on Microsoft Excel or other third party platforms, for example through an add-in or add-on functionality, and through Web application interfaces hosted by Koivu.

2. Eligibility

The Service is not intended for users that are consumers (being an individual acting primarily for purposes other than a trade, business or profession) and the applicability of consumer protection legislation is therefore excluded. You must be 18 years of age or older to enter into this agreement and use the Service. You represent and warrant that any information you submit is true and accurate and that you are 18 years of age or older and are fully able and competent to enter into, and abide by these Terms, and that you have the authority to bind the Customer entity listed on the Agreement, if applicable.

3. Account Registration

All Authorized Users must register to use the Service. You agree to, and cause all Authorized Users to: (a) provide accurate, current and complete information as may be prompted by registration forms on the Service (“Registration Data”); (b) maintain the security of, and not share with any third party, any logins, passwords, or other credentials that you or any Authorized User selects or that are provided to you or any Authorized User for use on the Service; (c) maintain and promptly update the Registration Data, and any other information you or any Authorized User provides to us, and to keep all such information accurate, current, and complete; and (d) notify us immediately of any unauthorized use of any Authorized User account or any other breach of security by emailing us at [email protected].  Any activity on an Authorized User’s account shall be the sole responsibility of the Customer.

4. Free Trial

We may at our sole discretion offer you free trials for selected features of the Service or a limited time trial period of the entire Service. Once your free trial period ends, your ability to access the Service will terminate. Koivu reserves the right to determine if you are eligible for a free trial and to discontinue any free trial without notice at our sole discretion.

5. Fees and payment 

Access to selected features of the Service may be provided to you free of charge. We will charge fees for certain features, either on a one-time or a subscription basis (“Paid Services”). Koivu reserves the right to implement fees or change the fees for certain services at any time by providing you notice on the Service or otherwise. When you purchase any Paid Services, you authorize Koivu or its third-party payment processors to charge the credit card identified by you (which you represent and warrant that you are authorized to use) all applicable fees for your purchase, including all applicable taxes, and you agree that our payment provider can store your credit card information. If Koivu does not receive payment from your credit card provider, you agree to pay all amounts due upon demand and Koivu may suspend your access to the Services until full payment is received or terminate the Terms of Service. All sales are final and Koivu will not issue refunds, including for prepaid monthly fees. If you choose an automatic recurring payment and later decide to end your subscription, cancelling the payment is your responsibility. Koivu does not refund automatic payments not cancelled in time.

6. Access; Use Restrictions

Koivu hereby grants you the right to access and use the Service, subject to your compliance with these Terms at all times, including timely payment of all applicable fees.  Your right to access and use the Service is personal, limited to your internal business purposes, non-transferable, non-exclusive, and revocable.

Your access and use of the Service are based on the Service client, data source, data destination and usage restrictions. Access and use may be restricted to one individual, specific number of individuals, company, or specific data access/usage. There may be additional restrictions, which may change from time to time, and we will use reasonable efforts to provide you with advance notice of impending changes in a timely manner. Specific written agreements for access and usage restrictions will be indicated in the Agreement and they will override these Terms. 

Without limiting the generality of the foregoing, you will not, will not attempt to, and will not permit or encourage any third party to:

  1. Reverse engineer, disassemble, decompile, decode, or otherwise attempt to derive or gain improper access to any software component of the Service, in whole or in part;
  2. Modify or create derivative works of the Service, in whole or in part;
  3. Use the Service in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any third party;
  4. Interfere with or disrupt the integrity of the Service or any content or data contained therein or transmitted thereby;
  5. Access, monitor, or copy any content or information on the Service using any robot, spider, scraper, or other automated means or any manual process for any purpose without our express written permission;
  6. Violate the restrictions in any robot exclusion headers on the Service or bypass or circumvent other measures employed to prevent or limit access to the Service;
  7. Take any action that imposes, or may impose, in our discretion, an unreasonable or disproportionately large load on our infrastructure;
  8. Deep-link to any portion of the Service for any purpose without our express written permission;
  9. “Frame”, “mirror,” sell, resell, rent, or lease any portion of the Service or otherwise incorporate any part of the Service into any other website without our prior written authorization;
  10. Input any virus, malware, or other harmful code into the Service;
  11. Use the Service or any Koivu Confidential Information for benchmarking or competitive analysis with respect to competitive or related products or services or to develop, commercialize, license, or sell any product, service, or technology that could, directly or indirectly, compete with the Service; or
  12. Violate any applicable local, provincial national, or international law or regulation.

We may at any time suspend or terminate your or any Authorized User’s access to the Service if we have reason to believe that you are not complying with the Terms or you are otherwise abusing the Service.

7. Modifications to the Service

You acknowledge that Koivu may make modifications to the Service during the Term without prior notice to you; however, Koivu will use reasonable efforts to notify you of any material changes to the Service in advance.  In the event of material changes to the Service, Koivu may provide further instructions to you with respect to any actions required by you in order to continue access and use the Service, if necessary.

8. Subcontractors

Koivu may engage subcontractors to perform the Service under the Agreement, provided that Koivu remains fully liable for any actions of such subcontractors. Notwithstanding the foregoing, Koivu shall not be liable for the acts or omissions of any of its hosting service or data communication service providers.

9. Term and Termination

9.1 Your account and subscription of the Service remains in effect unless you terminate it or unless Koivu terminates your account as provided by these Terms. Your account and subscription of the Service may, depending on your choice, be automatically renewable or valid for a fixed period. If your subscription is automatically renewable, your subscription to the Service will remain in effect and will be renewed automatically at the end of each subscription period unless you terminate your subscription or we terminate it.

If your subscription is made for a fixed period and/or not automatically renewable, your subscription will automatically terminate at the end of the agreed subscription period.

Upon the termination or expiration of the Agreement, you must immediately stop using the Service.

9.2 Koivu may terminate this Agreement or terminate or suspend any Authorized User’s access or use of the Service in the following circumstances:

(a) If Customer’s or any Authorized User’s continued use of the Service may, in Koivu’s discretion, result in material harm to Koivu, its subcontractors, affiliates, or another customer of the Service, Koivu may reasonably block or restrict Customer’s access to the Service;.

(b) if Customer or any Authorized User has (i) submitted information to the Service in violation of applicable law or (ii) otherwise used the Service in breach of these Terms, including the restrictions set forth in Section 6 above;

(c) any fees due by Customer remain unpaid fifteen (15) days after the applicable due date as set forth in the Agreement; or

(d) if Customer commits a material breach of its obligations under the Agreement and does not remedy such breach within thirty (30) days of receiving notice of breach from Koivu.

9.3 Either party may terminate the Agreement upon written notice to the other party if the other party enters into bankruptcy, becomes insolvent or makes an assignment for the benefit of creditors.

10. Feedback

Any feedback, comments, suggestions, ideas, or other information provided by you in the form of email or other submissions to us (collectively “Feedback”), are non-confidential and you hereby grant to us and our subcontractors and affiliates a nonexclusive, royalty-free, perpetual, irrevocable, and fully sublicensable right to use your Feedback for any purpose without compensation or attribution to you.

11. Trademarks

11.1 The “Koivu” name, the Koivu logos, and any other product or service name or slogan contained on the Service are trademarks or registered trademarks of Koivu and its suppliers or licensors, and may not be copied, imitated or used, in whole or in part, without the prior written permission of the applicable trademark owner. All other trademarks, registered trademarks, product names and company names or logos mentioned on the Service are the property of their respective owners. Reference to any products, services, processes or other information, by trade name, trademark, manufacturer, supplier or otherwise, does not constitute or imply endorsement, sponsorship, or recommendation thereof by us, or vice versa.

11.2 Koivu may use your company name(s) and logo(s) for marketing purposes, including on the Koivu website and in press releases, promotional and sales literature, customer/prospect presentations, and customers lists.

12. Ownership and intellectual property rights

As between you and Koivu, Koivu owns all right, title, and interest, including all intellectual property rights, in and to the Service, and any services available in connection with the Service. Except for those rights expressly granted in these Terms, no other rights are granted, either express or implied, to you and all other rights are hereby reserved.

13. Confidential information

If we share non-public information about the Service with you, you must keep it confidential and use reasonable security measures to prevent unauthorized disclosure of or access to that information.

14. Privacy Policy and processing of data

14.1 Koivu will process personal data as both 1) data controller; and 2) data processor on documented instructions from you as the data controller.

14.2 As a data controller, we process personal data about you when you sign up for the Service or when you otherwise provide personal information to us in the context of this Agreement. Our collection and use of this information, which we process as the data controller, is described in the Privacy Policy, available at https://koivu.cloud/privacy-policy/.

14.3 As a data processor, we process such personal data which you have provided to us (including collected or generated through the use of the Service) for the purpose of providing the Service. This processing of personal data is governed by a separate Data Processing Agreement entered into between you and us in connection with your signing up for the Service, which is attached hereto as Annex 1.

15. Customer Data

Customer, its subsidiaries, affiliates and customers retain all rights pertaining to all data, personal data or other information that Customer, or another party on Customer’s behalf, provides to Koivu for the purpose of providing the Service (“Customer Data”). Where permitted by Data Protection Laws, Koivu may process Customer Data or other data derived from the operation of the Service: (i) to build or improve the quality of its services (data shall be in aggregated and anonymous form); (ii) to detect security incidents; (iii) to protect against fraudulent or illegal activity and (iv) to create public statistics, for example, to enable Customers to benchmark their performance against industry level statistics (data shall be in aggregated and anonymous form). In no event does the aggregated data include any personally identifiable information or company level data.

16. Disclaimer of Warranties

YOUR USE OF THE SERVICE, INCLUDING, WITHOUT LIMITATION, YOUR USE OF ANY CONTENT ACCESSIBLE THROUGH THE SERVICE AND YOUR INTERACTIONS AND DEALINGS WITH ANY SERVICE USERS, IS AT YOUR SOLE RISK. KOIVU DOES NOT WARRANT UNINTERRUPTED USE OR OPERATION OF THE SERVICE OR YOUR ACCESS TO ANY CONTENT. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM THE SERVICE WILL CREATE ANY WARRANTY REGARDING KOIVU THAT IS NOT EXPRESSLY STATED IN THESE TERMS.

EXCEPT FOR ANY EXPRESS WARRANTIES INCLUDED HEREIN, WE DISCLAIM ALL WARRANTIES, TO THE MAXIMUM EXTENT PERMITTED BY LAW, EXPRESS OR IMPLIED, WITH RESPECT TO THE SERVICE, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE AND WE DO NOT WARRANT THE ACCURACY OF ANY DATA PROVIDED IN CONNECTION WITH THE SERVICE, OR THAT THE SERVICE IS FREE OF BUGS OR ERRORS.

17. Indemnification

17.1 Koivu will defend, indemnify and hold harmless Customer from and against any costs, damages, expenses, and liabilities (including, but not limited to, reasonable attorneys’ fees) arising out of or in relation to third-party claims or actions arising out of or relating to infringement of a third party’s intellectual property rights due to Customer’s use of the Service, except to the extent such claims or actions arise out of or are related to (i) any modification or combination of the Service by Customer with any service not provided by Koivu; (ii) any third-party programs, information, or data (including any Third-Party Services); (iii) any access or use of the Services by Customer in violation of these Terms, including the restrictions set forth in Section 6; or (iv) any data, information, or content provided by Customer.

Koivu’s indemnification obligation in this Section only applies under the condition that Customer has notified Koivu in writing of a claim or action within a reasonable time.

In case such third party claim is made or is likely to be made, Koivu is responsible, at its own cost, for obtaining any necessary rights for Customer to continue to use the Service under the terms of the Agreement or replace or modify the infringing part of the Service to be non-infringing without decreasing functionality. If Koivu is unable to replace or modify the infringing part, then Koivu may terminate this Agreement upon written notice to Customer, in which case Customer shall be entitled, as its sole remedy, to a pro-rata refund in the amount of the unused portion of any prepaid fees for the terminated Service calculated as of the effective date of termination. Koivu liability, and your sole remedy, for infringement of intellectual property rights in the Service shall be limited to this Section 17.1.

17.2 Customer will defend, indemnify and hold harmless Koivu from and against any costs, damages, expenses, and liabilities (including, but not limited to, reasonable attorneys’ fees) arising out of or in relation to third-party claims or actions arising out of or relating to:

(a) any breach by Customer or any Authorized User of the restrictions set forth in Section 6 above;

(b) any violation of applicable law by Customer;

(c) any data, information, or content inputted into the Service or otherwise provided by Customer, including any actual or alleged infringement of third-party intellectual property rights or rights to privacy arising out of any such data, information, or content, including Customer Data;

(d) any of Customer’s products or services;

(e) any material breach by Customer of this Agreement; or

(f) any gross negligence, willful misconduct, or fraud by Customer.

18. Limitation of Liability

Neither party nor its suppliers or licensors will be liable for any indirect, incidental, special, consequential, or exemplary damages, including, without limitation, damages for loss of profits, goodwill, use, data, or other intangible losses (even if such party or any supplier or licensor has been advised of the possibility of these damages), arising out of this Agreement.

Koivu’s maximum total liability towards the Customer and its Authorized Users for all claims under these Terms or otherwise in relation to the Service, whether in contract, tort, or otherwise, is limited to 100 EUR.

Any limitations of liability under this Section 18 shall not apply with respect breach of Section 13 (Confidential information) or in the event of gross negligence, willful misconduct, or fraud.

19. Governing law and dispute resolution

These Terms shall be governed and construed in accordance with the laws of Finland, without giving effect to principles of conflicts of law or to the Convention on Contracts for the International Sale of Goods. Any dispute, controversy or claim arising out of or relating to this contract, or the breach, termination or validity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Finland Chamber of Commerce. The seat of arbitration shall be Helsinki, Finland. The number of arbitrators shall be one. The language of the arbitration shall be English.

20. Other terms

Neither party will be responsible for any failure or delay in the performance of its obligations under this Agreement (except for any payment obligations) due to causes beyond its reasonable control (a “Force Majeure Event”), which may include, without limitation, labor disputes, strikes, lockouts, shortages of or inability to obtain energy, raw materials or supplies, denial of service or other malicious attacks, telecommunications failure or degradation, pandemics, epidemics, public health emergencies, governmental orders and acts (including government-imposed travel restrictions and quarantines), material changes in law, war, terrorism, riot, or acts of God.  Our failure to act in a particular circumstance does not waive our ability to act with respect to that circumstance or similar circumstances. Any provision of these Terms that is found to be invalid, unlawful, or unenforceable will be severed from these Terms, and the remaining provisions of these Terms will continue to be in full force and effect. The section headings and titles in these Terms are for convenience only and have no legal or contractual effect.

Neither party may assign this Agreement.

Koivu may change the content of these Terms, subject to posting a notice of change in its web page.

Any notices under or in relation to the Agreement shall be sent in accordance with the notice provisions in the Agreement.

By using the Service, you consent to receiving electronic communications from us. These communications may include notices about your account and information concerning or related to the Service.

ANNEX 1 Data Processing Agreement

1. Nature and purpose of the processing

This Data Processing Agreement (“DPA”) is an annex to and forms an inseparable part of the Agreement between the Customer or you and Koivu, regarding your use of our Services.

The agreed Service delivery may include processing of personal data by Koivu and its subcontractors, on behalf of the Customer, within the scope described in the Agreement. The purpose of this DPA is to set the terms and conditions governing such processing by Koivu on behalf of the Customer in compliance with the requirements set by the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection legislation, including the California Consumer Privacy Act of 2018 (“CCPA”) (collectively, “Data Privacy Laws”).

Koivu may process personal data only on behalf of the Customer solely to the extent necessary for the provision of the Services set forth in the Agreement and may not otherwise process or use personal data for purposes other than those set forth in this DPA or as reasonably instructed by the Customer in writing where such instructions are consistent with the terms of the Agreement. Koivu may not sell the Customer’s personal data, as the term “sale” is defined under the CCPA. This DPA shall take precedence over conflicting provisions relating to processing of personal data in the Agreement, unless otherwise expressly stated in this DPA.

The parties acknowledge and agree that the Customer enters into this DPA on behalf of itself and on behalf of its affiliates which utilize the Services as defined in the Agreement (“Affiliates”), thereby establishing a separate DPA between Koivu and each of the Customer Affiliates subject to the terms of this DPA. The Customer and Affiliates are jointly referred to as the “Customer”. Koivu enters into this DPA on its own behalf and on behalf of those of Koivu’s group companies that are involved in the processing of personal data under this DPA and the Agreement.

All references to “personal data”, “processing”, “data subject” and other terms defined in Data Privacy Laws and not expressly defined herein shall have the same meaning in this DPA as in Article 4 of the GDPR. When CCPA applies, these above-mentioned terms shall have the same meaning as defined in the CCPA; “controller” shall mean “Business” and “processor or “data processor” shall mean “Service Provider”.

In the event that under the Agreement it is agreed that Koivu’s cloud-based service shall be delivered by a third-party provider (Google, Microsoft or other) the parties acknowledge that any personal data processed within the cloud service shall be exclusively governed by the terms and conditions for the cloud service as stipulated and amended from time to time by the cloud service provider.

2. Term and termination of this DPA

This DPA shall become effective upon the Customer entering into the Agreement and shall remain in force during the validity of the Agreement and thereafter for as long as necessary for the finalization of the agreed processing of personal data.

3. Processing of your personal data

For the sake of clarity, it is noted that in relation to the personal data processed under this DPA, Koivu acts as a data processor or second data processor (a so-called sub-processor), and the Customer acts as a data controller or first data processor (to the extent Koivu process personal data for which a customer of the Customer is considered controller).

The types of personal data and categories of data subjects may include the following depending on the service(s) Koivu provides:

Categories of data subjects
The personal data will concern the following categories of data subjects: Customers or users (including prospective customer’s or user’s) of the Customer or Customer’s customers.
  Types of personal data
Online identifiers, such as cookie identifiers, internet protocol addresses and device identifiers; precise location data; client identifiers; Contact details, such as names, email addresses, phone numbers and addresses; Data relating to individuals provided to Koivu via the Services by (or at the direction of) the Customer, including to create and collaborate on reports, graphs and charts; Event data and CRM data relating to individuals provided to Koivu via the Services by (or at the direction of) the Customer, such as data about data subjects and the actions they take on or in relation to specific websites, apps, services or applications. Financial and transactional details such as accounting, sales, orders, invoices, payments and items purchased. Other personal data submitted to the Services by (or at the direction of) the Customer within the scope of the Agreement.

This DPA with the Agreement constitutes the instructions in accordance with which any such data is processed as per the date of entering into this DPA.

Koivu shall not process the personal data provided to Koivu via the Services by (or at the direction of) the Customer for any other purpose or otherwise deviate from the Customer’s instructions relating to the processing of personal data in any way, unless required to do so by the laws of the European Union or its member states to which Koivu is subject, in which case Koivu shall inform the Customer of that legal requirement before carrying out such processing (unless that law prohibits Koivu from doing so).

In the event that Koivu believes an instruction from the Customer is in breach of applicable data protection legislation or otherwise lacks instructions which, in Koivu assessment, are necessary to perform the processing of personal data in accordance with this DPA or applicable data protection legislation, Koivu shall promptly inform the Customer thereof and await further necessary instructions.

4. Responsibilities of the Customer

The Customer is the owner of its personal data and is responsible for the accuracy, legality, integrity and content reliability of such personal data. Customer shall, in its use of the Services, process personal data in accordance with the requirements of applicable data protection legislation and Customer will ensure that its instructions for the processing of personal data shall comply with applicable data protection legislation. Customer is solely liable for its compliance with Data Privacy Laws in its use of the Services. Customer must provide a written notification to Koivu without undue delay if it believes this DPA and Customer’s written instructions do not fulfil requirements of applicable Data Privacy Laws.

5. Assistance to the Customer

5.1 Koivu will assist the Customer in ensuring compliance with their obligations under Article 32 (security of processing), Article 33 (notification of personal data breaches to supervisory authorities), Article 34 (communication of personal data breach to data subjects), Article 35 (data protection impact assessments) and Article 36 (prior consultation), taking into account the nature of processing and the information available to Koivu. Any assistance by Koivu outside the scope of the services agreed under the Agreement shall be charged by Koivu at the then current rate applied by Koivu.

5.2 Koivu shall, taking into account the nature of the processing, assist the Customer by appropriate technical or organizational measures, in the fulfilment of the Customer’s obligations to respond to data subject requests relating to their exercise of their rights under Data Privacy Laws. In this respect, Koivu shall provide assistance only upon request by the Customer. Any request directed to Koivu by a data subject shall be referred by Koivu to the Customer without undue delay. Any assistance by processor outside the scope of the Services agreed under the Agreement shall be charged by Koivu at the then current rate applied by Koivu.

5.3 Koivu shall notify the Customer about any personal data breaches concerning the Customer’s personal data without undue delay after having become aware of such personal data breach. To the extent possible, the notification shall include the following information:

  1. Description of the nature of the personal data breach including where possible the categories and approximate number of data subjects and personal data records concerned;
  2. The name and contact details of Koivu data protection officer or other contacts where further information can be obtained;
  3. Description of the likely consequences of the personal data breach; and
  4. Description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

5.4 Where it is not possible for Koivu to provide the information as indicated in Section 5.3 at the same time as the notification of the personal data breach, the information may be provided in phases without undue delay.

6. Confidentiality and security

6.1 Koivu shall ensure that all persons authorized to process the personal data of the Customer are bound by an obligation of confidentiality with respect to such personal data, and only processes such personal data on instructions from the Customer, unless required to do so under applicable EU or EU member state law.

6.2 Koivu shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. This shall include, inter alia as appropriate, measures to:

  1. Implement and maintain technical and organizational measures for safeguarding the confidentiality, integrity, availability and resilience of systems and services processing personal data;
  2. Restore the availability and access to personal data in a timely manner in the event of an incident;
  3. Regularly test, assess and evaluate the effectiveness of technical and organizational measures for ensuring the security of the processing; and
  4. Pseudonymize and/or encrypt personal data.

6.3 On request, Koivu shall cooperate with the supervisory authority in the performance of its tasks and shall comply with decisions by the supervisory authority on security measures required to comply with the GDPR. If and to the extent the Customer or the supervisory authority instructs Koivu to perform any measure, activity or action outside the scope of the Services agreed to under the Agreement, then such instruction shall be considered a request for additional services pursuant to the Agreement and additional fees may apply.

7. Sub-processors and transfers to third countries

7.1 The Customer acknowledges that Koivu needs to engage other processors for carrying out specific processing activities, and that Koivu wishes to deliver standard services to its customers in a consistent, secure and efficient manner. Accordingly, the DPA shall constitute a general authorization by the Customer for Koivu’s use of sub-processors. Koivu shall ensure that sub-processors are bound by a written agreement that require them to provide at least the level of data protection required by Koivu under this DPA. Koivu shall inform the Customer of changes concerning its sub-processors, including the identity and location of new or replaced sub-processors. A list of sub-processors (including their name, country, processing activities and country/area where processing activities are carried out) is available at the end of this agreement or other location as designated by Koivu from time to time. Koivu will notify the Customers by adding the name and above-mentioned details of new and replacement sub-processors to the list prior to them starting sub-processing of personal data.

7.2 Where a sub-processor fails to fulfil its data protection obligation, Koivu shall remain fully liable to the Customer for the performance of that sub-processor’s obligations.

7.3 If the Customer has a reasonable objection to any new or replacement sub-processor, it shall notify Koivu of such objection in writing within ten (10) days of the notification. In case the Customer objects to the use of a specific sub-processor, the parties shall enter into good faith negotiations on how to resolve the issue. In case the negotiations do not solve the issue and the Customer opposes Koivu’s use of a specific sub-processor either party shall, for a justified reason and as a final remedy, be entitled to terminate the relevant Agreement on thirty days’ written notice.

7.4 Koivu and its sub-processors may transfer or process personal data outside the EU/EEA area.

7.5 When transfer of personal data by Koivu to a sub-processor outside the EU/EEA, is permitted as stated above, in case of any transfer Koivu shall ensure that transfer is only made to (a) a country deemed by the Commission to have an adequate level of protection, (b) entities having entered into the EU Commission standard contractual clauses approved by the European Union concerning the transfer of personal data to outside the EU/EEA or provided other appropriate safeguards as described in Article 46 of the GDPR.

7.6 Subject to the above and subject to Koivu keeping the Customer informed of any transfer of personal data outside the EU/EEA, the Customer gives its consent to the transfers and authorizes Koivu to agree on the use of privacy clauses on behalf of the Customer and to represent the Customer regarding those conditions of the standard contractual clauses that refer to the rights and liabilities of the Customer.

8. Retention of your data

Koivu has no obligation to store and Koivu will not store any of Customer’s data after the termination of your account and/or subscription of the Service.  Koivu will, at Customer’s election, promptly delete or return all personal data related to Customer’s account after the end of the provision of the Services relating to processing and delete existing copies unless applicable legislation requires storage of the personal data.

9. Audit

9.1 Koivu shall upon the Customer’s request make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and the GDPR.

9.2 The Customer or an auditor authorized by the Customer (however, not a competitor of the Koivu) is entitled to audit the activities pursuant to the DPA. The Parties shall agree on the time of the auditing and other details ahead of time and at latest 30 days before the inspection. The auditing shall be carried out in a way that does not impede the obligations of Koivu or its subcontractors in regard to third parties. The representatives of the Customer and the auditor must sign conventional non-disclosure commitments. The Customer shall be responsible for its own and Koivu’s expenses caused by the auditing. If notable defects are perceived during auditing, Koivu shall be liable for the costs incurred from remediating said defects.

9.3 Provided that the parties have an applicable Non-Disclosure Agreement in place, Koivu reserves the right to provide the Customer with a copy of a third-party certification or report in lieu of an onsite audit as described in 9.2 above. In the event the customer does not find all reasonably needed information from the report, then 9.2. will apply.

10. Damages

Koivu shall compensate the Customer for damages incurred by the Customer as a result of fault or negligence by Koivu, or by a sub-contractor to Koivu, in the processing of personal data in breach of the Agreement or this DPA, including for claims by data subjects or a supervisory authority against the Customer caused directly by Koivu’s breach of this DPA.

To clarify, the limitations of liability set forth in Section 18 of the Agreement shall apply.


Exhibit 1

Standard Contractual Clauses (Processors)

for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

Customer (as defined in the Agreement) (the data exporter)

And

Koivu’s sub-processor(s) as set forth in Section 7 of Annex 1 in the Agreement (the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1
Definitions

For the purposes of the Clauses:

(a)  ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

  • If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

  • The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9
Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Sub-processing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
  2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12
Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1 

to the Standard Contractual Clauses

This Appendix forms part of the Clauses

Data exporter

The data exporter is: Customer as set forth in the Agreement.

Data importer

The data importer is: Koivu’s sub-processor(s) as set forth in Section 7 of Annex 1 in the Agreement.

Data subjects

The personal data transferred concern the following categories of data subjects: data subjects as set forth in Section 3 of Annex 1 in the Agreement.

Categories of data

The personal data transferred concern the following categories of data: As set forth in Section 3 of Annex 1 in the Agreement.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data: As set forth in Section 3 of Annex 1 in the Agreement.

Processing operations

The personal data transferred will be subject to the following basic processing activities: Processing to carry out the Services pursuant to the Agreement (as defined in the Agreement and Annex 1).

Appendix 2 

to the Standard Contractual Clauses

This Appendix forms part of the Clauses. 

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

The data importer shall implement and maintain technical and organizational security measures as set forth in Annex 1.


Sub Processors

CompanyCountry Processing ActivitiesCountry/area where processing activities are carried out 
Google Ireland LimitedIrelandServers, storage, databases, cloud services and functionsUSA, Netherlands, Belgium, Germany, Finland