General Terms and Conditions for Billit
Please read these General Terms and Conditions (the "Terms") carefully, as they constitute a binding agreement and govern the use of Billit's digital services relating to, among other things, bookkeeping, invoicing and payroll management (the "Services") offered to customers who are business operators (the "Customer") via Billit.
Separately, Billit and the Customer are referred to as a "Party" and jointly as the "Parties".
The Customer is the data controller for the data that the Customer registers on Billit and in the Services. The data processing agreement between the Customer and Billit is set out in Appendix 1. Information regarding the personal data that Billit, in its capacity as data controller, collects, uses, shares and protects can be found in Billit's Privacy Policy.
By registering for or otherwise using Billit and/or the Services, you consent to the Terms. The Terms shall be deemed accepted each time the Services and/or the Platform are used. If the Terms are not accepted, the Services and/or the Platform may not be used or any content accessed.
Please note that Billit's services are not provided to consumers.
In the event of conflicting provisions in the contractual documents, the Terms shall, unless otherwise expressly stated, take precedence over the appendices, and the appendices shall take precedence over each other in numerical order.
Some recurring terms:
User & User Account
A User creates a User Account and thereby gains access to the Platform and the Services. A User Account is personal and may only be used by the User who created the User Account. A User Account may have different authorisation levels for different Customers.
Main Administrator
A Main Administrator is a User who has the authority or power to enter into agreements on behalf of a Customer and who serves as the Customer's contact person in all matters relating to the Services and the Terms.
Customer
A natural or legal person who is a business operator. Only businesses may become Customers of Billit (no consumers).
Customer's Data
All data and information that the Customer, or individual User Accounts on behalf of the Customer, makes available and that is processed within the scope of the Services.
Subscription & Pricing Plan
Access to the Services and the Customer's Data requires a Subscription to a Pricing Plan. If no cancellation is made, a Subscription is automatically renewed for the same Contract Period as before and the Customer is liable for payment for that period as well. A Subscription is charged automatically and if payment is not received, access to the Services and the Customer's Data will be lost.
Contract Period
The Contract Period is the period for which you pay when you enter into a Subscription and the period during which you have access to the Services. If cancellation is not made no later than the day before the next Contract Period, the Subscription is automatically renewed for the same Contract Period as the previous one.
Storage Service
Storage Service means that Billit, on behalf of the Customer, continues to store the Customer's Data for as long as the legislation requires the storage of accounting records. To access the Customer's Data, the Customer must have a Subscription. Upon termination of the Terms, Billit will no longer store the Customer's Data.
Access to the Services
Creating a User Account
A named natural person (the "Holder") who accepts the Terms may create a User Account with Billit. By creating a User Account, the Holder becomes a User of Billit's services.
The User bears full responsibility for the use of the User Account. The login credentials for a User Account are personal and may not be lent to or used by anyone else. The password associated with the User Account must be kept confidential. A breach of this provision may be considered a material breach of the Terms.
In the event of suspected unauthorised use of the User Account, Billit must be contacted immediately.
If a password has been lost or stolen, it must be changed immediately by using the forgotten password function on the login page.
By means of the User Account, the User gains access to the Services. The User may not at any time use the Services in a manner that could damage Billit's name, reputation or goodwill, or that is in breach of applicable legislation or other rules.
Billit reserves the right to block a User Account if there is a suspicion of misuse of the Terms or the Services.
Billit has the right to refuse a Holder the creation of an account without stating reasons.
Billit is the data controller for personal data relating to the Holder. Billit may use information about the Holder for statistics and analysis of the Services. Such statistics may be combined with publicly available data, the Customer's Data and application data.
For Billit's processing of personal data, in its capacity as data controller, reference is made to Billit's Privacy Policy.
Registering a Company
A company may be registered, and a customer account thereby created, by a User submitting a request through their account for a company to become a Customer of Billit.
By submitting a request for a company to become a Customer, the User certifies that they have the authority and power to bind the Customer in relation to Billit. The Terms that the User has accepted are thereby also binding on the Customer.
The Customer and the User receive non-exclusive access to Billit and the Services, and in no event shall the Services or a copy thereof be acquired by the Customer and/or the Users.
Billit reserves the right to block a Customer's access to the Services if there is a reasonable suspicion of misuse of the Terms or the Services.
Billit has the right, without stating reasons, to refuse to accept a company as a Customer.
All Users who gain access to the Services on behalf of a Customer become that Customer's case handlers.
Each Customer shall have a User registered as the Customer's Main Administrator. The Main Administrator shall be a User who has the authority or power to enter into agreements on behalf of the Customer.
It is the Customer's responsibility to ensure that the Customer at all times has a Main Administrator designated. In the event that the Customer lacks a Main Administrator, Billit reserves the right to suspend the Customer's access to the Services until a Main Administrator has been registered.
In the event that the Main Administrator no longer has the right to enter into agreements on behalf of the Customer, the Main Administrator shall either immediately contact Billit or change their role/authorisation by designating another User as Main Administrator.
Billit has the right to request that the User identify themselves and provide supplementary information about the Customer and/or the User. In the event that Billit discovers that the User registered as the Main Administrator does not have the right to represent the Customer, Billit has the right to immediately suspend the Customer's and/or the User's access to Billit and the Services.
The Main Administrator is the Customer's contact person in all matters relating to the Services and the Terms. The Main Administrator is the person who, on behalf of the Customer, receives information about changes and updates to the Terms. The Main Administrator is also responsible for assigning authorisation levels to other case handlers and may thereby choose which Services each case handler shall have access to.
There may also be employees linked to a Customer. An employee is a User with limited access to the Services.
The Customer's IT Environment
The Customer is responsible for ensuring that the Customer at all times has the necessary technical equipment to use the Services and Billit to a normal extent. This also applies in the event of changed functionality due to changes to the Services or to Billit, changed security procedures and/or other changed technical requirements in the market.
The Customer is also responsible for the digital connection to Billit and the Services.
The Customer shall ensure that it has adequate protection against malicious code and is responsible for ensuring that all data and information that the Customer, or individual Users on behalf of the Customer, makes available and that is processed within the scope of the Services (the "Customer's Data") is free from viruses, trojans, worms or other malicious software or code, and does not otherwise damage or adversely affect Billit's systems and the Services.
The Customer is responsible for not using the Services or Billit for illegal activities or for the distribution of material that is illegal or that may be perceived as offensive.
The Customer is responsible for ensuring that its case handlers do not breach, circumvent, remove or interfere with the technology and security systems that Billit uses to protect the Services and their content. The Customer shall ensure that its case handlers do not act in a manner that could cause Billit or the Services to be disabled, overloaded, degraded or damaged, or in any other manner that could cause Billit to suffer loss or damage.
Support
The Customer is offered support regarding the Services via, among other things, email and help pages. The Customer's access to support may depend on the Customer's choice of Pricing Plan/Subscription, such as user training, advisory services or implementation/uploading of customer or product registers, which may be available for separate purchase. Support is not provided for software or hardware supplied by a party other than Billit.
Billit has the right to delay, interrupt and/or suspend support. Billit handles support enquiries with the urgency that the circumstances require.
In all contacts with Billit regarding support, the Customer shall, upon request from Billit, be prepared to identify itself, provide a detailed description of its computer system and its basic structure, any operational disruptions the Customer may be experiencing, and the impact such disruptions have on the Customer's business as a whole.
Restriction of Access to the Services
Billit strives to offer the best possible availability of the Services with minimal disruptions.
If the provision of the Services entails a risk of damage to Billit or to any of Billit's customers, Billit may take such measures as are necessary having regard to the circumstances (including shutting down and/or restricting access to the Services). The Customer shall be notified as soon as possible of any measures taken in relation to the Services.
Billit has the right to take planned measures that affect the availability of the Services if required for technical, maintenance, operational or security reasons. Billit shall carry out such measures promptly and in a manner that limits disruptions. Billit shall notify the Customer within a reasonable time before the measure is taken and, where possible, schedule planned measures outside normal working hours.
Billit has the right to immediately prevent further use and remove content from the Services if it can reasonably be assumed that continued use is in breach of applicable legislation. Billit shall notify the Customer if or when this right is exercised.
Billit has the right to prevent and block the Customer's use of the Services if the Customer, including its case handlers, uses the Services in breach of applicable legislation. Billit shall, where possible, notify the Customer if or when this right is exercised.
Subscription and Payment
Access to Billit and the Services requires that the Customer has a Subscription, i.e. has purchased a Pricing Plan/Package at a fixed price during the Contract Period which, if the Subscription has not been cancelled, is automatically renewed for a new Contract Period of the same duration as the previous one (unless otherwise notified by the Customer).
The Customer only has access to the Services included in the Pricing Plan/Package for which they have entered into a Subscription agreement. In the event that the Customer switches to a Pricing Plan with fewer Services included at the next Contract Period, the Customer's access to the other Services shall cease when the new Contract Period begins. Provided that the Customer continues to have a Subscription, the Customer shall, however, continue to have access to the Customer's Data originating from previous access to Services (e.g. previously sent invoices).
With the Subscription, the Customer has, depending on the Pricing Plan/Package, a number of Services. The Services are divided into different categories. Unless otherwise stated in the price list, the following payment terms apply for each category of Services:
Add-ons, which are included in the Subscription, have the same commitment period as the Subscription and thus apply for the entire remaining Contract Period (one month or one year). The Subscription is automatically renewed unless the Subscription has been cancelled.
Extra services, i.e. services that have a one-time cost, shall be paid in advance.
Billit has the right to increase prices by notifying the Customer no later than thirty (30) days before the price increase. For Subscriptions (i.e. services subject to a Contract Period), the new price shall take effect when the next Contract Period begins.
In the event of late payment, default interest shall accrue at an annual interest rate of 16 per cent. Billit also has the right to charge a late payment fee in accordance with applicable law.
If payment is not made by the specified due date, Billit has the right to suspend the Customer's access to Billit and the Services, which includes the Customer's access to the Customer's Data. In order for the Customer to gain access to the Customer's Data, the Customer must pay the outstanding claim to Billit and purchase a Pricing Plan/Package on a Subscription for the current period.
Limitation of Liability
Unless otherwise prescribed by mandatory legislation, Billit shall not be liable for any direct or indirect damage arising out of or in connection with the provision of the Services or Billit. This applies regardless of how the damage or loss was caused (including damage or loss caused by negligence) and whether the damage was foreseeable or not at the time the Terms entered into force (even if Billit has been informed of the risk of such damage or loss).
Unless otherwise prescribed by mandatory legislation, Billit shall in no event be liable for indirect damage or loss arising under or in connection with the provision of the Services, including but not limited to loss of profit, loss of reputation or goodwill, loss of production, loss of business or business opportunities, loss of income or anticipated savings, or loss of and/or damaged data or information. This applies regardless of how the damage or loss was caused (including damage or loss caused by negligence) and whether the damage was foreseeable or not at the time the Terms entered into force (even if Billit has been informed of the risk of such damage or loss).
Billit shall under no circumstances be liable for how the Customer has carried out its bookkeeping or for ensuring that the Customer's bookkeeping fulfils its bookkeeping obligations in accordance with applicable legislation in force from time to time.
The Customer is responsible for ensuring that accounting records (e.g. invoices and receipts) are handled in accordance with the requirements of the Swedish Bookkeeping Act (1999:1078) and other applicable legislation. If the Customer has uploaded accounting material in the Service, the Customer is responsible for saving the accounting material in the format in which it was received in accordance with the provisions of the Swedish Bookkeeping Act (1999:1078).
Billit is not responsible for ensuring that the interpretation of supplier invoices, proposed account coding and other accounting records are correct. Billit is also not responsible for errors attributable to the Customer, the User, or any other party for which Billit is not responsible.
Since Billit's services are dependent on the internet, problems with the internet such as interruptions, delays, bugs and similar obstacles between the Service and the User may cause the Service to malfunction. Since internet problems are beyond Billit's control, this does not constitute a defect in the Service and shall not be taken into account when calculating the Service's availability.
Billit is not responsible for interruptions, delays, bugs and similar obstacles that are beyond Billit's control and that cause a Customer's Subscription or Extra Service to malfunction. Such problems shall not be counted as a defect in the Service and shall not be taken into account when calculating the Service's availability. The Customer shall also have no right to a refund on account of a problem under this section.
Should liability for damages arise for Billit, Billit's liability shall, unless otherwise prescribed by mandatory law, be limited to 0.5 price base amount (prisbasbelopp), in accordance with the Swedish Social Insurance Code (2010:110), or its future equivalent.
To the extent that liability for damages or other liability arises for Billit beyond what is stated in the Terms due to negligence or wilful misconduct on the part of the Customer, the Customer shall indemnify and hold Billit harmless from liability, damages and losses, as well as from reasonable and verified costs and expenses (including legal costs).
Disclaimer of Defects
Unless otherwise prescribed by mandatory legislation, Billit makes no warranties that any of the Services provided by Billit will function without errors or that Billit or its servers are free from computer viruses or other harmful functions or mechanisms. If the use of the Services leads to loss of data or any other costs, Billit shall not be liable for such costs. The Services and their content are provided "as is" without any warranties of any kind. To the fullest extent permitted by law, Billit disclaims all warranties, express or implied, including warranties of merchantability, fitness for a particular purpose and non-infringement. Billit makes no warranties regarding the accuracy, reliability, completeness or timeliness of the Services, including their content, software, text, graphics and links.
Force Majeure
If Billit's performance of its obligations under the Terms is materially impeded or prevented due to circumstances beyond Billit's control and which Billit could not reasonably have been expected to have taken into account at the time the Terms entered into force and whose consequences Billit could not reasonably have avoided or overcome, such as, for example, general industrial action, war, fire, lightning, flood, pandemic, epidemic, quarantine, virus outbreak, terrorist attack, amended governmental regulations, governmental intervention, and errors or delays in services from subcontractors due to circumstances stated herein, this shall constitute grounds for relief entailing exemption from liability for damages and other remedies.
Intellectual Property Rights
Billit, or where applicable its licensors, holds all rights including intellectual property rights (including but not limited to patents, copyright, trademarks and know-how) attributable to Billit or the Services and the software included therein. Nothing in the Terms shall be construed as meaning that the rights referred to in this section 14.1, or any part thereof, are transferred to the Customer. The Customer shall, through the Terms, only receive the limited right of use of the Services as specifically set out herein.
Billit holds all rights including intellectual property rights (including but not limited to patents, copyright, trademarks and know-how) attributable to the development of the Services, which are carried out in connection with the fulfilment of Billit's obligations in relation to the Customer, regardless of whether such development is carried out on the instructions of or in accordance with instructions from the Customer or on Billit's own initiative. Such development shall form part of the Services and shall be subject to the provisions of the Terms. The Customer shall, through the Terms, only receive the limited right of use of such development as specifically set out herein.
In cases where rights, including intellectual property rights, in respect of the development of the Services under applicable mandatory law accrue to the Customer and section 14.2 therefore cannot be applied, Billit shall have a non-exclusive, royalty-free and perpetual right to reuse (including the right to freely use, develop, modify and license to third parties) the development in its business. In cases where the Customer plans to transfer the rights to a third party, the Customer undertakes to, before the rights are transferred to another party, give Billit the right to acquire the development at a reasonable price.
Assignment
The Customer undertakes not to wholly or partly assign its rights or obligations under the Terms without Billit's prior written consent.
Billit has the right to wholly or partly assign its rights or obligations under the Terms to another company within the same group as Billit. Billit also has the right to assign invoices, for example in connection with factoring and debt collection arrangements.
Amendments
Billit has the right to unilaterally amend the Terms by notifying the Customer. Such amendments to the Terms shall take effect no earlier than thirty (30) days from the date on which Billit has informed the Customer of the amendments.
Notices
Notices to the Customer will primarily be provided to the Customer via the Services and on Billit. It is the Customer's responsibility to use the Services to access notices. Billit assumes no responsibility for ensuring that the notice reaches the Customer.
The Customer is responsible for promptly updating its details in the event of a change of name, address, email, telephone or other details of importance for communication under the Terms. It is the Customer's responsibility to ensure that contact details are up to date and that the Customer accesses the communications that Billit may send via, for example, email.
If Billit has sent a notice to the Customer's most recently provided postal address, the notice shall be deemed to have reached the Customer no later than the seventh day after dispatch. A notice sent via the Services or to the Customer's provided email address shall be deemed to have reached the Customer immediately.
Severability
If a competent court, authority or arbitration tribunal finds that any provision of the Terms is invalid or unenforceable, the provision in question and all other provisions shall remain valid and enforceable to the extent permitted by applicable law, and the Parties shall negotiate in good faith with each other with the aim of agreeing on the necessary amendments to the Terms in order to maintain the structure, purpose and spirit of the Terms.
Processing of Personal Data
In connection with the provision of the Services, Billit will process personal data on behalf of the Customer. The Customer and Billit have therefore entered into a data processing agreement, see Appendix 1.
Billit's Privacy Policy, available at the following link, contains information about the personal data processing that Billit carries out for its own purposes and for which Billit is the data controller.
Customer's Data
Billit may not use the Customer's Data to any extent other than as set out in these Terms.
Access to the Customer's Data requires an active Subscription. In the event that the Customer intends to cancel a Subscription, it is the Customer's responsibility to export all of the Customer's Data from Billit. Export of the Customer's Data must be completed before the end of the Contract Period. Billit has no obligation and no responsibility to provide the Customer's Data to a Customer who no longer has a Subscription. Billit does, however, have an obligation to return the personal data that may be contained in the Customer's Data if the Customer, in connection with the termination of the Terms, expressly requests the return of personal data in accordance with the data processing agreement in Appendix 1.
Billit has the right during the Contract Period to use the Customer's Data for:
1. Operation, maintenance and development of the Platform and the Services;
2. Offering the Customer and third parties new services; and
3. Administration of customer contacts, support and tailored information about and marketing of Billit's services.
Billit has the right, both during and after the Contract Period, to compile, collect, copy, modify, publish, transfer, merge with other data and otherwise use anonymised and aggregated data generated from or based on the Customer's Data.
Billit reserves the right to store and process information from the Customer on a server that may be located outside the country in which the Customer conducts its business.
Billit may share the Customer's Data with Billit's affiliated companies, suppliers and/or partners in order to deliver the Services and fulfil the purposes of the Terms, including offering additional services, service improvements and complying with the rights and obligations in the Terms. Information may be shared with third parties as part of a commercial cooperation linked to the Services, for example in order to develop additional services.
Billit reserves the right to provide the Customer's Data to the Main Administrator or to another authorised representative of the Customer (following verified identification), regardless of the contractual structure, both during and after the Contract Period. After the Customer's Subscription has expired, Billit shall, however, have no obligation to provide the Customer's Data.
The Customer is the data controller for any personal data contained in the Customer's Data. Billit is only entitled to process such personal data in accordance with section 19.
Storage Service
Storage Service means that Billit, on behalf of the Customer, continues to store the Customer's Data for as long as the legislation requires the storage of accounting records.
To access the Customer's Data, the Customer must have a valid Subscription, i.e. purchase a Pricing Plan/Package for Billit's services.
The Storage Service is provided "as is" and with "existing availability". Billit makes no warranties of any kind or other commitments in relation to the Storage Service, including but not limited to warranties regarding suitability, quality, availability, reliability, fitness for purpose or infringement of third-party intellectual property rights. To the extent permitted by applicable legislation, Billit shall not be liable for any damage, loss or claim (direct or indirect) arising in connection with the Customer's use and Billit's provision of the Storage Service, regardless of how the damage or loss was caused.
Billit has the right to unilaterally at any time amend the provisions for the Storage Service, including but not limited to amendments regarding whether the Storage Service will continue to be provided free of charge indefinitely or not, by notifying the Customer's Main Administrator.
Billit has the right to terminate the Storage Service with immediate effect if the Customer or the case handlers breach these Terms. In the event that Billit chooses to terminate the Storage Service, the Customer will, via email to the Main Administrator, be informed thereof at least ten (10) business days in advance. Note that section 21.2, the requirement for a Subscription to access the Customer's Data, also applies in these cases.
Billit also has the right to terminate the Storage Service in the event that the Customer misuses the Storage Service as a means of circumventing the requirement to enter into a Subscription.
For information on Billit's right to use the Customer's Data, reference is made to section 20, and for information on the processing of personal data to section 19 and Appendix 1 (the data processing agreement).
Confidentiality
Each Party undertakes not to, during the Contract Period, without the other Party's written consent, disclose to any third party information (regardless of whether it is in oral, written, electronic or other form) about the other Party's business that may be considered a trade or professional secret, or otherwise use such information for any purpose other than the Party's performance of its obligations under the Terms. Information that a Party has designated as confidential shall always be regarded as a trade or professional secret.
The confidentiality obligation does not apply to information that a Party can demonstrate became known to it by means other than through the Parties' contractual relationship, including the use of the Services, or that is publicly known. The confidentiality obligation also does not apply where a Party is obliged by law, other regulation or governmental decision to disclose information.
Contract Period and Termination
If the Customer wishes to cancel a Subscription and/or an Add-on, such cancellation must be made no later than the day before a new Contract Period begins. If the Subscription is not cancelled no later than the day before a new Contract Period begins, the agreement is automatically renewed for the same period (one month or one year). The Customer is then obliged to pay for the entire next Contract Period. Cancellation of a Subscription does not constitute a termination of the Terms.
If the Customer no longer wishes to use Services provided within the framework of these Terms, the Customer may terminate the Terms to expire at the end of the Contract Period for the current Subscription with at least thirty (30) days' notice. If the Customer does not have an active Subscription, the Terms may be terminated with thirty (30) days' notice.
Billit has the right, without stating reasons, to terminate a Customer by sending an email to the Customer's Main Administrator thirty (30) days before a new Contract Period begins. In the event that the Customer or its case handlers have breached these Terms, Billit has the right to terminate the Terms with immediate effect.
Billit shall always have the right to terminate the Terms with immediate effect if:
1. The Customer or its management has been convicted of or is suspected of breaching local laws; or
2. The Customer or its management is or becomes subject to, or operates in a country that is or becomes subject to, the sanctions imposed by the EU or the UN from time to time.
If the Customer becomes insolvent, or transfers a substantial part of its assets for the benefit of creditors, or if the Customer commits or threatens Billit with illegal or abusive measures, Billit may suspend or restrict the Customer's and/or its case handlers' access until the matter is resolved. Billit reserves the right to terminate the Terms if the Customer does not rectify or correct its actions within a reasonable time.
Termination of the Terms shall never affect the Customer's payment obligations for a Subscription already entered into or for extra services. The Customer shall at all times pay all outstanding fees and only thereafter shall neither Party have any claims against the other Party as a result of the termination of the Terms.
Upon termination of the Terms, Billit will not store the Customer's Data in accordance with the provisions regarding the Storage Service (section 21).
Dispute Resolution and Applicable Law
Disputes arising out of the Terms shall be settled by the general courts.
The Terms, including section 24.1, shall be interpreted and applied in accordance with Swedish law, however without regard to such rules of private international law as would result in the application of the law of any other jurisdiction.
Appendix 1 – Data Processing Agreement
This data processing agreement (the "DPA") has been entered into between:
1. The Customer, being the Company that has engaged Billit for the provision of products and services, in accordance with the definition in the Terms regarding Billit's provision of products and services, (the "Data Controller"); and
2. Billit, with address Decoos Holding AB, Hyllie Kyrkoväg 53C, 216 1 Limhamn, Sweden, (the "Data Processor").
(each a "Party" and jointly the "Parties").
The Parties have agreed as follows:
Background
The Data Controller and the Data Processor have entered into one or more agreements (the "Agreements") governing the Data Processor's provision of products and services to the Data Controller. The Agreements entail that the Data Processor will Process Personal Data on behalf of the Data Controller.
Under Applicable Data Protection Legislation, the Processing of Personal Data carried out by a data processor on behalf of a data controller must be governed by an agreement. The Parties have therefore entered into this DPA as part of the Agreements in order to comply with the requirements set out in Applicable Data Protection Legislation.
This DPA is applicable to the extent that the Data Processor Processes Personal Data on behalf of the Data Controller but only covers Processing of Personal Data in accordance with the Data Controller's instructions in this DPA (including its appendices). Other Processing of Personal Data is not covered. This DPA supersedes previously entered into agreements and previous instructions regarding the Processing of Personal Data.
Definitions
The following definitions are used in this DPA:
"Applicable Data Protection Legislation" means all laws and regulations applicable within the EU/EEA from time to time that are applicable to the Processing of Personal Data within the scope of the DPA (including, but not limited to, Act (2018:218) with supplementary provisions to the EU Data Protection Regulation and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR")) as interpreted from time to time by the Court of Justice of the European Union or any other court with jurisdiction to establish precedent for such laws.
"Sub-processor" means any other data processor engaged by the Data Processor for the Processing of the Personal Data.
Other words and expressions with initial capitalisation in this DPA that are not defined above in section 2.1 shall have the same meaning as set out in the Agreements or as otherwise specified in this DPA. Other terms in this DPA shall be interpreted in accordance with the GDPR.
Processing of Personal Data
The Data Controller takes full responsibility for ensuring that the Processing of Personal Data is carried out in accordance with applicable law in force from time to time, including the obtaining of necessary licences, permissions or approvals for the Processing.
The Data Processor shall only Process the Personal Data in accordance with the documented instructions from the Data Controller as set out in Appendix 1.1 (the "Instruction"), including with regard to transfers of Personal Data to a third country or an international organisation, unless the Data Processor is required by EU law (including the laws of its Member States) to Process the Personal Data. In such cases, the Data Processor shall inform the Data Controller of the legal requirement before the Processing commences, to the extent permitted by applicable law.
The Instruction to this DPA sets out:
1. the type of Personal Data Processed under this DPA;
2. the categories of Data Subjects to whom the Personal Data relates; and
3. the nature and purpose of the Processing of Personal Data.
This DPA, including the Instruction, constitutes the Data Controller's complete instructions to the Data Processor for the Processing of Personal Data under this DPA.
The Data Processor shall immediately inform the Data Controller if the Data Processor considers that all or part of the Instruction is in breach of Applicable Data Protection Legislation. The Data Processor is not obliged to implement such an Instruction.
The Data Processor shall Process the Personal Data for the entire period required for the fulfilment of section 1.1 of this DPA.
The Data Processor shall ensure that all persons for whom the Data Processor is responsible and who Process Personal Data under this DPA have committed to observing confidentiality or are subject to an appropriate statutory duty of confidentiality.
Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller through appropriate technical and organisational measures, insofar as this is possible, so that the Data Controller can fulfil its obligation to respond to requests for the exercise of Data Subjects' rights under Applicable Data Protection Legislation.
Taking into account the nature of the Processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring that the Data Controller's obligations under Applicable Data Protection Legislation are fulfilled, including (where applicable) the Data Controller's obligation to (i) implement appropriate technical and organisational measures, (ii) report personal data breaches to the supervisory authority, (iii) inform Data Subjects of personal data breaches, (iv) carry out data protection impact assessments, and (v) consult with the competent supervisory authority prior to Processing.
The Data Processor shall, without undue delay, notify the Data Controller after becoming aware of a personal data breach. Such notification shall, taking into account the type of Processing and the information available to the Data Processor:
1. describe the nature of the personal data breach, and, where possible, the categories of and the approximate number of Data Subjects affected and the categories of and the approximate number of Personal Data records concerned;
2. describe the likely consequences of the personal data breach; and
3. describe the measures taken or proposed to be taken to address the personal data breach or mitigate its potential adverse effects.
If and to the extent that it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
If the Data Controller, in breach of Applicable Data Protection Legislation, does not inform the Data Subjects of a personal data breach and the supervisory authority orders the Data Processor to remedy the deficiency, the Data Controller shall reimburse the Data Processor's costs for complying with the supervisory authority's decision.
The Data Processor shall delete all Personal Data within 90 days from the expiry of this DPA's validity period. If the Data Controller so requests within the DPA's validity period, the Personal Data shall be returned to the Data Controller upon the expiry of the DPA and the Data Processor shall thereafter delete existing copies. Deletion shall, however, not take place if EU law (including the laws of its Member States) requires the storage of the Personal Data. The Data Processor's liability under this section 3.12 applies only to such responsibility for deletion and return of Personal Data as follows from Applicable Data Protection Legislation.
Security in Connection with Processing
The Data Processor shall implement appropriate technical and organisational security measures in accordance with Applicable Data Protection Legislation to ensure a level of security appropriate to the risk, and where appropriate: pseudonymisation and encryption of Personal Data; ensure that there is a procedure for regularly testing, examining and evaluating the effectiveness of the technical and organisational security measures intended to ensure the security of the Processing; maintain and update logs relating to Personal Data; establish and maintain an IT security policy; maintain a secure IT environment; and establish and maintain physical security measures and procedures; as well as notify the Data Controller of any attempted or successful unauthorised access to Personal Data (including loss or alteration of Personal Data).
The Data Processor is only responsible for implementing the appropriate technical and organisational security measures under section 4.1 that are within the Data Processor's actual control.
Audit (Review)
The Data Processor shall provide the Data Controller with access to all information necessary to demonstrate that the obligations under this DPA have been fulfilled. The Data Controller, or an auditor appointed by the Data Controller, shall have the right, no more than once per year, to carry out an audit, including inspections, during normal office hours, of the Data Processor's compliance with this DPA. Such an audit shall be preceded by at least thirty (30) days' prior written notice from the Data Controller, specifying the content and scope of the inspection. The purpose of such an audit is to verify that the Data Processor complies with the obligations set out in this DPA. The content and scope of an audit shall not exceed what is necessary having regard to the purpose of the audit. Unless otherwise agreed in writing between the Parties, an inspection may only be carried out if an audit under Applicable Data Protection Legislation cannot be fulfilled through the Data Processor's provision of information. All costs related to the audit shall be borne by the Data Controller. The Data Processor's reasonable costs in connection with the carrying out of such an audit may be charged to the Data Controller.
An audit under section 5.1 requires that the Data Controller, or the auditor appointed by the Data Controller, has entered into the necessary confidentiality undertakings and complies with the Data Processor's security regulations at the premises where the inspection is to take place, and that the inspection is carried out without unreasonably risking hindering the Data Processor's operations or jeopardising the protection of information relating to third parties. Information collected as part of the audit shall be immediately deleted upon completion of the inspection or as soon as the information is no longer required for the purpose of the audit.
Transfer of Personal Data to Countries Outside the EU/EEA
The Parties have agreed that Personal Data may be transferred by the Data Processor to Sub-processors in a country outside the EU/EEA. In the event of such a transfer, the Data Processor shall ensure that appropriate safeguards are in place for the transfer of the Personal Data in accordance with Applicable Data Protection Legislation. Such appropriate safeguards may include, but are not limited to, the Data Processor entering into binding agreements with Sub-processors in accordance with the European Commission's standard contractual clauses for the transfer of personal data to a country outside the EU/EEA. Transfer to a country outside the EU/EEA may also be based on a valid adequacy decision by the European Commission.
Confidentiality
The Data Processor undertakes not to disclose information about the Processing of Personal Data carried out under this DPA to third parties or otherwise reveal information received pursuant to this DPA. The confidentiality obligation does not apply to information that the Data Processor is obliged to disclose under EU law, national law within the EU or governmental decisions. In addition to this section 8, any confidentiality undertakings in the Agreements shall also be applicable. Upon the termination of this DPA, regardless of the reason therefor, this section 8 shall remain binding on the Parties.
Compensation
The Data Controller shall compensate the Data Processor for costs incurred for activities specified in this DPA that the Data Controller requests and which go beyond what can reasonably be expected of the Data Processor.
The Data Controller shall compensate the Data Processor for all reasonable costs incurred by the Data Processor as a result of amendments and/or additions to this DPA or the Instruction.
In addition to what is stated in sections 9.1 and 9.2, the Data Processor shall be entitled to separate compensation for obligations under this DPA to the extent specifically stated herein.
Liability towards Third Parties and Limitation of Liability
The Data Processor shall be liable for direct damage arising as a result of the Processing of Personal Data to the extent that the Data Processor acts outside or in breach of the Data Controller's lawful Instruction. In all other respects, the Data Controller shall be liable for all direct or indirect damage caused by the Processing of Personal Data under this DPA and in accordance with the Instruction that is in breach of applicable law. To the extent permitted by applicable law, the Data Processor's total liability for damage or loss (regardless of how the damage or loss was caused, including any damage or loss caused by negligence) under this DPA shall be limited in accordance with the limitations of liability set out in the Agreements.
Notwithstanding the foregoing, the Data Controller shall indemnify and hold the Data Processor harmless if and to the extent that the Data Processor is held liable by a Data Subject or third party for unauthorised or unlawful Processing of Personal Data, unless such liability has arisen as a result of the Data Processor's failure to fulfil the obligations under this DPA. The Data Controller shall also indemnify and hold the Data Processor harmless if and to the extent that the Data Processor is held liable by a Data Subject or third party for unauthorised or unlawful Processing of Personal Data if such liability has arisen as a result of the Instruction.
The limitation of the Parties' liability under section 10.1 above shall not apply to administrative fines imposed by the supervisory authority and/or court pursuant to Article 83 of the GDPR. Neither Party shall be entitled to compensation from the other Party for administrative fines that the Party becomes obliged to pay in accordance with a decision of the competent supervisory authority and/or court. The Parties acknowledge that they may each be held individually liable for administrative fines under Article 83 of the GDPR.
Upon the termination of this DPA, regardless of the reason therefor, this section 10 shall remain binding on the Parties.
Contract Period
This DPA shall remain in force for as long as the Data Processor processes Personal Data on behalf of the Data Controller under the terms of the Agreements.
Amendments and Additions
Amendments and additions to this DPA and/or the Instruction, including this section 12, must be made in writing and signed by both Parties in order to be binding.
If Applicable Data Protection Legislation is amended during the term of this DPA, or if the competent supervisory authority issues guidelines, decisions or regulations regarding the application of Applicable Data Protection Legislation that result in this DPA not meeting the requirements for data processing agreements, or if the Agreements are amended, this DPA shall be amended to accommodate such new or additional requirements and/or amendments.
Miscellaneous
This DPA constitutes the Parties' complete regulation of the subject matter of this DPA and supersedes all prior and contemporaneous negotiations and agreements, written as well as oral, between the Parties relating thereto. If the provisions of this DPA conflict with the provisions of any other agreement between the Parties, the provisions of this DPA shall prevail. The foregoing shall not, however, apply to provisions in a subsequently entered into agreement that are expressly stated to take precedence over the provisions of this DPA.
In addition to this DPA, all relevant provisions of the Agreements shall also apply to the Data Processor's Processing of Personal Data. If this DPA and the Agreements contain conflicting provisions relating to the Processing of Personal Data, the provisions of this DPA shall prevail.
Dispute Resolution and Applicable Law
This DPA shall be interpreted and applied in accordance with Swedish law, however with the exception of such rules of private international law as would result in the application of the law of any other jurisdiction.
Disputes arising out of this DPA shall be finally settled in accordance with the dispute resolution provisions of the Agreements.
Appendix 1.1 – Instruction for the Processing of Personal Data
1. Type of Personal Data
The Data Processor will Process the following types of Personal Data:
(1) contact information such as name, address, telephone number, email addresses, IP addresses and user agents;
(2) employment information such as employee number, department affiliation, position and period of employment;
(3) health and absence information, e.g. medical certificates and information about sick leave, leave of absence or parental leave;
(4) information about membership in the Church of Sweden (church tax);
(5) personal identity number/coordination number;
(6) information about financial circumstances such as bank account details, information about salary and other benefits, insurance details, vehicle details, bank account numbers;
(7) payroll details (payroll records).
2. Categories of Data Subjects
The Personal Data relates to the following categories of Data Subjects:
(1) The Data Controller's representatives and employees;
(2) The Data Controller's consultants;
(3) The Data Controller's customers and suppliers;
(4) The employees of the Data Controller's customers and suppliers.
3. Nature and Purpose of the Processing
The Personal Data shall be Processed in order to provide services in accordance with the Agreements.
4. Location of Processing
The Data Processor will Process Personal Data in the following countries outside the EU/EEA:
(a) USA.
6. Approved Sub-processors
The Data Controller hereby grants the Data Processor a general approval to engage Sub-processors.