LOADING
Pricing
Knowledge
FAQ
Book A Demo

Terms and Conditions

BY USING THE SERVICE, CUSTOMER AGREES THAT CUSTOMER HAS READ AND UNDERSTOOD, AND AS A CONDITION TO CUSTOMER’S USE OF THE SERVICE, CUSTOMER AGREES TO BE BOUND BY THESE GENERAL TERMS AND CONDITIONS (“GENERAL TERMS”). THE PERSON WHO ENTERS INTO THE ORDER ON CUSTOMER’S BEHALF REPRESENTS THAT SUCH PERSON HAS THE AUTHORITY TO AND DOES BIND CUSTOMER TO THESE GENERAL TERMS. For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, Kuvio and Customer agree as follows:

1. General

1.1 These general terms and conditions (the “General Terms”) shall apply to the delivery of the Service to the Customer. Details of the delivery are provided in the applicable purchase order (“Order”).

1.2 The following order of precedence shall be applied in the event of conflict or inconsistency between the Order and these General Terms: (i) the Order; (ii) schedules included with or referenced to in the Order or General Terms; (iii) these General Terms.

2. Definitions

2.1 Capitalized terms used in these General Terms shall have the following meaning:

  1. “Advertising Spend” means Customer’s monthly cost for the online advertising for which the Service will be used.

  2. “Agreement” means these General Terms and any Order referencing these General Terms, and any other schedules, supplements, statements of work, exhibits or appendices thereto, whether attached or incorporated by reference.

  3. “Confidential Information” means, with respect to Customer, the Customer Data, marketing and business plans and/or Customer financial information, and with respect to Kuvio: (a) the Service and service offering terms, including, without limitation, all (i) computer software (both object and source code) and related Documentation or specifications; (ii) techniques, concepts, methods, processes and designs embodied in or relating to the Service; and (iii) all application program interfaces, system security and system architecture design relating to the Service; and (b) Kuvio research and development, service offerings, pricing and availability. In addition to the foregoing, Confidential Information of either Kuvio or Customer (the Party disclosing such information being the “Disclosing Party” and the Party receiving such information being the “Receiving Party”) may also include information which the Disclosing Party protects against unrestricted disclosure to others that (i) the Disclosing Party or its representatives designates as confidential at the time of disclosure; or (ii) should reasonably be understood by the Receiving Party to be confidential given the nature of the information and the circumstances surrounding its disclosure.

  4. “Customer” means the entity that has entered into the Agreement: (i) by execution of an Order that references these General Terms; (ii) by having started using the Service after signing up for it at Kuvio’s website; or (iii) by any other legally binding method of acceptance of the Agreement.

  5. “Customer Data” means any data that Customer imports to the Service from a Data Source or that is generated from such data as a result of Customer’s use of the Service.

  6. “Effective Date” means the earlier of (i) the start date for the Service set out in the Order; or (ii) date of signing of the Order.

  7. “Data Destination” means a destination to which Customer Data is exported from the Service.

  8. “Data Source” means a digital source from which Customer Data is imported to be used in the Service.

  9. “Digital Advertising Data Source” means a Data Source whose data derives from digital advertising on the Internet.

  10. “Documentation” means Kuvio’s technical and functional documentation for the Service, prevailing at the time, which is made available to Customer.

  11. “Kuvio” is a registered trademark of Bluebird Devs AB, reg. no. 559298-6185, with its principal place of business at Drottninggatan 71C 29, 111 36 Stockholm, Sweden.

  12. “Media Agency” a company that is directly or indirectly using the Service to provide media services or products to its clients.

  13. “Order” means the written order form provided by Kuvio (including, if Customer is ordering the Service online, a registration website) entered into by the Kuvio entity noted on the order and Customer containing the pricing, subscription period, Data Sources and Data Destinations, and other specific terms and conditions applicable to the Service.

  14. “Other Data Sources” means another Data Source than a Digital Advertising Data Source.

  15. “Party” or “Parties” shall mean each of Kuvio or Customer or Kuvio and Customer together.

  16. “Service” means the Kuvio software as a service, described in the Order and Documentation or as provided by Kuvio when the Customer has signed up for using it at Kuvio’s website (subject to payment or for use during a free trial), including upgrades and updates thereto made available to the Customer pursuant to the Agreement.

3. Use of the Service

3.1 Provision of the Service. Kuvio shall make the Service available to Customer in accordance with the Order and during the term and hereby grants to the Customer a non-exclusive, non-transferable, non-sublicensable right to permit users to remotely access and use the Service solely for Customer’s own internal business purposes as permitted by and subject to the terms of the Agreement and the Documentation. If Customer is a Media Agency, Customer may use the Service to provide services to its designated clients, subject to the restrictions in Section 3.2. Any charges from a Data Source or a Data Destination provider, shall be the responsibility of the Customer (as part of the relationship between Customer and such third party).

3.2 Restrictions. Customer may not: (i) sublicense, license, sell, lease rent or otherwise make the Service available to a third party; (ii) circumvent or disclose the user authentication or security of the Service or any host, network, or account related thereto; (iii) share non-public Service features or content with any third party; (iv) copy any ideas, features, functions or graphics of the Service or translate, disassemble, decompile, reverse-engineer or otherwise modify any parts of the Service; (v) infringe the intellectual property rights of any entity or person; (vi) interfere with or disrupt the Kuvio software or Kuvio systems used to provide or host the Service, or other equipment or networks connected to the Service; (vii) access the Service in order to build a competitive product or service, to build a product using similar ideas, features, functions or graphics of the Service, or to copy any ideas, features, functions or graphics of the Service; or (iix) use the Service in a way that does not comply with applicable law.

3.3 Change or modification of the Service. Kuvio may change or modify the Service at any time, including restricting the number of subaccounts. During the term, Kuvio shall not materially diminish, reduce or eliminate any of the core functionalities of the Service. Customer shall be automatically entitled (as a part of and limited to its existing Agreement) to any functionality that is (as determined by Kuvio, acting reasonably) a direct replacement or succession of any functionality removed from or replaced in the Service without any payment of additional fees. For the avoidance of any doubt, Customer shall not be entitled to any functionality that is beyond the scope of an Order. Where Kuvio has materially diminished, reduced or eliminated any core functionality in the Service and no equivalent functionality is otherwise made available to the Customer, then Customer may terminate the Agreement in accordance with Section 11.

3.4 Setup Services and Support, Service Quality. Kuvio shall free of charge provide the setup services and support, which may reasonably be required by the Customer to understand and use the functionality of the Service. Setup services and support and the service quality shall comply with reasonable market practice.

3.5 Information Security. Kuvio undertakes to use good industry practices for information security (such as password protection, encryption, and firewall protection, logging and monitoring) when providing the Service.

4. Customer’s responsibilities and obligations

4.1 Customer Data. Customer is solely responsible for the accuracy, quality and integrity of the Customer Data that Customer enters into the Service or provides for input into the Service. Customer represents and warrants that it has collected and shall maintain and process all Customer Data in compliance with all applicable privacy and data protection laws and regulations. Customer is solely responsible for determining the suitability of the Service for Customer's business and complying with any laws and regulations applicable to the Customer Data and Customer’s use of the Service.

4.2 Use of Data. Customer hereby grants to Kuvio a non-exclusive right to collect and analyse data and other information relating to the provision, use and performance of various aspects of the Service and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom), and Kuvio shall be free (during and after the term hereof) to (i) subject to Section 8, use such information and data to improve and enhance the Service and for development, diagnostic and corrective purposes in connection with the Service and other offerings, and (ii) disclose such data solely in aggregated or other de-identified form in connection with its business.

4.3 Customer Account. Customer shall designate one of its employees to be the point of contact with Kuvio for the management and support of the Service, and who will be responsible for establishing and managing Customer’s use of the Service, including the creation of usernames and passwords to access Customer’s account. Customer is solely responsible for maintaining the status of its user base. Customer will safeguard all user authentication credentials in its possession or under its control. Customer is responsible for all activities that occur under its account, including without limitation unauthorised access. Customer will notify Kuvio immediately if Customer believes an unauthorised third party may be using Customer’s account or if Customer’s account information is lost or stolen.

4.4 User Data. When fulfilling its obligations under the Agreement, Kuvio will collect and process such information, which is necessary to administrate Customer’s access and use of the Service and may constitute personal data, e.g. email addresses, authentication credentials and other data related to the use of the Service. Kuvio will be the controller and responsible for the processing activities mentioned in this Section 4.4 and Customer shall ensure that its users, which may be subject to such processing, are duly informed about it and consents to the processing. Kuvio’s privacy notice for its processing of personal data in capacity of controller is available at https://kuvio.io/privacy.

4.5 Suspension. Kuvio may, in addition to such other remedies as Kuvio may have, suspend Customer’s right to access or use any portion of the Service immediately without advance notice to Customer if Kuvio determines that Customer’s or its users’ use of the Service (i) do not comply with the prohibitions described in Section 3.3; (ii) poses a security risk to the Service or any third party; (iii) may adversely impact the Service, or the networks or data of any other Kuvio service provider, customer or business partner; (iv) does not comply with applicable law; or (v) may subject Kuvio or any third party to liability; or (vi) is a violation of the infrastructure provider’s acceptable use or similar policy. Kuvio will notify Customer of the reason for such suspension and may terminate the Agreement if Customer fails to rectify such use within thirty (30) days from notification by Kuvio.

5. Personal Data

Customer may choose to import data from Data Sources which could include personal data in the Service. Accordingly, Kuvio may process personal data when providing the Service. The Customer is, or shall be regarded as a controller of the processing of such personal data and Kuvio is, or shall be regarded as, a processor of such personal data. Kuvio will process such personal data in accordance with the terms set forth in Schedule A Data Processing Agreement.

6. Ownership of Intellectual Property Rights

6.1 Kuvio IP. Kuvio, or its licensors, own all right, title and interest in and to any and all copyrights, trademark rights, patent rights, database rights and other intellectual property or other rights in and to the Service, including without limitation all software, integrations, integrations with Data Sources and Data Destinations, technology and other rights used to provide the Service, and all graphics, user interfaces and any documentation, any improvements, design contributions or derivative works thereto, and any knowledge or processes related thereto and/or provided hereunder. Except for the limited rights expressly granted herein, the Agreement does not transfer from Kuvio any proprietary right or interest in the Service. All rights not expressly granted to Customer in the Agreement are reserved to Kuvio and its licensors.

6.2 Customer IP. Customer shall own all right, title and interest in and to any copyrights, trademark rights, patent rights, database rights and other intellectual property or other rights in and to the Customer Data. Except for the limited rights expressly granted herein, the Agreement does not transfer from Customer any proprietary right or interest in the Customer Data. All rights regarding Customer Data not expressly granted to Kuvio in the Agreement are reserved to Customer.

7. Fees and Payment

7.1 Fees. Customer shall pay to Kuvio the fees for the Service. Except as expressly set forth in the Order, the Service is non-cancellable and all fees are non-refundable. Customer shall have no right to withhold or reduce fees under the Agreement or set off any amount against fees owed for alleged defects in the Service.

7.2 Payment. Customer shall pay to Kuvio the fees for the Service provided hereunder, in the amount set forth in the Order, by recurring credit card charges made on the first day of each subscription period or by invoice within thirty (30) days from the invoice date. Payment shall always be made by the start date when paying by credit card and prior to the start date of the Service when paying by invoice. Without limiting any other rights or remedies Kuvio may have, any amount not paid when due will be subject to interest equal to the lesser of: (i) 1.5% per month of the overdue amount; or (ii) the highest lawful rate allowed by applicable law. Such interest shall accrue on a daily basis from the due date until actual payment of the overdue amount, whether before or after judgment. In addition to any interest due under this Section 7.2 Customer shall reimburse any costs or expenses (including, but not limited to, any penalties, charges and legal and other reasonable professional costs and expenses) incurred by Kuvio to collect any amount that is not paid when due.

7.3 Taxes. All fees are exclusive of taxes, levies, and duties, and Customer shall be responsible for payment of all such taxes, levies, and duties, including value-added tax (VAT), withholding, or similar taxes. Kuvio may calculate taxes based on the billing information Customer provides.

7.4 Fee Increase. Kuvio may increase the fees for the Service, which will be effective at the beginning of the next subscription period. Kuvio will notify Customer of any increase prior to it becoming effective; notice may be in the form of an invoice. Customer acknowledges that expiration of any discount or incentive programs to which Customer was previously entitled does not constitute a fee increase.

7.5 Effects on non-payment. Kuvio may suspend Customer’s access to the Service without advance notice if Customer fails to pay in full when due. Kuvio will notify the Customer of the reason for the suspension.

8. Confidentiality

8.1 Restrictions on Use and Disclosure. Confidential Information shall not be used or reproduced in any form except as required to accomplish the intent of the Agreement. Any reproduction of any Confidential Information of the other Party shall remain the property of the Disclosing Party and shall contain any and all confidential or proprietary notices or legends, which appear on the original. With respect to the Confidential Information of the other, each Party (i) shall take all Reasonable Steps (defined below) to keep all Confidential Information strictly confidential; and (ii) shall not disclose any Confidential Information of the other to any person other than individuals whose access is necessary to enable it to exercise its rights and/or perform its obligations hereunder and who are under obligations of confidentiality substantially similar to those set forth herein. As used herein “Reasonable Steps” means those steps the Receiving Party takes to protect its own similar proprietary and confidential information, which shall not be less than a reasonable standard of care. Confidential Information of either Party disclosed prior to execution of the Agreement shall be subject to the protections afforded hereunder.

8.2 Exclusions. Confidential Information does not include information that the Receiving Party can establish: (i) has entered the public domain without the Receiving Party’s breach of any obligation owed to the Disclosing Party; (ii) has been rightfully received by the Receiving Party from a third party without confidentiality restrictions; (iii) is known to the Receiving Party without any restriction as to use or disclosure prior to first receipt by the Receiving Party from the Disclosing Party; or (iv) has been independently developed by the Receiving Party without use of or reference to the Disclosing Party’s Confidential Information.

8.3 Disclosure Required By Law. If the Receiving Party is compelled by law or legal process to disclose Confidential Information of the Disclosing Party, it shall provide the Disclosing Party with prompt prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s expense, if the Disclosing Party wishes to contest the disclosure.

9. Warranties

9.1 Mutual. Each Party represents and warrants to the other Party: (i) it is duly organized, validly existing, and in good standing as a corporation or other entity under the laws of the jurisdiction of its incorporation or other organization; (ii) it has the full right, power, and authority to enter into and perform its obligations and grant the rights, licenses, consents, and authorizations it grants or is required to grant under this Agreement; (iii) the representative who entered into this Agreement on behalf of a Party has been duly authorized by all necessary corporate or organizational action of such Party; and (iv) this Agreement will constitute the legal, valid, and binding obligation of such Party, enforceable against such Party in accordance with its terms.

9.2 Service. Kuvio warrants that the Service will substantially conform to the specifications stated in the Agreement and the Documentation. The foregoing warranty shall not apply to the extent: (i) the Service is not being used in accordance with the Agreement and/or any Documentation; (ii) any non-conformity is caused by third party products, content or service being accessed through the Service that are identified as third party products, content or service not part of the Service (e.g. a Data Source or Data Destination); or (iii) the Service being used was provided for free (no fee) or is a trial use of the Service. Subject to Section 9.5, Customer’s sole and exclusive remedy, and Kuvio’s entire liability for breach of the limited warranty in this Section 9.2, shall be correction of the warranted non-conformity or, if Kuvio fails to correct the warranted non-conformity after using reasonable commercial efforts, Kuvio may terminate access to the non-conforming Service and refund the fees paid by Customer for the Service for the remainder of the term (starting on the date Customer reported the non-conformity).

9.3 Insurance. Kuvio is insured with financially sound and reputable insurance companies, in such amounts, with such deductibles and covering such risks as are customarily carried by companies engaged in similar businesses, providing similar services and in localities where Kuvio operates.

9.4 Viruses. Kuvio warrants that it shall exercise commercially reasonable efforts to keep the Service free of all computer viruses, Trojan horses, and comparable malicious code intended to harm the Customer’s systems (collectively, “Virus”) provided that Kuvio shall not be responsible for any such Virus that is placed on the Service by Customer or its users or any third party.

9.5 Remedies. In case of any non-conformity described in this Section 9, Customer shall provide Kuvio with prompt written notice for any non-conformity of the Service, within thirty (30) days from Customer’s discovery, or when it reasonably should have discovered, such non-conformity.

9.6 Warranty disclaimer. EXCEPT AS EXPRESSLY PROVIDED IN THE AGREEMENT, Kuvio DOES NOT MAKE ANY REPRESENTATIONS, WARRANTIES, TERMS, CONDITIONS OR STATEMENTS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE REGARDING ANY MATTER, INCLUDING THE MERCHANTABILITY, SUITABILITY, ORIGINALITY, OR FITNESS FOR A PARTICULAR USE OR PURPOSE, NON-INFRINGEMENT OR RESULTS TO BE DERIVED FROM THE USE OF OR INTEGRATION WITH THE SERVICE OR OTHER MATERIALS PROVIDED UNDER THE AGREEMENT, OR THAT THE OPERATION OF THE SERVICE WILL BE SECURE, UNINTERRUPTED OR ERROR FREE.

10. Third Party Indemnification

10.1 Claims Brought Against Customer. Kuvio shall defend (at its sole expense) Customer against claims brought against Customer by any third party alleging that Customer’s use of the Service, in accordance with the terms and conditions of the Agreement, constitutes an infringement or misappropriation of a patent claim(s), copyright, or trade secret rights or any other third party intellectual property rights. Kuvio will pay damages finally awarded against Customer with respect to such claims, and will pay reasonable attorney’s fees in connection with such defense. This obligation of Kuvio shall not apply if the alleged infringement or misappropriation results from use of the Service in conjunction with any other software or service not provided by Kuvio or in the event of free (no fee) or trial use of the Service.

10.2 Intellectual Property Claims. In the event a claim under Section 10.1 is made or in Kuvio’s reasonable opinion is likely to be made, Kuvio may, at its sole option and expense: (i) procure for Customer the right to continue using the Service under the terms of the Agreement; or (ii) replace or modify the Service to be non-infringing without material decrease in functionality. If Kuvio provides written notice to Customer that the foregoing options are not reasonably available, Kuvio or Customer may terminate the Agreement and Kuvio shall refund to Customer all prepaid fees for the remainder of its term after the date of termination.

10.3 Claims Brought Against Kuvio. Customer shall defend (at its sole expense) Kuvio and licensors against claims brought against Kuvio by any third party arising from or related to an allegation that the Customer Data used in connection with the Service violates, infringes or misappropriates the intellectual property rights of a third party. Customer will pay damages finally awarded against Kuvio with respect to such claims, and will pay reasonable attorney’s fees in connection with such defense. The foregoing shall apply regardless of whether such damage is caused by the conduct of Customer or by the conduct of a third party using Customer’s access credentials.

10.4 Conditions. The obligations under this Section 10 are conditioned on (i) the Party against whom a third party claim is brought timely notifying the other Party in writing of any such claim, provided however that a Party’s failure to provide or delay in providing such notice shall not relieve a Party of its obligations under this Section 10 except to the extent such failure or delay prejudices the defense; (ii) the Party who is obligated hereunder to defend a claim having the right to fully control the defense of such claim; and (iii) the Party against whom a third party claim is brought reasonably cooperating in the defense of such claim. Any settlement of any claim shall not include a financial or specific performance obligation on or admission of liability by the Party against whom the claim is brought, provided however that Kuvio may settle any claim on a basis requiring Kuvio to substitute for the Service any alternative substantially equivalent non-infringing service. The Party against whom a third party claim is brought may appear, at its own expense, through counsel reasonably acceptable to the Party obligated to defend claims hereunder. Neither Party shall undertake any action in response to any infringement or misappropriation, or alleged infringement or misappropriation that is prejudicial to the other Party’s rights.

10.5 Third Party Indemnification Disclaimer. THE PROVISIONS OF THIS SECTION 10 STATE THE SOLE, EXCLUSIVE AND ENTIRE LIABILITY OF A PARTY TO THE OTHER PARTY, AND IS THE OTHER PARTY’S SOLE REMEDY, WITH RESPECT TO THIRD PARTY CLAIMS COVERED HEREUNDER AND TO THE INFRINGEMENT OR MISAPPROPRIATION OF THIRD-PARTY INTELLECTUAL PROPERTY RIGHTS.

11. Term and termination

11.1 Term. The term of the Agreement shall begin on the Effective Date and shall continue for the subscription period designated in the Order, including any renewals, or if no subscription period is designated in the Order, until terminated by one of the Parties. If a subscription period is designated in the Order, the term will renew automatically on the last day of each subscription period for an additional time period corresponding to the prior subscription period.

11.2 Termination for Cause. Kuvio may terminate the Agreement (including without limitation Customer’s access to the Service) without advance notice if Customer fails to pay applicable fees when due. Either Party may terminate the Agreement for any other material breach by the other Party via written notice, effective in thirty (30) days unless the other Party within such time period cures such breach.

11.3 Termination without Cause. Either Party may terminate the Agreement without cause by providing notice of termination at least thirty (30) days prior to the end of the then-current subscription period, or if no subscription period is designated in the Order, by providing notice at least thirty (30) days (or as otherwise specified in the Order) prior to termination. 

11.4 Effects of Termination. Upon termination of the Agreement, Customer shall cease all use of the Service and delete, destroy, or return all copies of the Documentation in its possession or control.

11.5 Surviving Sections. The following provisions shall survive termination or expiration of the Agreement: (i) Section 3.2 Restrictions; (ii) Section 6 Ownership of Intellectual Property Rights; (iii) Section 7 Fees and Payment; (iv) Section 8 Confidentiality; (v) Section 9 Warranties; (vi) Section 10 Third Party Indemnification; (vii) Section 11.5 Surviving Sections; (viii) Section 12 Limitation of Liability; (ix) Section 14 Dispute Resolution; and (x) any other provision of the Agreement that must survive to fulfill its essential purpose.

12. Limitation of liability

12.1 Death or Personal Injury. Nothing in the Agreement shall limit or exclude either Party’s liability for death or personal injury caused by its negligence; or for fraud or fraudulent misrepresentation; or any other liability that may not be excluded or limited by law.

12.2 Exclusion of Liability. SUBJECT TO SECTION 12.1, AND EXCLUDING GROSS NEGLIGENCE, IN NO EVENT SHALL A PARTY BE LIABLE TO THE OTHER PARTY, OR TO ANY THIRD PARTY FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR EXEMPLARY DAMAGES, WHETHER FORESEEABLE OR UNFORESEEABLE (INCLUDING DAMAGES FOR LOSS OF DATA, GOODWILL, DIRECT OR INDIRECT PROFITS, INVESTMENTS; INTERRUPTION IN USE OR AVAILABILITY OF DATA; STOPPAGE OF OTHER WORK OR IMPAIRMENT OF OTHER ASSETS), EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, ARISING OUT OF (I) THE PERFORMANCE OR NON-PERFORMANCE OF THE AGREEMENT OR THE SERVICE PROVIDED HEREUNDER, OR (II) ANY CLAIM, CAUSE OF ACTION, BREACH OF CONTRACT OR ANY EXPRESS OR IMPLIED WARRANTY, UNDER THE AGREEMENT OR OTHERWISE, MISREPRESENTATION, NEGLIGENCE, STRICT LIABILITY OR OTHER TORT. If the Order includes a free trial or other period during which the Service is provided free of charge (“Trial Period”), then the following terms apply for the Trial Period: NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, DURING THE FREE TRIAL PERIOD THE SERVICE IS PROVIDED “AS-IS” WITHOUT ANY WARRANTY AND Kuvio SHALL HAVE NO INDEMNIFICATION OBLIGATIONS NOR LIABILITY OF ANY TYPE WITH RESPECT TO THE SERVICE FOR THE FREE TRIAL PERIOD UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW IN WHICH CASE Kuvio’S LIABILITY WITH RESPECT TO THE SERVICE PROVIDED DURING THE FREE TRIAL PERIOD SHALL NOT EXCEED $100.

12.3 General Limitation of Liability. Subject to Section 12.1, 12.2, and excluding Section 7 Fees and Payment or any other liability which cannot be excluded or limited by applicable law, the aggregate liability of each Party to the other Party, or any third party in connection with the Agreement, shall not exceed the annual fees payable for the Service under the Agreement.

12.4 Allocation of Risks. The provisions of the Agreement allocate the risks between Kuvio and Customer. The Service fees reflect this allocation of risk and limitations of liability herein. The aforementioned liability limitations shall include any claims against employees of, subcontractors of, or any other persons authorised by either Party.

13. Miscellaneous

13.1 No Partnership. The Parties are independent contractors, and no partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties is created hereby. Notwithstanding any other provision in the Agreement, nothing in the Agreement shall create or confer (whether expressly or by implication) any rights or other benefits in favour of any person not a party hereto.

13.2 Collaboration Partners and Publicity. Customer agrees to Kuvio sharing Customer being a customer of Kuvio’s with Kuvio’s collaboration partners, subject to appropriate confidentiality provisions. Further, and provided that a Party complies with any trademark usage requirements notified to it by the other Party, each Party may refer to the other Party as a customer (for Kuvio) and a vendor (for Customer) and use the other Party’s logo as part of such reference. Upon execution of the Agreement, Kuvio may either (i) issue a press release announcing the relationship between Kuvio and Customer; or (ii) submit a joint press release to Customer for Customer’s approval, such approval not to be unreasonably withheld or delayed. Customer agrees to be a reference account for Kuvio, provided however that Kuvio will provide Customer with reasonable notice and obtain Customer’s consent before scheduling any reference calls.

13.3 Non-solicitation of personnel. During the term of the Agreement, and for a period of twelve (12) months thereafter, neither Party will, without the prior written consent of the other, directly or indirectly solicit, hire or employ any employee or individual independent contractor of the other Party who has been involved in the provision of the Service during the preceding year to become an employee or individual independent contractor of the other. Nothing in this Section 13.3 will make a Party liable for general solicitations in the media or on the Internet.

13.4 Force majeure. Any delay or non-performance of any provision of the Agreement caused by conditions beyond the reasonable control of the performing Party (force majeure) shall not constitute a breach of the Agreement, and the time for performance of such provision, if any, shall be deemed to be extended for a period equal to the duration of the conditions preventing performance.

13.5 Severability, invalidity. To the extent permitted by applicable law, the Parties hereby waive any provision of law that would render any Section of the Agreement invalid or otherwise unenforceable in any respect. In the event that a provision of the Agreement is held to be invalid or otherwise unenforceable, such provision will be interpreted to fulfil its intended purpose to the maximum extent permitted by applicable law, and the remaining provisions of the Agreement will continue in full force and effect.

13.6 Waiver. Neither Party will be deemed to have waived any of its rights under the Agreement by lapse of time or by any statement or representation other than by an authorized representative in an explicit written waiver. No waiver of a breach of the Agreement will constitute a waiver of any other breach of the Agreement.

13.7 Construction. The Parties agree that the terms of the Agreement result from negotiations between them. The Agreement will not be construed in favor of or against either Party by reason of authorship.

13.8 Execution of the Order. The Order shall be signed in two counterparts, each of which shall be deemed an original and which shall together constitute one Order. An Order may also be executed electronically. Signatures sent by electronic means (facsimile or scanned and sent via email, or signed by electronic signature service where legally permitted) shall be deemed original signatures.

13.9 Assignment. Neither Party may assign any of its rights or obligations under the Agreement without the prior written consent of the other, which will not be unreasonably withheld, conditioned or delayed, however Kuvio may assign or delegate some or all of its rights and obligations under the Agreement to any of its affiliates, or to an entity as part of a corporate reorganization, or upon a change of control, consolidation, merger, sale of all or substantially all of its business or assets related to the Agreement, or a similar transaction or series of transactions. Subject to the foregoing restriction on assignment by Customer, the Agreement will be binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns.

13.10 Subcontractors. Kuvio shall be entitled to engage subcontractors for the provision of the Service without Customer’s prior consent, and shall be liable for all acts and omissions of subcontractors, as for its own acts and omissions. In respect of processing of personal data, Section 5 applies.

13.11 Entire agreement. The Agreement constitutes the complete and exclusive statement of the agreement between Kuvio and Customer in connection with the Parties’ business relationship related to the subject matter hereof, and all previous representations, discussions, and writings (including any confidentiality agreements) are merged in, and superseded by the Agreement and the Parties disclaim any reliance on any such representations, discussions and writings. The Agreement shall prevail over any additional, conflicting, or inconsistent terms and conditions, which may appear on any purchase order furnished by Customer, and any additional terms and conditions in any such purchase order shall have no force and effect, notwithstanding Kuvio’s acceptance or execution of such purchase order.

13.12 Amendment. Kuvio may amend the General Terms from time to time by posting the amended version of the General Terms at its website. Such amended General Terms shall be deemed accepted and become effective:

13.12.1 upon posting thereof where the amendments to the General Terms are made to comply with mandatory law; and

13.12.2 as of the beginning of the next subscription period after the posting thereof for other amendments to the General Terms than such described in Section 13.12.1, 

which shall be considered confirmed by Customer’s continued use of the Service following the posting of the amended General Terms.

13.13 Notices. Any notice required to be given by either Party in writing under the Agreement shall be deemed to have been duly received (i) on the day of delivery, if delivered personally; (ii) on the date of confirmation of receipt from the notified Party, if sent by email (iii) on the second working day after sending, if sent by reputable overnight courier (with delivery receipt obtained); or (iv) on the fifth working day after sending, if sent by registered or certified mail, to the address or email address of the recipient set forth in the Order (or to such other address or email address of the recipient notified to the sender by the recipient for the purpose of the Agreement).

14. Dispute Resolution

14.1 Governing law and jurisdiction. Subject to Section 14.2, the Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be interpreted, construed and enforced in all respects in accordance with Swedish law, without regard to its conflict of law principles

14.2 Settlement by good-faith discussions. All disputes arising out of or in connection with the Agreement shall be attempted to be settled by good-faith negotiations between senior management of both Parties. Such negotiations shall commence within two weeks from the date of written request from a Party to the other. In the event that negotiations do not result in a resolution of the dispute within one (1) month from said written request, a Party may proceed to dispute resolution as set forth below. Both Parties agree and acknowledge that that the commencement of such dispute resolution process shall not relieve either Party from its continued duties and obligations under the Agreement, including but not limited to any payments due.

14.3 Disputes. Any dispute, controversy or claim arising out of or in connection with the Agreement, or the breach, termination or invalidity thereof, which has not been resolved amicably as set forth in Section 14.2, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce. The arbitral tribunal shall be composed of three arbitrators. The seat of arbitration shall be Stockholm, Sweden. The language to be used in the proceedings shall be English. The arbitration award shall be final and binding upon the Parties.

14.4 Confidentiality. The confidentiality undertaking in Section 8 shall apply to any arbitration process or court proceedings hereunder, including any award or judgement.

SCHEDULE A

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) is an appendix to the Kuvio General Terms.

GENERAL

The EU General Data Protection Regulation 2016/679 (“GDPR”) requires a written agreement between a Controller and a Processor (as defined by the GDPR) in order to allow the Processing of Personal Data by the Processor on behalf of the Controller. For this reason, the parties have agreed to enter into this Data Processing Agreement (“DPA”). The GDPR, any other EU member state privacy or data protection law are hereafter referred to as “Data Protection Law”.

This DPA shall apply to all Processing of Personal Data by the Processor on behalf of the Controller under the  Agreement entered into between the parties on 1 September 2021 and any agreement amending, supplementing, extending or replacing the  Agreement and any orders for products and/or services placed thereunder.

For the purposes of this DPA and as between them, Customer is, or shall be regarded as, a controller of the Personal Data and Kuvio is, or shall be regarded as, a processor of the Personal Data.

In the event of conflicting terms between this DPA and the Agreement, this DPA shall prevail.

1. DEFINITIONS

1.1   “Personal Data” means any information relating to an identified or identifiable natural person, including an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

1.2   “Data Subject” means a natural person who can be identified, directly or indirectly, by the Personal Data.

1.3   “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

1.4   “Processing” or ”to Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.5   “Sub-processor” means any third party engaged by the Processor, or its Sub-processor, to Process Personal Data on behalf of the Controller.

1.6   “SCC” means either the standard contractual clauses adopted by the European Commission implementing decision 2010/87/EC, the standard contractual clauses adopted by European Commission implementing decision 2021/3972 (Module 3) (repealing the former decision) or any other clauses amending or replacing the latter.

1.7   “EEA” means member state countries of the European Union and countries of the European Economic Area.

1.8   To the extent the terms and definitions in this DPA are defined in GDPR they shall be interpreted in accordance with the definition in GDPR. In the event of conflicting definitions between the definitions in this DPA and the definitions in GDPR, the definitions in GDPR shall prevail.

2. DATA PROCESSING

2.1   The Processor agrees to comply with Data Protection Law, and with any other laws applicable to the Processor to the extent it is not in conflict with Data Protection Law. At regular intervals the Processor shall assess whether any laws applicable to the Processor are in conflict with this DPA.

2.2   The Processor shall only Process Personal Data in accordance with this DPA or any other documented instructions provided by the Controller. If EU or EU member state law imposes additional processing requirements, the Processor shall inform the Controller of such legal requirements before Processing, unless prohibited by applicable law on important grounds of public interest.

2.3   If the Processor lacks instructions which the Processor deems necessary in order to carry out an assignment from the Controller, or if the Controller’s instructions infringe Data Protection Law or other applicable law, the Processor shall notify the Controller without undue delay and await the Controller’s further instructions. 

2.4   The Processor shall enable the Controller to access, rectify, erase, restrict and transmit the Personal Data Processed by the Processor. The Processor shall comply with any instruction related to the above without undue delay and in any event within 14 calendar days. If the Controller erases, or instructs the Processor to erase, any Personal Data held by the Processor, the Processor shall ensure that the Personal Data is erased so that it cannot be recreated by any party.

2.5   The Processor shall notify the Controller without undue delay about any events or other circumstances likely to have an adverse effect on Processor’s ability to fulfill its obligations under this DPA, including SCC, whenever applicable.

2.6   The Processor shall notify the Controller without undue delay as to any contacts with a supervisory authority, concerning or of significance for, the Processing of Personal Data carried out on behalf of the Controller. The Processor may not represent the Controller, nor act on the Controller’s behalf, against any supervisory authority or other third party.

2.7   The Processor shall assist the Controller in its contacts with any supervisory authority, including, upon the Controller’s instruction, by providing any information requested by the supervisory authority. For the avoidance of doubt, the Processor may not disclose Personal Data or any information on the Processing of Personal Data without explicit instructions from the Controller.

2.8   If a Data Subject requests information from the Processor concerning the Processing of Personal Data, the Processor shall forward the request to the Controller and assist the Controller in responding to such request as obliged by Data Protection Law. The Processor shall assist the Controller by appropriate technical and organisational measures, taking into account the nature of the Processing.

2.9   The Processor shall impose adequate contractual obligations regarding confidentiality and security upon its personnel which have been authorised to Process Personal Data.

2.10 The Processor shall assist the Controller in ensuring compliance with the Controller’s obligations under Data Protection Law, e.g. assist with security measures, data protection impact assessments (including prior consultation), and in situations involving Personal Data Breach.

2.11 The Processor shall maintain a record of all Processing activities carried out on behalf of the Controller. Upon the Controller’s request, the Processor shall promptly make the record available to the Controller in a generally readable electronic format, including as a minimum the following information:

  1. the name and contact details of the Processor, its authorized representatives, and if applicable, the Data Protection Officer (as defined in Data Protection Law) of the Processor;

  2. where applicable, the name and contact details of any Sub-processor, its authorized representative, and Data Protection Officer of the Sub-processor;

  3. the actual Processing activities carried out by the Processor and/or Sub-processor on behalf of the Controller;

  4. where applicable, transfers of Personal Data to a third country including the identification of that third country and suitable safeguards employed to ensure an adequate level of protection of the Data Subject; and

  5. a general description of the technical and organisational measures employed to ensure an appropriate level of security.

3. SECURITY

3.1   The Processor, shall implement appropriate technical and organisational security measures, to ensure the confidentiality, integrity and availability of Personal Data and the robustness and resilience of the processing systems and services in use for the processing of Personal Data under this DPA. The Processor shall in particular protect Personal Data from unauthorized disclosure by using pseudonymization and encryption techniques whenever such safeguards are available and appropriate. 

3.2   The Processor shall observe relevant codes of conduct, industry best practice, and guidelines issued or approved by supervisory authorities and at least implement a process for regularly testing, assessing and evaluating the effectiveness of any measures taken as described in Clause 3.1. 

3.3   The Processor shall notify the Controller, in writing, without undue delay after the Processor has or should have become aware of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. Additionally, the Processor shall whenever possible restore the confidentiality, availability and access to Personal Data without undue delay, unless other measures are agreed between the parties.

3.4   The Processor must be able to verify its compliance with this DPA and Data Protection Law and shall maintain adequate documentation verifying fulfillment of its obligations hereunder. Further, the Controller, or a third party approved by the Controller, may conduct audits to ensure that the Processor is complying with this DPA and Data Protection Law. The Processor shall, upon the Controller’s request and without undue delay, provide necessary assistance and allow inspection of any relevant documentation and, to the extent such documentation is not deemed sufficient, its Processing facilities. Each Party shall bear its own costs related to the audit.

4. SUB-PROCESSING

4.1   Subject to the provisions below, the Controller hereby gives the Processor a general consent to engage Sub-processors for Processing of Personal Data on behalf of the Controller. The Processor shall inform the Controller before transferring any Personal Data to a new Sub-processor. Following receipt of such information the Controller shall notify the Processor if it objects to the new Sub-processor. If the Controller does not object to the Sub-processor within 30 days of receiving the information, the Controller shall be deemed to have accepted the Sub-processor. If the Controller has raised a reasonable objection to the new Sub-processor, and the parties have failed to agree on a solution within reasonable time, the Controller shall have the right to terminate this DPA and any contract relating to the Processing with a notice period determined by the Controller, without prejudice to any other remedies available under law or contract. During the termination period, the Processor is not allowed to transfer any Personal Data to the Sub-processor.

4.2   The Processor warrants that it has used reasonable efforts to determine that a Sub-processor is able, through the implementation of appropriate technical, organisational and contractual measures, to satisfy its obligations under the processing agreement with the Processor and Data Protection Law.

4.3   The Processor shall enter into appropriate written agreements with all of its Sub-processors on terms corresponding to this DPA, including without limitation, the Controller’s right to conduct supplementary audits on the Sub-processor in accordance with Section 3.4 above. The Processor shall remain fully liable to the Controller for the performance or non-performance of the Sub-processor’s obligations.

4.4   Upon the Controller’s request, the Processor is obliged to provide information regarding any Sub-processor, including name, address and the Processing carried out by the Sub-processor.

5. DISCLOSURE REQUESTS BY PUBLIC AUTHORITIES

5.1   The Processor shall not disclose Personal Data to any public authority, agency or other third party (each a “Public Authority”), unless the Processor receives a civil or criminal subpoena, warrant, or other official and written request which (a) is issued by a Public Authority with the authority and jurisdiction to demand the disclosure, (b) is legally binding on the Processor and requires the Processor to disclose Personal Data in response thereto, and (c) not contradictory to Data Protection Law (a “Disclosure Request”).

5.2   If the Processor is contacted by a Public Authority with a Disclosure Request, Processor shall:

  1. attempt to redirect the Requesting Authority to request that Personal Data directly from the Controller instead;

  2. promptly notify the Controller by submitting an incident notification for Personal Data Breach according to Section 8 with a copy of the Disclosure Request, unless legally prohibited from doing so;

  3. review the Disclosure Request to determine whether it is valid and if the Processor has a legal requirement to disclose Personal Data; and

  4. assert its legal rights, including to resist and narrow the demand by taking available remedies with reasonable prospect of success, and/or seek a stay from enforcement of the Disclosure Request.

5.3   In the event the Processor is notified by the Public Authority issuing a Disclosure Request that the Processor is prohibited by law from giving notice to Controller of the Disclosure Request, the Processor will use best efforts to relieve itself of any such prohibition, limited by prospect of success, so that it may fully disclose such Disclosure Request to the Controller and coordinate with the Controller in responding to the Disclosure Request. In any case, the Processor will provide notice to the Controller of the Disclosure Request immediately as soon as legally permissible.

5.4   In no event shall the Processor provide any Public Authority.

  1. direct or indirect access to Personal Data;

  2. encryption keys used to secure Personal Data or the ability to break such encryption; or

  3. access to Personal Data if the Processor is aware that the Personal Data is to be used for purposes other than those stated in the Disclosure Request,

unless such access is based on EU or EU Member State laws, legally binding on the Processor.

5.5   In support of the above, Processor may provide to the Requesting Authority, Controller’s basic contact information used for incident notifications referred to in Clause 8.1 

6. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA

6.1   Any transfer of Personal Data to a third country by the Processor shall be done only on the basis of documented instructions from the Controller or in order to fulfil a specific requirement under EU or Member State law to which the processor is subject and shall take place in compliance with Data Protection Law.

6.2   The Controller agrees that where the Processor engages a Sub-processor in accordance with Clause 4, for carrying out specific Processing activities (on behalf of the Controller) and those Processing activities involve a transfer of Personal Data within the meaning of Data Protection Law, the Processor and the Sub-processor shall ensure compliance with Data Protection Law by using SCC, provided the conditions for the use of SCC are met. 

6.3   If and to the extent this DPA and the SCC are inconsistent, the provisions of the applicable SCC shall prevail.

7. LIABILITY

7.1   If the Processor Processes Personal Data in breach of the Controller’s lawful instructions, this DPA or Data Protection Law, the Processor shall fully indemnify and hold the Controller harmless for any loss, cost or damage, including but not limited to claims by a Data Subject, administrative fines or any other financial penalties imposed by supervisory authorities or other competent authorities, due to the Processor’s (or its Sub-processors’) Processing of Personal Data. 

7.2   In case of claims by a Data Subject, administrative fines or any other financial penalties imposed by supervisory authorities or other competent authorities, the Controller shall, where this would not jeopardize the Controller’s defense: (a) notify the Processor promptly in writing of any such potential or pending claims or penalties; (b) use reasonable endeavors to reduce or avoid such claims or penalties; (c) allow the Processor to comment on any response, settlement, defense or appeal in relation to such claim; and (d) to a reasonable extent provide the Processor with information in relation to the same. For the sake of clarity, the Controller will not be bound by any recommendations made by the Processor.

8. INCIDENT NOTIFICATION

8.1   Kuvio shall notify Customer of any personal data breach involving the Personal Data that it becomes aware of without undue delay, and in any case, never later than 48 hours after Kuvio becomes aware of the personal data breach. All such notifications shall be made at Kuvio’s discretion by a phone call or email to Customer representative that Kuvio regularly liaises with, or such privacy contact person notified to Kuvio by Customer.

8.2   The notification shall be as specific as possible and at least include all information available to the Processor regarding the Personal Data Breach set out in Article 33.3 GDPR including, to the best of the Processor’s knowledge, (i) which systems or processes that are affected, (ii) the country where the breach is noted and observed, (iii) the country where the data is Processed, and (iv) the nationality of the Data Subjects affected. The notification may not include any Personal Data related to the Data Subject(s) affected by the Personal Data Breach. 

9. TERM

9.1   Upon termination or expiry of the services relating to the Processing, the Processor shall submit all Personal Data to the Controller on a medium as reasonably requested by the Controller. The Processor shall thereafter, in accordance with the provisions on erasure in Section 2.4, ensure that there is no Personal Data remaining with the Processor or any of its Sub-processors. 

9.2   This DPA is applicable from the date of its execution and until all Personal Data is erased in accordance with Section 9.1 above.

10. DISPUTE RESOLUTION

10.1 This DPA shall be governed by law in the jurisdiction where the Controller is domiciled.

10.2 Any dispute, controversy or claim arising out of, or in connection with this DPA, or the breach, termination or invalidity hereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce. The arbitral tribunal shall be composed of three arbitrators. The seat of the arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English.

SCHEDULE 1

Data Processing Agreement

ANNEX I

DESCRIPTION OF THE PROCESSING OF PERSONAL DATA

Under Data Protection Law, the Processor shall only Process Personal Data in accordance with Controller’s documented instructions, as regulated in the DPA. This document forms part of the Controller’s instructions, directing the Processor on the scope, nature, and purpose when Processing Personal Data on behalf of the Controller. 

1. SCOPE OF PROCESSING

The Processor shall Process Personal Data hereunder within the scope of any purchase orders or similar agreements that the Processor and the Controller enter.

2. PURPOSE OF PROCESSING.

The Processor shall only be allowed to Process Personal Data on behalf of the Controller for the purpose of making analysis on aggregated data which have been shared by the Controller. The Processor will provide insights concluded from the data in order to improve the marketing efficiency for the Controller. The Processor will receive the data via a CSV file that the Controller will upload to the Processors system and/or by adding a javascript on the Controller's website. The Processor does not place any cookies in the Controller's website visitors browsers. The Processor will make the analysis based on already collected cookie data by the Controller and the CSV file sent by the Controller. 

3. CATEGORIES OF DATA SUBJECTS

-   Customers (current, former and potential)

4. TYPES OF PERSONAL DATA

-   Order number

-   Buying history

-   Cookie data that’s already been collected from the Controllers sites, such as cookie data from Google and Facebook. No other data will be collected in the form of cookies by the Processor. A CSV file will be sent to the Processor with purchase information

5. PROCESSING ACTIVITIES

-   Collection

-   Registration

-   Organisation

-   Structuring

-   Storing

-   Accessing, reading or consultation

-   Use

-   Disclosure by transmission

-   Alignment or combination

-   Erasure or destruction

6. DURATION OF PROCESSING

Personal Data shall not be Processed for a period longer than is necessary for serving its purpose. The duration of all Processing operations shall be during agreement period.

7. DATA SUBJECT RIGHTS

Data subjects rights will not be executed by the Processor, as the Processor is processing a copy of the personal data originally held by the Controller and with only indirect related personal data. However, the Controller is still having the right to access, rectify, erase, restrict and transmit the data whenever needed and upon request. The Processor shall immediately act on Controllers request and the latest within 72hours from such request. The Controller shall send the request in writing, to the Processor.

8. SUB-PROCESSING

Name of Sub-processor: Amazon Web Services

Company details: Amazon Web Services EMEA SARL

Subject matter: Cloud computing

Nature of processing: ETL/Extract, Transform, Load), CRUD (Create, Read, Update, Delete), reporting and sync to third-party marketing platforms (e.g. Facebook and Google)

Duration: During the contract period

ANNEX II

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES PURSUANT TO  ARTICLE 32-34 OF GDPR

Measures for ensuring ongoing confidentiality, integrity, availability of data

  • Controller: Controller shall provide historic order data securely

  • Processor: Processor shall be responsible for sufficient redundancy, compartmentalization and security.

Measures of pseudonymisation and encryption of personal data

  • Controller: Controller will only share pseudonymized data to Processor.

Measures for ensuring  resilience of processing systems and services

  • Processor: Make sure that the Controllers data is kept in a safe and secure environment.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

  • Controller: Controller to review the process as part of the normal audit/reviewing framework.

  • Processor: Processor shall aid controller in this process

Measures for user identification and authorisation

  • Controller: Make sure only relevant resources from Processor have access to the file.

  • Processor: Only request access to resources that need access to fulfill the purpose.

Measures for the protection of data during transmission

  • Processor: Ingestion of historic data and/or variables such as COGS, shippingMethod shall happen using hashed .csv files which are password protected. Live data is collected from frontend using a graphQL api endpoint.

Measures for the protection of data during storage

  • Processor: Data is stored in HA Multi-AZ RDS instances that are encrypted with AES-256

Measures for ensuring physical security of locations at which personal data are processed

  • Processor: The data is stored in AWS facilities in Frankfurt. The information is accessed solely by authorized persons at approved upon locations.