1.1 “Terms and Conditions” refers to these terms and conditions for providing the Services.
1.2 “Confidential Information” refers to what is outlined in paragraph 16 below.
1.3 “Company Account” is an account registered at Cinode by a company.
1.4 “The Customer” refers to a legal entity with an activated Company Account at Cinode.
1.5 “Cinode Account” refers to an individually registered User account, including User Details, a Profile and other associated features, such as a Resume.
1.6 “Profile” refers to details associated with a Cinode Account, stored in the Profile.
1.7 ”Customer Data” refers to data entered by the Customer into the Services that are stored in the Supplier’s software systems.
1.8 “The Supplier” refers to Cinode AB, org.nr 556825-8668.
1.9 “The Services” refers to the cloud services that are made available for the Customer by the Supplier using a public electronic network.
1.10 “The Web Service” refers to app.cinode.com
1.11 “Service Levels” refers to service levels agreed between both parties in regard to the Supplier providing Services to the Customer.
1.12 “Start Date” refers to the day when delivery of Services shall be initiated in accordance to what has been agreed upon. On the Start Date, the Supplier shall send login details or other activation instructions for Services to the Customer.
1.13 “The Data Controller” is defined according to GDPR article 4.
1.14 “The Data Processor” is defined according to GDPR article 4.
2.1 The Supplier provides the Customer with services through their website, http://app.cinode.com, according to these Terms and Conditions. If you enter into agreement in accordance with these Terms and Conditions as a Company or another form of legal entity, you certify that you have the legal and formal right to enter into agreement in the name of this legal entity.
2.2 If you are not entitled according to paragraph 2.1 or if you don’t agree to the Terms and Conditions, you are not entitled to use the Services.
2.3 The Supplier reserves the right to periodically update these Terms and Conditions.
3.1 The Services consist of (a) access to the Web Service, (b) Cinode’s software modules, which are provided via the Web Service, (c) configuration, settings, and support services, and (d) all software, data, text, images, audio, and video that is made available by using the Web Service. All new or changed features made available via the Services are included in these Terms and Conditions.
4.1 The Services include the number of accounts or other usage specified in the agreement.
4.2 The Services are delivered and produced by the Supplier, via the Supplier’s system. Work on Customer location is included in the Services if a separate Agreement has been entered into between both parties.
5.1 The Supplier undertakes to deliver the Services in accordance with the terms in the agreement, during the term of the agreement.
5.2 The Supplier processes Customer data as a Data Processor in accordance with GDPR article 28 and may only process personal data in accordance with the Data Processing Agreement.
5.3 The Supplier shall at its own expense update and upgrade the included software in the Services to the extent that the Supplier considers necessary for the performance of the Services.
5.4 The Supplier is entitled to hire subcontractors to fulfill the Supplier’s commitments. The Supplier is responsible for the services performed by subcontractors as if they were delivered by the Supplier. For processing of personal data, the Supplier shall obtain a separate permission or a written general permission from the Controller of Personal Data. The customer acknowledges the list of pre-approved subcontractors according to Data Processing Agreement.
6.1 The Customer undertakes to: (i) have access to the software and equipment that has been designated by the Supplier in writing; (ii) have access when needed to the working communication services that has been designated by the Supplier in writing; (iii) take any actions that are the responsibility of the Customer; (iv) ensure that the data that is submitted to the Supplier’s system is in an agreed upon format and is not infected by viruses or anything else that could harm or influence the Supplier’s systems or Services negatively; (v) immediately submit information or documentation relating to the Services if requested by the Supplier; (vi) follow instructions given by the Supplier relating the use of the Services; and (vii) assist the Supplier to a reasonable extent and take reasonable actions to enable the Supplier to deliver Services according to the agreement.
6.2 Login information and other instructions provided to the Customer from the Supplier in accordance to paragraph 6.6 below shall be managed by the Customer with secrecy in accordance to paragraph 15 below. The Supplier is responsible for only providing login information and other instructions to authorized Users. The Customer undertakes to immediately notify the Supplier if the employment for an employee who has authorization to administer company information has ended, or if someone else has or is feared to have been granted unauthorized access to login information or other instructions. The Customer is responsible for their Users’ usage of the Services.
6.3 The Customer agrees that the Services may only be used for legal purposes and the Customer undertakes to keep the Supplier indemnified from all third party claims directed against the Supplier as a result of the Customer’s use of the Services that are in violation of this provision, including but not limited to claims for infringement of third party intellectual property rights.
6.4 The Customer is responsible for Personal Data processed in the Services where the Customer is the Controller of Personal Data following current regulations for protection of Personal Data.
6.5 The Customer is responsible for the content created and managed by the Users that are associated with the Customer.
6.6 The Supplier shall provide the Customer with the Services from the start date by providing the Customer with login information and other instructions. The start date occurs when the Supplier or the Customer has created a Company Account in the Services with the associated login information and other instructions for accessing the Services.
7.1 The Supplier may perform continuous changes and additions to the Services. The Supplier shall notify the Customer in regard to significant changes or additions affecting the use of the Services to a large extent.
8.1 The Customer shall pay a fee according to the official price list or quotation.
8.2 Terms of payment are 30 days from the invoice date.
8.3 Fees are stated excluding VAT, taxes, and other charges.
8.4 The Supplier is entitled to revise the default price list and shall in such cases notify the Customer about those changes.
8.5 If the Customer hasn’t paid for the Services in time, the Supplier is entitled to cancel the delivery of the Services until it has been paid in full.
8.6 If, during the term of the agreement, there are law changes, governmental decisions, decisions in regard to changing or imposing taxes or public fees, or if the application of laws and regulations are changed and influence the delivery costs of the Services, the Supplier is entitled to adjust the fee for the Services to cover increased operating costs.
8.7 If the Supplier is charged with additional work or costs due to circumstances for which the Customer is responsible, the Supplier is entitled to charge such costs as per the Supplier’s applicable price list.
9.1 The Customer is aware that the Services occasionally can be made unavailable due to planned and/or unplanned maintenance.
9.2 The Supplier shall notify the Customer in reasonable time before planned maintenance of Services in accordance with current service hours according to 11.1.
9.3 The Supplier shall take reasonable actions to minimize the time for maintenance of the Services.
10.1 The Supplier shall provide users with support. The FAQ shall be maintained continuously and be available for users. If answers are not found in the FAQ, the Supplier shall provide users with Customer support via firstname.lastname@example.org. Cinode shall provide the Customer with advice and assistance in regards to the functionality of the Service.
10.2 After an error report, the Supplier shall rectify errors that hinder functionality of the services during regular working hours, unless otherwise agreed upon between the Parties. Troubleshooting includes, if applicable, directions for circumventing the error.
10.3 The Supplier shall initiate troubleshooting according the service level specified below. The hours in the table below should be calculated within regular working hours.
|Classification of Error||Description||Initiating Troubleshooting|
|Error Class 1||Errors that hinder functionality in the Service, making it impossible for the Customer to use the Service.||Within 1 hour|
|Error Class 2||Errors that significantly hinder functionality in the Service for the majority of the Customer’s use of the Service.||Within 3 hours|
|Error Class 3||Errors that hinder functionality in the Service for some of the Customer’s users, or errors that cannot be classified as Error Class 1, 2, or 4.||Within 8 hours|
|Error Class 4||Errors that hinder functionality in the Service to a lesser extent for the Customer/aesthetic errors.||Managed after decision by the Supplier within the scope of planned version management.|
10.4 If the Customer reports an error and it is found that the problem is not attributable to errors in the Service, Cinode is entitled to charge a fee for time spent on the report as per the Supplier’s regular prices. See Other Services.
10.5 In order to fulfill its obligations under this Agreement, Cinode is entitled to make changes to the Service to the extent Cinode deem necessary.
11.1 Services shall be available 99 % of the time Monday – Friday 08:00 – 18:00 outside of holidays. The period is measured by calendar month.
11.2 If the parties have no separate agreement regarding Service Level fees, the Customer is entitled to a reasonable reduction in fees in regard to the Services during the period to which the reduced Service Level applies.
11.3 Any compensation claims due to service levels not being met may not exceed thirty (30) % of the monthly fee for the Services unless otherwise agreed upon.
11.4 The Supplier’s obligations under paragraph 5 only apply when the Customer has fulfilled all the obligations stated in paragraph 6 above.
11.5 Furthermore, the Supplier is not responsible for non-fulfillment of agreed upon claims if the failure is caused by: (i) the Customer or a circumstance that the Customer is responsible for; (ii) downtime in communication services; (iii) planned downtime of Services due to maintenance of Services and/or of the Supplier’s systems; or (iv) circumstances that the Supplier could not reasonably avoid, including but not limited to, force majeure according to paragraph 16 below, and viruses or other harmful attacks.
11.6 The Supplier’s responsibilities according to paragraph 5 apply when: (i) the Supplier is made aware of the defect in the Services by the Customer within thirty (30) days from the discovery of the defect, or from when the Customer should have discovered the defect; and (ii) the Customer provides the Supplier with information that is necessary to analyze the defect.
11.7 This paragraph (11) represents the sole responsibility of the Supplier in terms of defects and delays of Services.
12.1 The Supplier and/or the Supplier’s licensor owns all rights, including intellectual property rights, of Services and related software, including but not limited to, patents, copyright, trademark protection, and trademarks. Nothing in the design of the Service or in the correspondence between the Customer and the Supplier shall be construed as the above-mentioned rights, or part of the rights, being transferred to the Customer.
12.2 The Supplier undertakes to indemnify the Customer in respect to third party claims based on the Customer’s use of the Services, or part of the Services, in Sweden and in other countries agreed upon in writing, being in violation of those third parties’ intellectual property rights. The Supplier’s responsibility according to paragraph 5 does however require that the Customer has used the Services in accordance with all terms and conditions.
12.3 The Supplier’s responsibilities according to this paragraph (12) only apply on condition that: (i) the Customer promptly notifies the Supplier regarding claims directed towards the Customer; (ii) the Supplier is given the exclusive right to decide how the process is conducted; and (iii) the Customer complies with the Supplier’s instructions and provides the Supplier with reasonable assistance requested by the Supplier.
12.4 In the event that infringement of third party intellectual property rights has occurred, the Supplier shall, at its own discretion: (i) assure the Customer continued right to use the Services; (ii) change the Services to remove any infringement; (iii) replace the Services, or parts of the Services, with other equivalent services that cannot be considered to be an infringement; or (iv) terminate the Services and after deduction, to the Customer’s reasonable benefit, reimburse the Customer’s paid fee for the Services without interest.
12.5 This paragraph (12) constitutes the sole responsibility the Supplier has towards the Customer in terms of infringement of third party intellectual property rights.
13.1 The Customer holds all rights to the Customer’s Data and the Supplier receives no rights to the Customer’s Data.
13.2 The Supplier is entitled to use information about the use of the Service for business development purposes or for example, but not limited to, providing benchmarking information or other value adding features that can be included in the Service. However, the Supplier is bound to only show aggregated, unidentifiable information that can’t be attributed to an individual Customer or individual User. The Customer is entitled to not include their data in such value adding features, but will then not be able to use such functions.
13.3 Unless otherwise agreed, the Supplier is entitled to compensation for the work required to transfer data to the Customer in accordance with the Supplier’s current price list for corresponding services.
14.1 With the limitations stated below, the Supplier is liable for harm that the Supplier has inflicted on the Customer by negligence in the performance of the services.
14.2 In no event shall the Supplier be liable for the Customer’s loss of profits, revenue, savings or goodwill, losses due to outage, losses of data, any liability the Customer has in regards to third parties, or indirect damage or consequential damage of any kind.
14.3 The total liability of the Supplier regarding one or more events (whether or not they are related) shall in no case exceed the monthly fee for the services.
14.4 This paragraph (14) is not applicable in relation to the Supplier’s liability for infringement of intellectual property rights according to paragraph 12.
14.5 The Customer shall, in order to not lose their rights, make claims for damages within three (3) months after the Customer noticed or should have noticed the cause for the claim, and no later than six (6) months after the damage occurred.
14.6 The Customer is responsible for all Users using the Services under the trademark of the Customer.
14.7 The Supplier is not responsible for information published by third parties.
15.1 The party providing material is responsible for obtaining the required rights from the correct rights holder.
16.1 Both parties undertake to not disclose to third parties, without the consent of the other party, information about the other party’s business that could be considered business or professional secrets, or by law be subject to confidentiality (“Confidential Information”). Information that one party has labeled confidential shall always be considered as Confidential Information.
16.2 Parties shall be responsible for the compliance of their respective employees and consultants with the provisions set forth herein and shall by accepting this privacy agreement or other appropriate measures ensure confidentiality compliance.
16.3 The party’s confidentiality obligation according to this paragraph (16) does not apply if such confidential information: (i) is already known by the receiving party; (ii) is or has become public knowledge without violating the confidentiality of the receiving party; (iii) has been obtained in a proper way by the receiving party from a third party that is not bound by confidentiality vis-à-vis the issuing party; or (iv) if it is incumbent on the receiving party to make information public through court orders, government decisions, or if it is in any other way required by law.
16.4 The party’s confidentiality obligation according to the agreement is valid during the term of the agreement and also for a period of three (3) years after the agreement has expired.
16.5 The Supplier shall ensure that people who are authorized to process personal data have agreed to comply with confidentiality.
17.1 If compliance with any party’s obligation is prevented or obstructed by circumstances beyond the control of each party, such as lawsuits, labor conflicts, mobilization or great military action, government decisions, restrictions on power, goods, and energy or defects or delays in delivery from subcontractors due to circumstances set forth herein, this shall constitute an exemption which implies delays and exemption from penalties, provided that the party that cannot fulfill their obligations immediately have informed the other party about the situation. If the fulfillment of the agreement is delayed more than six (6) months, the other party is entitled to terminate the agreement.
18.1 The agreement will commence when the agreement is accepted. It is valid until further notice.
19.1 The Customer is entitled to terminate the Services with a notice period of 30 days.
19.2 Both parties are entitled to immediately terminate the contract by giving written notice: (i) if the other party substantially violates their responsibilities under the agreement and do not make correction within thirty (30) days after a written request; or (ii) if the other party is put into bankruptcy, enters into liquidation, initiates business reconstruction, resigns their payments or in any other way can be considered insolvent.
19.3 The Customer is upon termination according to the above not entitled to recover any excess of advances paid or any other expenses relating to time after the termination of the agreement.
20.1 In the case of decommissioning of the Service, the Supplier shall to a reasonable extent for compensation assist the Customer in transferring the Customer’s Data to the Customer or to a third party designated by the Customer in a way that creates as little impact as possible for the Customer.
20.2 The Supplier shall upon the Customer’s request delete or return the Customer’s data after the Services have been terminated.
20.3 The Supplier shall be entitled to compensation for the work performed according to this paragraph (20) in accordance with the Supplier’s current price list for corresponding services.
21.1 Termination or other notices shall be sent by courier, registered letter, or electronic messaging to relevant parties.
21.2 The notice shall be considered received by the recipient: (i) if submitted by courier: upon delivery; (ii) if sent by registered letter: two (2) days after handing it over to the postal service; or (iii) if sent as electronic notice: when the electronic message has been delivered to the recipient’s electronic address.
22.1 Disputes concerning interpretation and/or application of the agreement shall be settled in accordance with Swedish law, except for compulsory international private law.
22.2 Disputes shall be settled by a public court where the Supplier has its registered office.
1.1. This Processor Agreement and Appendices 1 and 2 jointly constitute the “Processor Agreement” or “Data Processor Agreement”. Between the Customer and the Supplier there is an agreement (the "Service Agreement") regarding the services that the Supplier shall provide to the Customer, and this Data Processor Agreement governs the processing of Personal Data in connection with the Service Agreement. The Service Agreement states that the Supplier shall process Personal Data on behalf of the Client, and what the Supplier is responsible for performing.
1.2. Unless stipulated otherwise, the provisions of the Data Processor Agreement shall take precedence over the provisions of the Service Agreement.
1.3. This Agreement is intended to comply with the Data Protection Laws’ rules that there shall be a written agreement on the Processor's Processing of Personal Data on behalf of the Controller. This Data Processor Agreement also governs the technical and organisational measures that the Supplier and its potential Subcontractors are to implement and maintain for the protection of Personal Data.
1.4. This Data Processor Agreement is valid for as long as the Service Agreement is in force between the parties, and thus ends when the Service Agreement ends unless the parties have agreed otherwise.
2.1. “Customer” means the organisation that has contracted under the Supplier's Terms of Service to use the Supplier’s Service Modules.
2.2. “Controller” means the party that determines the purposes and means of processing Personal Data, acting alone or with others.
2.3. “Processor” means the party that processes personal data on the Controller’s behalf.
2.4. “Data Protection Laws” means the applicable laws that aim at protecting the fundamental rights and freedoms of individuals, and specifically their privacy. They include the Customer's national legislation, Directive 95/46/EC and Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), as replaces Directive 95/46/EC.
2.5. “Data Subject” means an identified or identifiable natural person, as defined under the Data Protection Laws.
2.6. “Instruction” means written instructions for the processing of personal data by the Supplier. Such instructions are provided in the Data Processor Agreement, but may be updated or modified from time to time by separate written instructions from the Customer.
2.7. “Personal Data” means any piece of information that refers to an identified or identifiable natural person, as defined under the Data Protection Laws.
2.8. “Processing” means an action or combination of actions concerning personal data, as defined in the Data Protection Laws.
2.9. “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that is Processed under the Service Agreement.
2.10. “Subcontractor” means any third party which the Processor engages to carry out its obligations under the Service Agreement and/or this Data Processor Agreement in accordance with Section 6, and which through this engagement Processes Personal Data for which the Customer is the Controller.
2.11. The “Supplier” is Cinode, Corporate ID number 556825-8668, Torsgatan 21, 113 21 Stockholm, Sweden.
2.12. “Transfer” means a cross-border transfer of Personal Data to territories outside the EU in accordance with Section 11.
3.1. Purpose and categories of Processing and types of data processed. The nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects covered under this Data Processor Agreement are specified in Appendix 1.
3.2. Controller. The Customer is the Controller for all information that the Customer shares with the Supplier for the Processing of Personal Data under the Service Agreement. The Customer is responsible for ensuring that the Personal Data is collected legally, and for the accuracy and quality of the Personal Data. The Customer holds all rights to the Customer’s Data and the Supplier receives no rights to the Customer’s Data
3.3. Processor. The Supplier and its Subcontractors are Processors for the Processing of Personal Data under the Service Agreement, and shall only process Personal Data on behalf of the Customer and in accordance with the Customer’s Instructions. The Supplier is responsible for ensuring that Subcontractors that it engages only Process Personal Data in accordance with the Data Processor Agreement and the Data Protection Laws.
3.4. Purpose of Processing. The Customer is the party that decides on the purpose of the Processing of Personal Data under the Service Agreement. The purpose of the Processing of Personal Data by the Supplier is limited to
a) Providing the agreed services such as the provision of software, consulting services, maintenance, support and other services in accordance with the Service Agreement;
b) Implementing, managing and monitoring any underlying infrastructure required to provide services under the Service Agreement and to fulfil the stipulated technical and organisational requirements for the protection of Personal Data;
c) Communicating with the Customer and Customer’s personnel;
d) Implement the Customer’s Instructions in accordance with Section 3.5; and
e) Handling service problems, Incidents or Security Breaches.
f) The Supplier is entitled to use information about the use of the Service for business development purposes or for example, but not limited to, providing benchmarking information or other value adding features that can be included in the Service. However, the Supplier is bound to only show aggregated, unidentifiable information that can’t be attributed to an individual Customer or individual User. The Customer is entitled to not include their data in such value adding features, but will then not be able to use such functions.
3.5. Instructions. The Customer is responsible for giving the Supplier Instructions for the Processing of Personal Data under the Service Agreement. The Supplier shall only manage the Customer's Personal Data in accordance with the Data Processor Agreement and Instructions given by the Customer from time to time. If the Supplier deems that an instruction is contrary to the requirements of the Data Protection Laws, the Supplier shall notify the Customer thereof without delay. The Controller’s original Instructions to the Processor regarding the object and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of data subjects are listed in this Data Processor Agreement and in Appendix 1.
4.1. Confidentiality. The Supplier is responsible for ensuring that Supplier’s and its Subcontractors’ personnel who Process Personal Data for which the Customer is the Controller shall maintain secrecy, have received suitable training on Personal Data and are bound by non-disclosure agreements. The obligation of confidentiality shall remain in force even after this Data Processor Agreement has otherwise cease to be in force. Otherwise, what is stated in the Service Agreement shall apply to the Supplier's obligation of confidentiality.
4.2. Restricted access. The Supplier is responsible for ensuring that only the personnel of the Supplier and the Subcontractor who need the Personal Data to fulfil the Supplier's commitment under the Service Agreement shall have access to the Personal Data.
5.1. Technical and organisational measures. The supplier shall take the technical and organisational measures for the protection of the Personal Data that are appropriate with regard to the sensitivity of the Personal Data; the particular risks that exist; existing technical capabilities and the costs of implementing the measures. The Personal Data shall be protected from any type of unauthorized Processing such as change, destruction or unauthorised access and dissemination. The Supplier accordingly undertakes to take all the measures stipulated in Article 32 of the GDPR. The Supplier shall be prepared to comply with a competent authority’s decision on measures to comply with the Data Protection Laws’ security requirements.
5.2. Rights of the Data Subject. The Supplier shall notify the Customer without delay if the Supplier receives a request from a Data Subject regarding his or her rights, such as information, correction or deletion of the Data Subject’s Personal Data. The Supplier shall not respond to such a request without the Customer's written consent, except for the purpose of notifying the Data Subject that the request has been received and forwarded to the Customer. The Supplier shall assist and help the Customer in managing Data Subjects’ inquiries and rights, unless the Supplier is prevented from doing so by law or by official decision.
5.3. The Supplier shall assist the Customer in fulfilling his or her duties as a Controller of Personal Data to respond to requests regarding the registered user’s rights
5.4. Official communications. The Supplier shall notify the Customer without delay if a government authority contacts the Supplier regarding or pertinent to the Personal Data managed under the Service Agreement. At the Customer's request, the Supplier shall, to a reasonable extent, help the Customer with such an official communication, and otherwise provide information so that the Customer is able to respond to the official communication within a reasonable period of time. The Supplier has no right to respond on the Customer’s behalf or act in the Customer's Name.
6.1. Use of Subcontractors. The Supplier may engage Subcontractors for the Processing of Personal Data under the Service Agreement subject to what is otherwise stipulated in this Section 6, and only for the purposes specified in Section 3.4.
6.2. Change in Subcontractor. The Supplier has the right to terminate a Subcontractor or engage other appropriate and reliable Subcontractors, provided that the rules in Section 6 are applied. Before engaging a new Subcontractor, the Supplier shall notify the Customer in writing of the new Subcontractor, and upon receipt of the notice the Customer has a right to object to the new Subcontractor in accordance with Section 6.4.
6.3. Contractual obligation. The Supplier is responsible for ensuring that all Processing of Personal Data performed by a Subcontractor is governed by a written agreement with the Subcontractor that corresponds to the requirements of this Data Processor Agreement at least.
6.4. Objections. If Customer has cause to object to any Subcontractor, the Customer shall notify the Supplier of this in writing. If the Customer wishes to exercise its right under Section 6.2 to object to a proposed new Subcontractor, the Customer shall notify the Supplier in writing within ten (10) days of receipt of the supplier's notice in writing.
6.5. Resolution of objections. In the event that the Customer has objected to a Subcontractor in accordance with Section 6.4 above, the parties shall discuss various activities to resolve the reason for the Customer's objection together. If the parties can not agree on any solution within a reasonable period of time, which shall not exceed thirty (30) days, the Customer may terminate the agreement by notifying the Supplier in writing. The supplier shall then refund any payments made in advance for the agreed services under the Service Agreement.
6.6. Supplier’s responsibility. The Supplier is responsible for the Subcontractor's Processing of Personal Data under the Service Agreement, and is fully responsible for Subcontractors who do not fulfil their obligations according to the Data Processor Agreement.
6.7. List of Subcontractors. The Supplier shall maintain a list of all Subcontractors who process Personal Data in connection with the Service Agreement, and shall send a copy of the list upon the Customer’s request.
7.1. Customer’s right to perform an audit. The Supplier shall provide the Customer and Customer’s independent auditors with access to such information and Supplier’s premises as may reasonably be necessary for the Customer to be able to verify that the Supplier its fulfilling its obligations according to the Data Processor Agreement. The Customer shall, within a reasonable period of time (at least thirty (30) days), notify the Supplier before such an audit unless otherwise required by a government authority, or the Customer has reason to suspect that the Supplier or a Subcontractor is not fulfilling its obligations according to the Data Processor Agreement. Each party shall be responsible for its own costs during an audit.
7.2. Audit results. If an audit has shown that the Supplier or a Subcontractor has not fulfilled its obligations according to the Data Processor Agreement, the Supplier shall promptly manage and correct this. Such corrective action does not affect the Customer's other possible claims and rights under the Data Processor Agreement.
8.1. Incident management. The supplier shall evaluate and act upon events suspected of possibly resulting in unauthorised access or Processing of Personal Data (“Incidents”). If there is a risk that the Incident may lead to unplanned or illegal deletion, loss, alteration or release to unauthorised persons, the Supplier shall promptly notify the Customer of the Incident and provide all relevant information related to the Incident. The Supplier shall develop appropriate steps to manage the Incident and cooperate with the Customer when appropriate to protect the Personal Data, with the aim of restoring the confidentiality, privacy and availability of the Personal Data.
8.2. Security Breach. The Supplier shall promptly notify the Customer and confirm that the notification was received as soon as a Security breach is discovered that could pose or could have posed a risk to the Personal Data Processed under the Service Agreement. The Supplier shall promptly investigate the Security Breach and take measures to reduce the damage, identify the basic problem and prevent it from happening again. The Customer shall be updated with relevant information related to the Security Breach and the Supplier's work on the Breach while the work is proceeding, and the Supplier shall cooperate with the Customer when appropriate to reduce the damage and protect the privacy of the Data Subjects.
9.1. Return and deletion. Within thirty (30) days of expiration of the Service Agreement, the Supplier shall delete all Personal Data that the Supplier Processed under the Service Agreement, including Personal Data managed in backups and the like, unless otherwise agreed in writing. Before deletion, the Supplier shall return all Personal Data that the Supplier Processed under the Service Agreement upon the Customer's request.
10.1. Damages and penalties. If the Supplier fails to fulfil its obligations under this Data Processor Agreement, what was agreed in the Service Agreement regarding liability and damages shall apply, except that: The Supplier is liable for claims and damages from a Data Subject and administrative measures and/or penalties from an authority targeting the Customer based on the failure of a Supplier or a Subcontractor fulfil its obligations according to the Data Processor Agreement.
11.1. In general. The Supplier and its Subcontractors shall only process Personal Data under the Service Agreement within the EU and those countries deemed by the Commission to have an adequate level of protection, unless otherwise agreed in writing.
11.2. Transfers. If the Customer has approved the Transfer in writing, the Supplier or its Subcontractors may Process Personal Data outside the EU and those countries deemed by the Commission have an appropriate level of protection only if:
a) The recipient has been deemed to guarantee an adequate level of protection of the Personal Data through certification under the Privacy Shield Agreement, or;
b) The transfer and rights and freedoms of the data subjects are protected through approved Binding Corporate Rules pursuant to Article 47 of the GDPR, or;
c) The transfer and rights and freedoms of the data subjects are protected through the Commission's Standard Contractual Clauses.