1. Netop General Terms & Conditions
These Netop General Terms & Conditions (“GT&C”) apply and are valid for any and all transactions with purchases of services from Netop Solutions A/S or any affiliated company to Netop Solutions A/S as further set out and defined in www.netop.com/legal/group-structure.
The GT&C’s will apply for any customer having ordered, purchased, or taken delivery of services from Netop, hereunder the Services identified in the Order Form to which these GT&C have been attached.
The GT&C’s are part of modular contract terms that governs and defines terms of any contractual relationship between any Netop entity as set out in any specific terms, order form or other product or service terms and you as customer (“Customer”).
The full contractual relation and agreement consists of the specific contract documents numerated in any specific agreement or order and consists of one or more of the following components as set out in a specific individual order confirmation:
Order Form
Order, document or agreement that includes order, individual and/or specific service confirmation and acceptance of the formation of the Agreement.
General Terms & Conditions (GT&C);
These GT&C applicable to all cases and all purchases of Services or other supplies from Netop (as the case may be).
End User License Agreement (EULA):
Applicable to your commercial and non-commercial right of usage of the Services and available at www.netop.com/legal/EULA.
Acceptable Use Policy (AUP)
Applicable to your usage of the Services and setting out prohibited use of the Services and available at www.netop.com/legal/AUP.
Data Processing Agreement (Standard Contracting Clauses)
Applicable to Customers that are subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), including national implementation, or other Data Protection Legislation as data controllers and available at www.netop.com/legal/DPA.
2. ACCEPTANCE OF TERMS/ FORMATION OF AGREEMENT
An Agreement between Netop Business Solutions A/S or a Netop Company and Customer pursuant to these GT&C’s shall be deemed to be formed, if Netop issues a binding quote to Customer and Customer accepts the quote within the prescribed time period set out in the quote or, if no time period is specified, within twenty-one (21) days after issuance date; (ii) Customer and Netop enter into an order document or other form of contractual document; or (iv) in the case of a free-of-charge instance (i.e., Free Version, Trial License), when Customers downloads the Software (defined below).
The contractual details as agreed in the individual transaction documents as per processes described above and these GT&C’s and any exhibit, schedule and/or other addenda shall together form the “Agreement”.
YOUR CONTINUED USE OF THE SERVICES IS SUBJECT TO THE TERMS OF THESE GT&C’s. BY SIGNING THE ORDER OR ACCESSING AND/OR CONTINUING TO USE THE SERVICES YOU AGREE TO BE BOUND BY IT TO THE EXCLUSION OF ALL OTHER TERMS.
3. Defined Terms
The following words, when capitalized, have the meaning stated:
“Affiliate” means any legal entity that a party owns, that owns a party, or is under its common ownership. “Ownership” means, for the purposes of this definition, control of more than a fifty percent interest in an entity.
“Agreement” means any applicable order or other addenda, which together with these GT&C, EULA, Acceptable Use Policy and Data Processing Agreement (as the case may be) governs the provision of Services.
“Business Day” means Monday through Friday, excluding public holidays in the United States.
“Confidential Information” means non- public information disclosed by one party to the other in any form that: (i) is designated as “Confidential”; (ii) a reasonable person knows or reasonably should understand to be confidential; or (iii) includes either party’s products, customers, marketing and promotions, know-how, or the negotiated terms of the Agreement; and which is not independently developed by the other party, without reference to the other’s Confidential Information or otherwise known to the other party on a non-confidential basis prior to disclosure.
“Customer Data” means all data, including Personal Data, which Customer has directly entered or stored into the Services on its own or via its employees, students, or users.
“Data Protection Legislation” means all laws and regulations applicable to the processing of Personal Data under the GT&C, including U.S. Privacy Laws and laws and regulations of (a) the European Union, the European Economic Area and their member states, including, without limitation, where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction including, without limitation, (i) the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), (ii) the EU e-Privacy Directive (Directive 2002/58/EC), (iii) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No45/2001, and (iv) any national implementing laws, Switzerland, including, without limitation, Swiss Federal Act on Data Protection and implementing regulations, (b) the United Kingdom, including, without limitation, (i) the GDPR as applicable as part of UK domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by Data Protection, (ii) Privacy and Electronic Communications (EU Exit) Regulations 2019 (the “UK GDPR”), (iii) the UK Data Protection Act of 2018.
“Deliverables” means the tangible or intangible materials which are prepared for your use in the course of performing the Services (specifically excluding Device Agents).
“Device Agents” means any end-user or per-device software or agents provided by Netop to be used in conjunction with the Services.
“Intellectual Property” means patents, copyrights, trademarks, trade secrets, domain names, database rights, and any other proprietary intellectual property rights, in each case whether registered or unregistered and including all applications (or rights to apply) for, and renewal or extensions of, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.
“Netop” or “we” means Netop Solutions A/S or a Netop Company identified in the Order, or, if none is identified: 1. If your billing address is within the United States, Canada or Mexico it means Netop Tech Inc. 2. If your billing address is outside the United States, Canada or Mexico it means Netop Business Solutions A/S.
“Netop Companies” means: all the entities identified as Netop Companies listed within the organization structure available at www.netop.com/legal/group-structure.
“Netop Group” means Impala Bidco Limited t/a Netop, a company incorporated in England and Wales with registration number 10878303, registered at Seventh Floor, East West, Tollhouse Hill, Nottingham, NG1 5FS, United Kingdom and its Affiliates consisting of Impala/Impero companies and Netop Companies as identified at www.netop.com/legal/group-structure.
“Netop Platform” means the online host panel, if the Order agrees to a host panel provided and hosted by Netop as part of the Services.
“Order” or “Order Form” means the document which describes the Services provided pursuant to this Agreement, including any online Order, process, or tool through which you request or provision Services or any other notice of written acceptance of an offer to purchase the Services under the conditions of this GT&C.
“Personal Data” means all data that is related to an identified or identifiable individual within the meaning of Data Protection Legislation.
“Representatives” means a party’s respective service providers, officers, directors, employees, contractors, Affiliates, suppliers, and agents.
“Services” means the Netop services (including any software, Deliverables and Device Agent) identified in a given Order or otherwise provided subject to the terms of this Agreement, including access to the Netop Platform.
“User Device” means any host device, individual computer or mobile device of any type which is used by Customer or its students, employees, or users in its IT-environment in connection with the Services.
“Use Limits” means any limitations, including any maximum permitted use metrics relating to the maximum number of Guest, maximum number of User Devices and maximum number of users of the Netop Platform, placed on the use of the Services by Netop as set out in the Order.
“U.S. Privacy Laws” means all applicable data privacy or data protection laws of the United States and each States governing Personal Data, including, but not limited to, California Consumer Privacy Act of 2018, as amended by the California Privacy Right Act of 2020 (“CCPA”), Texas Data Privacy and Security Act (2023 H.B. 4, 88 Reg. Sess (Tex. 2023)), Indiana Consumer Data Protection Act of 2023 (Ind. Code § 24-14 (20023)), the Colorado Privacy Act (Colo. Rev. Stat. §§ 6-1-1301 et seq. and Colo Code Regs. Tit 4 §§904-3 et seq.), the Connecticut Data Privacy Act (Conn. Gen. Stat §§ 42-515 et seq.), Delaware Personal Data Privacy Act (DE HB154), Florida Digital Bill of Rights (Fla. Stat. §§501.701 et seq.), Indiana Consumer Data Protection Act of 2023 (Ind. Code § 24-14 (20023)), Iowa Consumer Data Protection Act (Iowa Code §§ 715D.1 et seq.), Kentucky Consumer Data Protection Act (24RS HB 15), Maryland Online Data Privacy Act (MD SB 541), Massachusetts’ Standards for the Protection of Personal Information of Residents of the Common-wealth (201 CM 17: M.G.L. c. 93H), Minnesota Consumer Data Privacy Act (MN HF 4757), Montana Consumer Data Privacy Act (Mont. Code. Ann. §30-14 (2023)), Nebraska Data Privacy Act (L.B. 1074), New Hampshire Privacy Act (NH S.B. 255-FN), New Jersey Data Privacy Act (NJ S.B. 332) , Oregon Consumer Privacy Act (OR 2023 S.B. 619), Tennessee Information Protection Act (Tenn. Code Ann. §§ 47-18-3210 et seq.), Texas Data Privacy and Security Act (2023 H.B. 4, 88 Reg. Sess (Tex. 2023)), the Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 et seq.), the Virginia Consumer Data Protection Act (Va. Code Ann. §§ 59.1- 571 et seq.), and the Washington My Health My Data Act (RCW §§ 19.373.005 et seq.).
4. Services
4.1. General. Netop will provide the Services in accordance with the Agreement and all laws applicable to Netop. Customer must utilize the Services in accordance with any documentation provided by Netop.
4.2. Use Limits. Customers may use the Services for explicitly permitted purposes only, in accordance with all laws applicable to Customer, and may not resell the Services unless explicitly agreed to by Netop in writing.
4.3. Device Agents. During the term of the Agreement, Customer may use any software provided by Netop as part of the Services and may install Device Agents on its users’ systems as necessary to receive the benefit of the Services. Device Agents may be subject to additional terms, including third-party terms applicable to use of app stores for mobile devices and any network service provider terms. Customer is responsible for all use of Device Agents in connection with the Services. Fees for Device Agents will be specified on the Order where applicable.
4.4. Support and Maintenance. Netop will provide support only to those individuals designated in your account and is not required to provide any support directly to your users. Customer must report any errors in the Services to Netop. Following Netop’s receipt of report on errors, Netop shall strive to the best of its ability to fix errors and/or implement improvements in later, new versions of the software in accordance with its usual procedures.
4.5. New versions of the Service. Netop may at its discretion make new versions, enhancements, security patches and other patches of the Services available to Customer, and Customer must ensure that the improved current version of the Services is installed in its operating environment. Netop is not obliged to fix errors in previous version and to provide support and/or perform maintenance work on versions of the Services that are more than two versions behind the latest version of the Services or as stated in the release note pertaining to the latest improved version of the Services.
4.6. Representation and Warranties. To the extent Customer has installed the newest version of the Services, Netop represents and warrants to Customer that the Services are in accordance with generally recognized industry standards for similar services, and Netop will devote adequate resources to meet its obligations under this Agreement. Netop further represents and warrants it has the full right, power, and authority to enter into and perform its obligations to this Agreement, and the execution of the Agreement by the individual whose signature is set forth in the Order has been duly authorized by all necessary corporate or organization action.
5. CUSTOMER OBLIGATIONS
5.1. General. You must cooperate with Netop’s reasonable investigation of outages, security problems, and any suspected breach of the Agreement. You are responsible for keeping your account information and permissions current and secure. You agree that your use of the Services will comply with the Acceptable Use Policy.
5.2. Delivery and Installation. Netop shall only install the Services and other Deliverables in your operating environment if this has expressly been agreed in the Order Form. If no agreements have been made, you must install, organize, parameterize and tune the Services and other Deliverables to enable it to function in your operating environment.
Customer is entitled to test the Services as part of its installation activities. Penetration testing, vulnerability assessments and other testing activities that may affect Netop’s business, including the Netop Platform, may only be conducted with Netop’s prior written consent from Netop and must be coordinated in cooperation with Netop. All results, findings, and related data from such testing must be promptly and fully disclosed to Netop.
5.3. Suitability and Legality. You agree that you are solely responsible for the suitability of the Services and you and your users’ compliance with any applicable laws, including export control laws, intellectual property laws, financial legislation, IT-security legislation and Data Protection Legislation.
5.4. Data Backup. It is Customer’s responsibility to ensure the integrity, security, and confidentiality of Customer Data and to regularly backup and validate the integrity of backups of Customer Data. Netop does not store Customer Data and has no obligations whatsoever with regards to any data stored on a User Device.
5.5. Representations and Warranties. Customer represents and warrants to Netop that it owns or otherwise has and will have the necessary rights and consents relating to any data, Intellectual Property, or other inputs it provides to Netop so that, as received by Netop, they do not and will not infringe, misappropriate, or otherwise violate any Intellectual Property rights or privacy or other rights of any third party or violate any applicable laws. Customer further represents and warrants it has the full right, power, and authority to enter into and perform its obligations to this Agreement, and the execution of the Agreement by the individual whose signature is set forth in the Order has been duly authorized by all necessary corporate or organization action. Further, Customer represents and warrants that its usage of the Services in its business complies with mandatory industry legislation, including financial and IT-security legislation.
5.6. Restrictions.
Customer shall not:
(i) modify, copy, duplicate, reproduce, reverse engineer, license or sublicense, transfer or convey the Services or any portion thereof except as otherwise provided for in this Agreement or otherwise without the prior written consent of Netop;
(ii) rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer, or otherwise make available any Services to any third party, including on or in connection with the internet or any time-sharing, service bureau, software as a service, cloud, or other technology or service;
(iii) use or access the Services for the purpose of building a competitive software or service or for any other competitive purposes;
(iv) misuse our Services by interfering with their normal operation or attempting to access them using a method other than through the interfaces and instructions provided by Netop;
(v) bypass or breach any security device or protection used by the Services or access or use the Services or other than by an Authorized user through the use of his or her own then valid access credentials;
(vi) circumvent or attempt to circumvent any limitations that Netop imposes on user accounts (such as using someone else’s username and password to get access to Service functionalities not meant for the user in question);
(vii) probe the vulnerability of any Netop system or network;
(viii) use any manual or automated system or software to extract or scrape data from the websites or other interfaces through which Netop makes the Services available
(ix) input, upload, transmit, or otherwise provide to or through the Services, any information or materials that are unlawful or injurious, or contain, transmit, or activate any virus, worm, malware, or other malicious computer code;
(x) damage, destroy, disrupt, disable, impair, interfere with, or otherwise impede or harm in any manner the Services or Netop’s provision of services to any third party, in whole or in part; or
(xi) otherwise access or use the Services beyond the scope of the authorization granted under this Section or in violation of the End User License Agreement (EULA).
6. SECURITY
6.1. Netop undertakes no responsibility for the security of any User Device. Customer must use reasonable security precautions in connection with its use of the Services. Customer Data is, and at all times shall remain, your exclusive property. Netop will not store Customer Data, and Netop will not use or disclose Customer Data except as materially required to perform the Services or as required by law.
6.2. Customer shall determine which employees, students, and users shall receive access to the Services (the “Authorized” users). Netop shall provide usernames and passwords as necessary for Authorized users at Customer’s sole discretion. Netop shall have no liability whatsoever for unauthorized use of login information of an Authorized user, unless the unauthorized use was wholly caused by Netop, its agents, or employees.
For the purposes of this clause, “Unauthorized” use shall mean any access or use of the Services by an individual who is not an Authorized user, or any use of the Services that is not in accordance with the terms and conditions of the End User License Agreement, the AUP, and the restrictions set forth in Section 3.4 of this Agreement agreed upon by Customer and Netop.
7. INTELLECTUAL PROPERTY
7.1. Pre-Existing. Each party shall retain exclusive ownership of Intellectual Property created, authored, or invented by it prior to the commencement of the Services. If you provide Netop with your pre-existing Intellectual Property (“Customer IP”), then you hereby grant to Netop, during the term of the applicable Order, a limited, worldwide, nontransferable, royalty-free, right and license (with right of sub- license where required to perform the Services) to use Customer IP solely for the purpose of providing the Services. You represent and warrant that you have all rights in Customer IP necessary to grant this license, and that Netop’s use of such Customer IP shall not infringe on or otherwise misappropriate the Intellectual Property rights of any third party.
7.2. Created by Netop.
Excluding any Customer IP, Netop shall own all Intellectual Property created as part of providing the Services. Unless otherwise specifically stated in the Agreement, and subject to your payment in full for the applicable Services, Netop grants to you, during the term of the applicable Order, a limited, non- exclusive, non-transferable, right and license (without the right to sublicense) to use any Deliverables, and any Intellectual Property provided to you by Netop as part of the Services for your internal use as necessary for you to enjoy the benefit of the Services during the term of the Agreement. You agree that any usage data, usage metrics, and other general information about your use or operation of the Services may be used and disclosed by Netop for product improvement and market analysis purposes.
7.3. Third-Party Software. Netop may provide third party software for your use as part of the Services or to assist in our delivery of the Services (“Third-Party Software”). Unless otherwise permitted by the terms of the applicable license you may not: (i) assign, grant or transfer any interest in the Third-Party Software to another individual or entity; (ii) reverse engineer, decompile, copy or modify the Third-Party Software; (iii) modify or obscure any copyright, trademark or other proprietary rights notices that are contained in or on the Third-Party Software; or (iv) exercise any of the reserved Intellectual Property rights provided under the laws governing this Agreement. Your use of any Third-Party Software may be subject to additional restrictions identified in the Order or an end-user license agreement or similar terms. Netop makes no representation or warranty regarding Third- Party Software except that Netop has the right to use or provide the Third-Party Software and that we are in material compliance with the applicable license;
7.4. Infringement. If the delivery of the Services or any portion thereof become the subject of any claim of infringement, then Netop, at its sole option, may (i) procure for you the right to continue using the Services as contemplated in the applicable Order; (ii) replace the Services or applicable portion thereof with a substantially equivalent non- infringing service as determined by Netop; or (iii) modify the Services to make them non- infringing, without materially reducing the features or functionality thereof. If Netop determines that it is not able to produce the preceding remedies via reasonably or commercially practicable efforts, Netop may terminate the Order on written notice and will not have any liability on account of such termination except to refund prepaid amounts paid for unused Services (prorated as to portions of Deliverables deemed infringing). Netop, at its sole option, may (i) procure for you the right to continue using the Services as contemplated in the applicable Order; (ii) replace the Services or applicable portion thereof with a substantially equivalent non- infringing service as determined by Netop; or (iii) modify the Services to make them non- infringing, without materially reducing the features or functionality thereof. If Netop determines that it is not able to produce the preceding remedies via reasonably or commercially practicable efforts, Netop may terminate the Order on written notice and will not have any liability on account of such termination except to refund prepaid amounts paid for unused Services (prorated as to portions of Deliverables deemed infringing).
8. FEES
8.1. Fees. Undisputed fees are due within 30 days of the invoice date. If you have arranged for payment by credit card or bank transfer, we may charge your account on or after the invoice date. If any undisputed payment is 15 or more days late, then we may suspend the Services on written notice. Invoices which are not disputed within 30 days of the invoice date are conclusively deemed accurate. Fees must be paid in the currency identified in the Order.
8.2. Fees Increase. On 30 days’ advance written notice, unless otherwise agreed by the parties, Netop may increase the fees due under any given Order by the greater of (i) 7% or (ii) the percentage change between the US CPI in the initial month of the applicable Order and the then current month, provided that Netop may not exercise these rights more than once in any 12-month period. Unless otherwise expressly provided in the applicable Order, fees will automatically increase for each renewal term. If at any time a third-party license or infrastructure provider directly or indirectly increases the fee they charge Netop for software or services required to deliver the Services, Netop may increase your fees by the same percentage amount on 90 days’ advance written notice.
8.3. Taxes. All amounts due to Netop under the Agreement are exclusive of any value added, goods and services, sales, use, property, excise and like taxes, import duties, and/or applicable levies (collectively “Tax”). You must pay any Taxes due on Netop’s provision of the Services or provide Netop with valid evidence of your exemption from such Taxes in advance of invoicing. All fees are due in full without any deduction for any withholding or other taxes except withholding taxes imposed on income attributable to Netop which you are legally required to withhold and remit to the applicable governmental authority (“Local Withholding Taxes”). You agree to provide Netop with timely accurate information regarding such Local Withholding Taxes on request.
8.4. Expenses. Except as otherwise included in a given Order, if any of the Services are performed at your site or premises then you agree to reimburse Netop for the actual substantiated out-of-pocket expenses of our Representatives.
8.5. Free of Charge Services. Where Services are provided free of charge, the provisions of this Agreement continue to apply in full.
9. DISCLAIMERS
9.1. Netop makes no commitment to provide any Services other than the Services stated in the Order. Netop is not responsible to you or any third party for Unauthorized access to your Customer Data or for Unauthorized use of the Services that is not solely caused by Netop’s failure to comply with its security obligations in the Agreement. Netop is not responsible for Customer’s compliance with mandatory legislation pertaining to your business.
9.2. At Customer’s request, Netop may provide Services that are not required by the Agreement. Any such Services shall be provided AS-IS, and Netop disclaims any and all other warranties, express or implied, including without limitation any implied warranties of merchantability and fitness for a particular purpose.
9.3. Netop may provide free of charge Services. Any such Services shall be provided AS-IS, and Netop disclaims any and all other warranties, express or implied, including without limitation any implied warranties of merchantability and fitness for a particular purpose.
9.4. TO THE EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT AS OTHERWISE SPECIFICALLY SET FORTH IN THIS AGREEMENT, THE SERVICES ARE RENDERED “AS IS”, AND NETOP AND ITS REPRESENTATIVES DISCLAIM ANY AND ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT
9.5. Netop makes no representation or warranty whatsoever regarding open source software or with regard to any third-party products or Services which we may recommend for your consideration
10. TERM AND TERMINATION
10.1. Term. This Agreement shall continue until terminated in accordance with its terms or the termination of the Order, whichever is later. Unless otherwise stated in the applicable Order, Orders shall automatically renew following their initial term (as identified in the Order) unless either party provides the other with written notice of non-renewal at least 90 days prior to the expiration of the then current term. Each renewal shall have a duration equal to the duration of the initial term.
10.2. Termination. Either party may terminate the Agreement or the affected Order(s) for cause on written notice if the other party materially breaches the Agreement and does not remedy the breach within 30 days of the other party’s written notice describing the breach. If, following the suspension of your Services for non-payment as provided in Section 6.1 (Fees), your account remains overdue for a further 15 days, we may terminate the Agreement or the applicable Orders for breach on written notice. Where Netop terminates this Agreement for cause as provided for in this Section, all fees due for the then current term shall immediately become due and payable. Upon termination of the Agreement, you will remove any Netop provided software and Device Agents and any Third-Party Software which has been installed on your (or your users’) devices.
10.3. Transition. If you request contemporaneously with any notice of termination (by either party), Netop shall make Customer Data available to you for a period of at least 30 days, in a publicly accessible format as it chooses. You agree that you shall promptly retrieve any Customer Data within this time period as required for you to comply with any applicable laws. If Customer Data is not retrieved within 180 days, Personal Data and Customer Data may be deleted by Netop.
11. CONFIDENTIAL INFORMATION
Each party agrees not to use the other’s Confidential Information except in connection with the performance or use of the Services, the exercise of its legal rights under this Agreement, or as required by law, and will use reasonable care to protect Confidential Information from Unauthorized disclosure. Each party agrees not to disclose the other’s Confidential Information to any third party except: (i) to its Representatives, provided that such Representatives agree to confidentiality measures that are at least as stringent as those stated in this Agreement; (ii) as required by law; or (iii) in response to a subpoena or court order or other compulsory legal process, provided that the party subject to such process shall give the other written notice of at least seven days prior to disclosing Confidential Information unless the law forbids such notice.
12. LIMITATIONS ON DAMAGES
12.1. Direct Damages. Notwithstanding anything in the Agreement to the contrary, except for liability arising from: (i) death or personal injury caused by negligence; (ii) willful misconduct, fraudulent misrepresentation; (iii) willful default; (iv) unlawful acts; or (v) any other loss or damages for which such limitation is expressly prohibited by applicable law, the maximum aggregate monetary liability of Netop and any of its Representatives in connection with the Services or the Agreement shall not exceed the total amount of fees paid for the Services in the twelve month period immediately preceding the event(s) giving rise to the claim.
12.2. Indirect Damages. Neither party (nor any of our Representatives) is liable to the other for any indirect, special, incidental, exemplary or consequential loss or damages of any kind. Neither of us is liable for any loss that could have been avoided by the damaged party’s use of reasonable diligence, even if the party responsible for the damages has been advised or should be aware of the possibility of such damages. In no event shall either party be liable to the other for any punitive damages, or for any loss of profits, data, revenue, business opportunities, customers, contracts, goodwill or reputation.
13. INDEMNIFICATION
13.1. You shall, at your expense, indemnify, release, hold harmless, and defend Netop, our Affiliates, and any of our or their Representatives (the “Indemnitees”) from and against any and all liability or expenses (including attorneys’ and other professional fees and expenses as reasonably incurred), damages, claims, proceedings, lawsuits, threats of lawsuits, and other written allegations or claims (each, a “Claim”) made or brought by a third party arising out of your actual or alleged: (i) willful misconduct; (ii) breach of applicable law; (iii) failure to meet the security obligations required by the Agreement; (iv) breach of your agreement(s) with or obligation(s) to your customers or users; (v) violation of the AUP; or (vi) your breach of Section 7 (Intellectual Property). Further, you shall indemnify Netop against any and all claims of third parties due to product liability as a result of a defect in a product or system that you have supplied to a third party and that consisted in part of the Services, unless and insofar as you are able to prove that the loss was caused by the Services. Your obligations under this Section include Claims arising out of the acts or omissions of your employees or agents, any other person to whom you have given access to the Services, and any person who gains access to the Services as a result of your failure to use reasonable security precautions, even if the acts or omissions of such persons were not Authorized by you.
13.2. We will choose legal counsel to defend the Claim, provided that the choice is reasonable and is communicated to you. You must comply with our reasonable requests for assistance and cooperation in the defence of the Claim. We may not settle the Claim without your consent, which may not be unreasonably withheld, delayed or conditioned.
14. Notices.
Your routine communications to Netop regarding the Services should be sent to your account team using the Customer portal. To give a notice regarding termination of the Agreement for breach, indemnification, or other legal matter, you must send it by electronic mail and first-class post to:
Credit Control
Netop Business Solutions A/S
Bregnerødvej 127
DK-3460 Birkerød
Denmark
Email: creditcontrol@netop.com
Netop’s routine communications regarding the Services and legal notices will be sent by email or post to the individual(s) you designate as your contact(s) on your account. Notices are deemed received as of the time posted or delivered, or if that time does not fall within a Business Day, as of the beginning of the first Business Day following the time posted or delivered. For purposes of counting days for notice periods, the Business Day on which the notice is deemed received counts as the first day.
15. PUBLICITY, USE OF MARKS.
Customer agrees that Netop may publicly disclose that it is providing Services to Customer and may use Customer’s name and logo to identify Customer in promotional materials, including press releases. Customer may not issue any press release or publicity regarding the Agreement, use the Netop name or logo or other identifying indicia, or publicly disclose that it is using the Services without Netop’s prior written consent.
16. ASSIGNMENT/SUBCONTRACTORS.
Neither party may assign the Agreement or any Orders without the prior written consent of the other party except to an Affiliate or successor as part of a corporate reorganization or a sale of some or all of its business, provided the assigning party notifies the other party of such change of control. Netop may use its Affiliates or subcontractors to perform all or any part of the Services, but Netop remains responsible under the Agreement for work performed by its Affiliates and subcontractors to the same extent as if Netop performed the Services itself. Customer acknowledges and agrees that Netop Affiliates and subcontractors may be based outside of the geographic jurisdiction in which Customer is located.
17. FORCE MAJEURE.
Neither party will be in violation of the Agreement if the failure to perform the obligation is due to an event beyond its control, such as of any fire, earthquake, flood, hurricane, tornado, snowstorm, epidemic, accident, explosion, casualty, virus or other malicious software, strike, lockout, labour controversy, riot, civil disturbance, act of public enemy, embargo, war, act of God, act of terrorism, or any municipal, county, state or national ordinance or law, or any executive, administrative or judicial order (which order is not the result of any act or omission which would constitute a default hereunder), or any failure or delay of any transportation, power, or communications system or any other or similar cause, or significant failure of a part of the power grid, failure of the Internet, or other events beyond such party’s reasonable control.
18. Governing Law for all Customers except Customers domiciled or resident (with billable address) in the United States of America, Canada or Mexico.
These GT&C’s and the entire Agreement shall be governed by the laws of the Kingdom of Denmark without recourse to any choice of law provision or international regulation, treaty or convention appointing to another governing law (renvoi). Any and all disputes shall be resolved through the ordinary Danish courts with venue with the Copenhagen City Court or the Maritime and Commercial Court of Copenhagen within its exclusive competence as court of first instance.
19. Governing Law for Customers with billable address in the United States of America, Canada or Mexico.
If Customer is contracting with Netop Tech Inc., then these GT&C’s are governed by the laws of the State of Delaware, USA, exclusive of any choice of law principle that would require the application of the law of a different jurisdiction. Exclusive venue for all disputes arising out of the Agreement shall be in the state or federal courts[], and we each agree not to bring any action in any other venue. You waive all objections to this venue and agree not to dispute personal jurisdiction or venue in these courts.
20. GDPR, UK GDPR, and EUDPR.
20.1. Netop Service may be set up by you in a way where no Personal Data is processed. However, if we process “Personal Data” (also known as “Personal Information”) as defined by the Data Protection Legislation as part of delivering the Services to you, in so far as required, both you and we agree that we will comply with all applicable requirements of the Data Protection Legislation. This Section is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
20.2. You acknowledge that for the purposes of the Data Protection Legislation, we are the controller of Personal Data we use to manage our relationship with you and to allow your users to access the Services and you are the controller and Netop is the processor of any Personal Data contained in the Customer Data (where controller and processor have the meanings as defined in the Data Protection Legislation). Where we are acting as your processor, the Data Processing Agreement (www.netop.com/legal/DPA) sets out the scope, nature and purpose of processing by Netop, the duration of the processing and the types of Personal Data (as defined in the Data Protection Legislation) and categories of Data Subject. Further information is contained in the Data Processing Agreement (www.netop.com/legal/DPA.)
21. LEGAL BASIS.
Without prejudice to the generality of Section 21.1, you will ensure that you have all necessary appropriate legal basis for lawful processing of any Personal Data.
22. SANCTIONS STATUS.
22.1. Neither party nor any of its Affiliates or, to the best of its knowledge, any director, officer, manager, or employee of such party or any of its Affiliates is a person who (a) is the target of any laws administered by the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) or any other governmental entity imposing economic sanctions or trade embargoes (“Economic Sanctions Laws”), or (b) is located, organised, or resident in a country or territory that is, or whose government is, the target of sanctions imposed by OFAC or any other governmental entity.
22.2. Each party shall promptly upon becoming aware thereof notify the other party if it or any of its Affiliates, or any of its or its Affiliates’ directors, officers, managers, employees, or agents becomes the target of any Economic Sanctions Laws, or the country or territory where any of them is located, organized, or resident becomes the target of sanctions imposed by OFAC or any other governmental entity
23. MISCELLANEOUS.
23.1. “Business Day” means Monday through Friday, excluding public holidays in the United States. Unless otherwise explicitly stated in the Order Form, Netop may amend the terms of the Agreement by given Customer 90 days written notice to the end of a term. An amendment may include all part of the agreement including removal of all or part of the Services.
23.2. If any part of the Agreement is found unenforceable, the rest of the Agreement will continue in effect, and the unenforceable part shall be reformed to the extent possible to make it enforceable and give business efficacy to the Agreement. Each party may enforce its respective rights under the Agreement even if it has waived the right or failed to enforce the same or other rights in the past. The relationship between the parties is that of independent contractors and not business partners. Neither party is the agent for the other and neither party has the right to bind the other on any agreement with a third party. The use of the word “including” means “including without limitation”. Other than Representatives for the purposes of Sections 7, 11, 12, and 13, there are no third-party beneficiaries to the Agreement.
23.3. The following provisions shall survive expiration or termination of this Agreement: Defined Terms, Intellectual Property, Disclaimers, Term and Termination, Confidential Information, Limitations on Damages, Indemnification, Notices, Governing Law, ,GDPR, UK GDPR, EUDPR, Miscellaneous, all terms of the Agreement requiring you to pay any fees for Services provided prior to the time of expiration or termination, or requiring you to pay an early termination fee, and any other provisions that by their nature are intended to survive expiration or termination of the Agreement.
23.4. The Agreement constitutes the complete and exclusive understanding between the parties regarding its subject matter and supersedes and replaces any prior or contemporaneous representation(s), agreement(s) or understanding(s), written or oral. Singular and Plural Terms. In the body of the GT&C, both the singular and plural can be used interchangeably regardless of whether the definition refers to the singular or plural term.
Netop US Addendum
This US Addendum (“Addendum”) integrates with and amends the Netop End User License Agreement (“EULA”) and the Netop General Terms & Conditions (collectively, the “Base Terms”) for any Customer that executes an Order with Netop Tech Inc. for the licensing of Software as defined in the EULA. By executing an Order, Customer agrees that the Order, the Base Terms, and this Agreement together constitute a single binding contract (the “Agreement”). Capitalized terms not defined in this Addendum have the meanings given in the Base Terms. If there is any conflict between this Addendum and the Base Terms, the provisions of this Addendum control solely for the subject matter of the conflict.
1. Equitable Relief. Customer recognizes and agrees that there may be no adequate remedy at law for a breach of this Agreement, especially with respect to restrictions on Customer’s use NetOps’s Confidential Information or Intellectual Property, and that such breach would irreparably harm Netop, for which monetary damages would not be an adequate remedy; consequently, Netop is entitled, in addition to its other rights and remedies, to seek equitable relief without posting of bond or other security
2. U.S. Government Restricted Rights. The Software is deemed to be commercial computer software as defined in FAR 12.212 (Computer Software) and is subject to restricted rights as defined in FAR section 52.227-19 (Commercial Computer Software License) and DFARS 227.7202 (Rights in Commercial Computer Software or Commercial Computer Software Documentation), as applicable, and any successor regulations. Any use, modification, reproduction, release, performance, display, or disclosure of the Software by the U.S. Government shall be solely in accordance with the terms of this
Agreement.
3. Protected Health Information. Unless the parties expressly agree in writing to the contrary, if Customer is a Covered Entity, Business Associate, or Representative of a Covered Entity or Business Associate, as those terms are defined in 45 C.F.R § 160.103 (HIPAA Privacy Rule definitions), as amended, Customer agrees not to use any component, function, or other facility to create, receive, manage, or transmit any “protected health information” as defined in 45 C.F.R § 160.103 if doing so would cause Netop General Terms & Conditions May 2025 20 Netop to be considered a Business Associate or a Representative of a Business Associate.
4. Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL NETOP OR ITS LICENSORS, RESELLERS, SUPPLIERS, OR AGENTS BE LIABLE TO CUSTOMER FOR (i) ANY COSTS OF PROCUREMENT OF SUBSTITUTE OR REPLACEMENT GOODS AND SERVICES, LOSS OF PROFITS, LOSS OF USE, LOSS OF OR CORRUPTION TO DATA, BUSINESS
INTERRUPTION, LOSS OF PRODUCTION, LOSS OF REVENUES, LOSS OF CONTRACTS, LOSS OF GOODWILL, OR ANTICIPATED SAVINGS OR WASTED MANAGEMENT AND STAFF TIME; OR (ii) ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, OR INDIRECT DAMAGES WHETHER ARISING DIRECTLY OR INDIRECTLY OUT OF THIS CONTRACT, EVEN IF NETOP OR ITS LICENSORS, RESELLERS, SUPPLIERS, OR AGENTS HAS BEEN ADVISED SUCH DAMAGES MIGHT OCCUR. IN NO CASE SHALL NETOP’S LIABILITY EXCEED THE LOWER OF (X) THE FEES CUSTOMER PAID FOR THE SOFTWARE OR SERVICES GIVING RISE TO THE CLAIM DURING THE SIX MONTH PERIOD IMMEDIATELY PRIOR TO THE EVENT GIVING RISE TO THE CLAIM.
5. Indemnification by Customer. Customer shall indemnify, defend, and hold Netop, its affiliates, officers, directors, shareholders, employees, agents, and assigns harmless from and against any and all liabilities, losses, costs, expenses, settlement amounts, and damages (including reasonable attorneys’ fees) incurred by Netop arising out of any suit or proceeding by a third party that results from Customer’s use of the Software or
Customer’s breach of any representation, warranty, covenant, or obligation under this Agreement.
6. Indemnification Process. Netop shall promptly notify Customer in writing of any action for which Netop believes it is entitled to indemnification under Section 5. If Netop is named a party in any judicial, administrative, or other proceeding arising out of or in connection with any breach of
this Agreement, a negligent or wrongful act, or a violation of any applicable law, Netop may, at its option: (a) undertake its own defense, choosing the attorneys, consultants, and other appropriate professionals to represent its interests, in which case Customer will be responsible for and pay the reasonable fees and expenses of such professionals; or (b) tender its defense to Customer, in which case Customer will provide qualified
attorneys, consultants, and other appropriate professionals to represent Netop at Customer’s expense. Netop retains the sole right and discretion to
settle, compromise, or otherwise resolve any and all claims, causes of action, liabilities, or damages against it, notwithstanding that Netop may have tendered its defense to Customer. Any such resolution will not relieve Customer of its obligation to indemnify Netop under section 5.
7. Governing Law and Jurisdiction. This Agreement and any disputes arising from or relating to it shall be governed exclusively by the laws of the State of Delaware, United States of America, without regard to principles of conflicts of law and excluding the United Nations Convention on Contracts for the International Sale of Goods. The parties unconditionally and irrevocably consent to the exclusive jurisdiction of the federal and state courts located in Delaware with respect to any action, suit, or proceeding arising out of or relating to this Agreement, and each party waives any objection to
venue in those courts.
8. Disclaimer. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE WARRANTIES SET FORTH IN THIS AGREEMENT ARE CUSTOMER’S EXCLUSIVE WARRANTIES AND REPLACE ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. NETOP MAKES NO WARRANTIES OR REPRESENTATIONS THAT THE SOFTWARE OR ANY SERVICES WILL MEET CUSTOMER’S REQUIREMENTS OR THAT OPERATION OR USE OF THE SOFTWARE OR SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE. CUSTOMER MAY HAVE OTHER WARRANTY RIGHTS, WHICH MAY VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.
9. California Consumer Privacy Act and Personal Information. With regard to Personal Information subject to the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”), Netop agrees that it shall not: (i) sell or share the Personal Information, as “sell” or “share” is defined in the CCPA; (ii) retain, use, or disclose the Personal Information for any purpose other than as described in this Agreement, the Data Processing Addendum, or Netop’s Privacy Notices, including retaining, using, or disclosing the Personal Information for a commercial purpose that does not comply with the CCPA; or (iii) retain, use, or disclose the Personal Information outside the permitted scope of this Agreement and without the documented instructions of Customer.
EXHIBIT A
DATA PROCESSING ADDENDUM
Standard Contractual Clauses
For the purposes of Article 28(3) of Regulation 2016/679 (the GDPR)
between
Customer
(as defined in the Order Form)
(the data controller)
and
Netop Business Solutions A/S
CVR 20077948
Bregnerødvej 127
3460 Birkerød
Denmark
(the data processor)
each a ‘party’; together ‘the parties’
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to meet the requirements of the GDPR and to ensure the protection of the rights of the data subject.
1. Table of Contents
2. Preamble
3. The rights and obligations of the data controller.
4. The data processor acts according to instructions.
5. Confidentiality.
6. Security of processing.
7. Use of sub-processors.
8. Transfer of data to third countries or international organisations.
9. Assistance to the data controller.
10. Notification of personal data breach.
11. Erasure and return of data.
12. Audit and inspection.
13. The parties’ agreement on other terms.
14. Commencement and termination.
15. Data controller and data processor contacts/contact points.
Appendix A Information about the processing.
Appendix B Authorised sub-processors.
Appendix C Instruction pertaining to the use of personal data.
2. Preamble
1. These Contractual Clauses (the Clauses) set out the rights and obligations of the data controller and the data processor, when processing personal data on behalf of the data controller.
2. The Clauses have been designed to ensure the parties’ compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
3. In the context of the provision of Netop Services, the data processor will process personal data on behalf of the data controller in accordance with the Clauses.
4. The Clauses shall take priority over any similar provisions contained in other agreements between the parties.
5. Four appendices are attached to the Clauses and form an integral part of the Clauses.
6. Appendix A contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.
7. Appendix B contains the data controller’s conditions for the data processor’s use of sub-processors and a list of sub-processors authorised by the data controller.
8. Appendix C contains the data controller’s instructions with regards to the processing of personal data, the minimum security measures to be implemented by the data processor and how audits of the data processor and any sub-processors are to be performed.
9. The Clauses along with appendices shall be retained in writing, including electronically, by both parties.
10. The Clauses shall not exempt the data processor from obligations to which the data processor is subject pursuant to the General Data Protection Regulation (the GDPR) or other legislation.
3. The rights and obligations of the data controller
1. The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State[1] data protection provisions and the Clauses.
2. The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
3. The data controller shall be responsible, among other, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.
[1] References to ”Member States” made throughout the Clauses shall be understood as references to “EEA Member States”.
4. The data processor act according to instructions
1. The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the processor is subject. Such instructions shall be specified in appendices A and C. Subsequent instructions can also be given by the data controller throughout the duration of the processing of personal data, but such instructions shall always be documented and kept in writing, including electronically, in connection with the Clauses.
2. The data processor shall immediately inform the data controller if instructions given by the data controller, in the opinion of the data processor, contravene the GDPR or the applicable EU or Member State data protection provisions.
5. Confidentiality
1. The data processor shall only grant access to the personal data being processed on behalf of the data controller to persons under the data processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need to know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access to personal data can be withdrawn, if access is no longer necessary, and personal data shall consequently not be accessible anymore to those persons.
2. The data processor shall at the request of the data controller demonstrate that the concerned persons under the data processor’s authority are subject to the abovementioned confidentiality.
6. Security of processing
1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:
a. Pseudonymisation and encryption of personal data;
b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.
3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Articles 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR.
If subsequently – in the assessment of the data controller – mitigation of the identified risks require further measures to be implemented by the data processor, than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.
7. Use of sub-processors
1. The data processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).
2. The data processor shall therefore not engage another processor (sub-processor) for the fulfilment of the Clauses without the prior general written authorisation of the data controller.
3. The data processor has the data controller’s general authorisation for the engagement of sub-processors. The data processor shall inform in writing the data controller of any intended changes concerning the addition or replacement of sub-processors at least two weeks in advance, thereby giving the data controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). The list of sub-processors already authorised by the data controller can be found in www.netop/com/legal/sub-processors.
4. Where the data processor engages a sub-processor for carrying out specific processing activities on behalf of the data controller, the same data protection obligations as set out in the Clauses shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Clauses and the GDPR.
The data processor shall therefore be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Clauses and the GDPR.
5. A copy of such a sub-processor agreement and subsequent amendments shall – at the data controller’s request – be submitted to the data controller, thereby giving the data controller the opportunity to ensure that the same data protection obligations as set out in the Clauses are imposed on the sub-processor. Clauses on business related issues that do not affect the legal data protection content of the sub-processor agreement, shall not require submission to the data controller.
6. If the sub-processor does not fulfil his data protection obligations, the data processor shall remain fully liable to the data controller as regards the fulfilment of the obligations of the sub-processor. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in Articles 79 and 82 GDPR – against the data controller and the data processor, including the sub-processor.
8. Transfer of data to third countries or international organisations
1. Any transfer of personal data to third countries or international organisations by the data processor shall only occur on the basis of documented instructions from the data controller and shall always take place in compliance with Chapter V GDPR.
2. In case transfers to third countries or international organisations, which the data processor has not been instructed to perform by the data controller, is required under EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
3. Without documented instructions from the data controller, the data processor therefore cannot within the framework of the Clauses:
a. transfer personal data to a data controller or a data processor in a third country or in an international organization
b. transfer the processing of personal data to a sub-processor in a third country
c. have the personal data processed in by the data processor in a third country
4. The data controller’s instructions regarding the transfer of personal data to a third country including, if applicable, the transfer tool under Chapter V GDPR on which they are based, shall be set out in Appendix C.6.
5. The Clauses shall not be confused with standard data protection clauses within the meaning of Article 46(2)(c) and (d) GDPR, and the Clauses cannot be relied upon by the parties as a transfer tool under Chapter V GDPR.
9. Assistance to the data controller
1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR.
This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:
a. the right to be informed when collecting personal data from the data subject
b. the right to be informed when personal data have not been obtained from the data subject
c. the right of access by the data subject
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
a. The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
d. the data controller’s obligation to consult the competent supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
3. The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
10. Notification of personal data breach
1. In case of any personal data breach, the data processor shall, without undue delay after having become aware of it, notify the data controller of the personal data breach.
2. The data processor’s notification to the data controller shall, if possible, take place without undue delay after the data processor has become aware of the personal data breach to enable the data controller to comply with the data controller’s obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 GDPR.
3. In accordance with Clause 9(2)(a), the data processor shall assist the data controller in notifying the personal data breach to the competent supervisory authority, meaning that the data processor is required to assist in obtaining the information listed below which, pursuant to Article 33(3)GDPR, shall be stated in the data controller’s notification to the competent supervisory authority:
a. The nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b. the likely consequences of the personal data breach;
c. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. The parties shall define in Appendix C all the elements to be provided by the data processor when assisting the data controller in the notification of a personal data breach to the competent supervisory authority.
11. Erasure and return of data
1. On termination of the provision of personal data processing services, the data processor shall be under obligation to delete all personal data processed on behalf of the data controller and certify to the data controller that it has done so unless Union or Member State law requires storage of the personal data.
The data processor commits to exclusively process the personal data for the purposes and duration provided for by this law and under the strict applicable conditions.
12. Audit and inspection
1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the Clauses and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.
2. Procedures applicable to the data controller’s audits, including inspections, of the data processor and sub-processors are specified in appendices C.7. and C.8.
3. The data processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the data controller’s and data processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor’s physical facilities on presentation of appropriate identification.
13. The parties’ agreement on other terms
1. The parties may agree other clauses concerning the provision of the personal data processing service specifying e.g. liability, as long as they do not contradict directly or indirectly the Clauses or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.
14. Commencement and termination
1. The Clauses shall become effective on the date of both parties’ signature.
2. Both parties shall be entitled to require the Clauses renegotiated if changes to the law or inexpediency of the Clauses should give rise to such renegotiation.
3. The Clauses shall apply for the duration of the provision of personal data processing services. For the duration of the provision of personal data processing services, the Clauses cannot be terminated unless other Clauses governing the provision of personal data processing services have been agreed between the parties.
4. If the provision of personal data processing services is terminated, and the personal data is deleted or returned to the data controller pursuant to Clause 11.1. and Appendix C.4., the Clauses may be terminated by written notice by either party.
5. Signature
Signed in the Order Form.
15. Data controller and data processor contacts/contact points
1. The data controller may be contacted using the contacts/contact points set-out in the data processor’s customer platform. The data processor may be contacted by using the prevailing contact point of the DPO of the data processor.
Appendix A Information about the processing
A.1. The purpose of the data processor’s processing of personal data on behalf of the data controller is:
Remote access to the Host devices of the Data Controller.
A.2. The data processor’s processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):
IP addresses may in certain instances be viewed by the Data Processor in connection with the transmission of data from the data controller to the host devices. Such IP addresses may include personal data.
A.3. The processing includes the following types of personal data about data subjects:
IP addresses may include names of employees of the Data Controller.
A.4. Processing includes the following categories of data subject:
Ordinary personal data (IP addresses)
A.5. The data processor’s processing of personal data on behalf of the data controller may be performed when the Clauses commence. Processing has the following duration:
The duration of the Services.
Appendix B Authorized sub-processors
B.1. Approved sub-processors
On commencement of the Clauses, the data controller authorises the engagement of the following sub-processors:
Name | CVR | ADDRESS | DESCRIPTION OF PROCESSING |
Appendix C Instruction pertaining to the use of personal data
C.1. The subject of/instruction for the processing
The data processor’s processing of personal data on behalf of the data controller shall be carried out by the data processor performing the Services set out in the Order Form.
C.2. Security of processing
The level of security shall take into account that the processing is limited in scope to transmission of IP addresses of Host and Guest, and only if the technical measures of the Customer does not exclude such transfers.
The data processor and its sub-processors are certified pursuant to ISO/IEC 27001, and the processing is carried out with a high level of security as set out in the GT&C.
C.3. Assistance to the data controller
The data processor shall insofar as this is possible – within the scope and the extent of the assistance specified below – assist the data controller in with information on any data breach with the data processor in so far that the breach is caused by the data processor or any of its sub-processors. All other assistance will be invoiced on a time and materiel basis.
C.4. Storage period/erasure procedures
The personal data is not stored with the data processor.
C.5. Processing location
Processing of the personal data will take place at the locations listed on:
https://www.netop.com/legal/sub-processors
C.6. Instruction on the transfer of personal data to third countries
The data processor is instructed to process data on locations out-side the EU/EEA as set out in https://www.netop.com/legal/sub-processors The data processor is free to choose legal basis for transfer of personal data in accordance with clause 7.4.
C.7. Procedures for the data controller’s audits, including inspections, of the processing of personal data being performed by the data processor
The data processor will annually present a general report from an independent third party concerning the data processor’s compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.
The report shall without undue delay be submitted to the data controller for information.
The data controller or the data controller’s representative shall in addition have access to inspect, including physically inspect, the places, where the processing of personal data is carried out by the data processor, including physical facilities as well as systems used for and related to the processing. Such an inspection shall be performed, when the data controller deems it required, and the data controller will be invoiced all cost pertaining to such inspections on a time and material basis.