Terms of Service

Updated: 20th of July, 2024

These terms form a binding agreement between you, or the entity you represent, on the one hand as the Client, and 365Sentri on the other hand as the Service Provider. Please read these Terms carefully before subscribing to or using any Services. These terms become binding either upon express acceptance or indirect acceptance by commencing the use of the services.

1. Definitions and Interpretation


1.1 The following capitalised terms and acronyms shall have the meanings assigned to them below, unless the context requires otherwise:

1.1.1 Account means the central means of access to the Platform;

1.1.2 Affiliate means an entity that is (a) directly or indirectly owning or controlling a Party; (b) under the same direct or indirect ownership or control as a Party; or (c) directly or indirectly controlled by a Party; for so long as such ownership or control lasts. Ownership or control shall exist through direct or indirect ownership of fifty per cent (50%) or more of the nominal value of the issued equity share capital or of fifty per cent (50%) or more of the shares entitling the holders to vote for the election of the members of the board of directors or persons performing similar functions;

1.1.3 Applicable Laws means all local, state, national, and international laws, regulations, and treaties that apply to the Parties. This includes, without limitation, all forms of statutes, regulations, judgments, injunctions, orders, and decrees, as well as any governmental authorisations, licenses, and permits;

1.1.4 Client means the entity identified in the Order that is purchasing Services from the Service Provider;

1.1.5 Client Data means all data, information, and materials provided, disclosed, or submitted by or on behalf of the Client to the Service Provider in connection with these Terms. This includes, but is not limited to, personal data, confidential business information, customer details, technical data, and any other information provided by the Client for the purpose of enabling the Service Provider to perform its obligations under these Terms or as otherwise agreed upon by the Parties;

1.1.6 Confidential Information means the data and documentation related to the businesses and clients of the Party and its Affiliates, including know-how and all other specifications, trade secrets, technical information, software, models, designs, business information, unpatented technology, research information, statistical information and analyses, information on methods, processes and facilities related either to any software or business activities of any of the Parties. For the avoidance of doubt, client information shall be deemed to be confidential. However, information that was in the possession of the disclosing Party without an obligation of confidentiality, before its disclosure and information that is generally available to the public shall not be deemed confidential;

1.1.7 Documentation means manuals, user guides, technical documentation, and any other relevant material related to the Services provided by the Service Provider to the Client;

1.1.8 Effective Date means the date when these Terms take effect between the Client and the Service Provider as identified in the Order;

1.1.9 Fees means the service or other fees payable by the Client in consideration for the Services;

1.1.10 Force Majeure Event means unforeseeable circumstances which the Party, who has violated the obligation, is unable to control and the prevention of which by the same cannot be expected proceeding from the principle of reasonableness. Force majeure events include but are not limited to severe acts of nature, war, riot, acts of terrorism, the activities of public authorities (e.g. the state, local government) and other circumstances independent of the parties (e.g. strike, the general failure of the computer system, failure of communications lines or power failure, denial-of-service attack);

1.1.11 GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as well as other applicable data protection laws;

1.1.12 Intellectual Property Rights or IPR means all intellectual and industrial property rights and similar rights of whatever nature anywhere in the world whether currently existing or coming into existence in the future, whether recorded or registered in any manner or otherwise, including (but not limited to) any copyrights and related rights, industrial design rights and other design rights, registered designs, patents, utility models, inventions (whether or not patentable), trademarks, service marks, database and software rights, rights to layout-designs of integrated circuits, trade secrets, know-how, confidential information, business names, trade names, brand names, domain names and all other legal rights anywhere in the world protecting such property including, where applicable, all renewals, extensions and applications for registration, the right to apply for registration, and the right to sue for damages for past and then-current infringement in respect of any of the same;

1.1.13 Order means the document agreed upon by the Client and the Service Provider upon the initial paid or free subscription and which may be amended from time to time. The order document details the specific subscription terms, e.g. specific services, chosen options, and payment terms;

1.1.14 Party, Parties means the Client and the Service Provider separately or together;

1.1.15 Personal Data means any information relating to an identified or identifiable natural person defined in the GDPR;

1.1.16 Platform means the web-based Microsoft 365 tenant configuration and management platform provided by the Service Provider;

1.1.17 Services means all services provided by the Service Provider to the Client under these Terms, including the Platform, the exact scope of which is chosen by the Client upon subscribing to the Services in the Order, which may be amended from time to time;

1.1.18 Term means the period for which these Terms stay in effect, provided in Section 11.1;

1.1.19 Terms mean these terms of use, the Order, any annexes, and other accompanying documentation which applies directly to the provision of the Services;

1.1.20 Trial Version means a version of the Platform used only to review, test, and evaluate it for a limited period, which may have limited features and will cease operating after a predetermined amount of time;

1.1.21 User means any individual who is authorised by the Client to access and use the Platform under these Terms. This includes, but is not limited to, the Client’s employees, representatives, consultants, contractors, agents, or other entities authorised by the Client.

2. Access To and the Use of the Platform


2.1 Subject to payment of all applicable Fees as well as all limitations and restrictions contained herein, the Service Provider grants the Client a non-exclusive, non-sublicensable, and non-transferable subscription right to access and use the Platform and the Documentation for the Term. The Client may use the Platform solely for its internal business purposes, specifically for the purposes of:

2.1.1 accessing and using the Platform via a web interface; 

2.1.2 accessing and using the Platform via API endpoints if API usage rights apply for the Client, in which case separate API usage terms may apply; and 

2.1.3 managing Users’ access to the Platform.

2.2 The Client shall have the right to manage User accounts; the users are permitted to access the Platform subject to User rights assigned to them by the Client. The Client agrees and acknowledges that they approve all creation, designation, and termination of User accounts.

2.3 The Client is responsible for keeping the Account secure while using the Platform. The Client is solely responsible for all Client Data uploaded and all activity that occurs under the Account. The Client will promptly notify the Service Provider if the Client becomes aware of any unauthorised use of, or access to, the Platform through the Account. 

2.4 The Client may have an unlimited number of Microsoft 365 active Users within the Account. The Services are however limited to be used by only one or more Microsoft production tenants, as chosen by the Client upon subscribing. If the Client wishes to amend the number of Microsoft production tenants, it must submit a request to change the subscription. 

2.5 The Client shall use the Platform only in accordance with these Terms and Applicable Laws. Unless expressly otherwise agreed upon between the Parties, the Client shall not: 

2.5.1 modify, copy, enhance, improve, alter, reverse engineer, decompile, disassemble, deconstruct, translate, decrypt, reverse compile or convert into human readable form the Platform or any part thereof, except to the extent permitted by Applicable Laws;  

2.5.2 work around any technical limitations of the Platform or restrictions in the product documentation of the Platform;

2.5.3 remove, deface, cover or otherwise obscure any proprietary rights notice or identification from the Services or documentation of the Platform (including without limitation any copyright notice);

2.5.4 use the Platform in any way that is or may be unlawful, illegal, fraudulent, harmful or in connection with any unlawful, illegal, fraudulent or harmful purpose or activity;

2.5.5 transmit malware to the Platform or use the Platform maliciously; or

2.5.6 authorise or permit any third party to engage in the aforementioned activities. 

2.6 The Service Provider may improve, alter, enhance, or add additional features to the Platform, provided that the changes do not materially adversely affect the Client. The Client agrees that its continued usage of the Platform constitutes a binding acceptance of the altered Platform and that it is not bound by the description and functionalities at the time of subscribing. The Client further agrees that no written or oral statements about future functionalities or developments of the Platform are binding and such information cannot be relied upon. 

3. Intellectual Property Rights 


3.1 All IPR to the Services, especially the Platform, including its components, any upgrades, additions, corrections, improvements, and any other proprietary software made available by the Service Provider to the Client will at all times remain the sole property of the Service Provider or its licensors. These Terms do not transfer or convey any IPR from the Service Provider to the Client, nor do they grant the Client any rights in or to the Service Provider’s IPR.

3.2 The Parties acknowledge and agree that the Client and/or its Affiliates shall retain sole ownership of all IPR in and to the Client Data. These Terms do not constitute a transfer of any IPR over the Client Data from the Client to the Service Provider. The Service Provider is authorised to use the Client Data exclusively for the purpose of rendering the Services as stipulated in these Terms. Any such use shall be in compliance with these Terms, the GDPR, and the Service Provider’s privacy policy. The Service Provider acknowledges that it has no right to disclose, replicate, or use the Client Data for any purpose other than as expressly permitted in these Terms and the Data Processing Agreement.

4. Fees


4.1 The Client shall pay to the Service Provider as consideration for the Services the advance payment Fees specified in an Order, as it may be amended from time to time. The Fees cover the total fees for all Services to be performed under these Terms unless the Parties agree on additional fees payable by the Client for ancillary services. The pricing is modular and the Client may upgrade their subscription at any time via the Platform. Any modifications to an Order, inclusive of adjustments to Fees, shall take effect at the commencement of the subsequent billing cycle, whether monthly or annual.

4.2 All Fees are exclusive of ancillary fees and taxes. If VAT or any other taxes are applicable to any Fee, such taxes shall be added to the respective automatically issued invoice pertaining to the relevant Fee. The Service Provider shall issue automatic invoices to the Client per the applicable Fees.  

4.3 The Fee shall be deemed to be paid if such Fee is credited to the Service Provider’s bank account. The Client shall pay any additional costs required for payment of the Fee, such as bank transfer fees. The Service Provider may use a third-party payment processor for handling Fees. If the processing of the payment is cancelled for any reason, the Client shall bear the responsibility for duly executing the payment at the earliest opportunity. The Service Provider reserves the right to restrict or limit the Client’s access to the Platform and it does not have the obligation to provide Services to the Client for the duration that the Client is in delay with any payment; the Client is deemed as not having paid for the Services for this period.

4.4 Payments shall be automatically charged to the Client’s credit card on a recurring basis using the designated payment provider. The charge will occur without any required action by the Client once the credit card information is on file with the Service Provider. 

4.5 Except as otherwise expressly provided in these Terms, all Fees are non-refundable, non-cancellable, and non-creditable. 

4.6 The Service Provider reserves the right to adjust the Fee rates and amend the Terms at its discretion at any time. In the event of such an adjustment, the Service Provider is obligated to provide the Client with a written notice at least 30 days prior to the implementation of the new rates and amended Terms. Should the Client find the revised Fee amount and the amended Terms unacceptable, it retains the right to terminate these Terms by unsubscribing from the Platform via the Account. The Client’s ongoing payment for the Platform after the effective date of the new Fee rates and amended Terms shall be deemed as the Client’s acceptance of the said adjustment and shall be binding. 

5. Support 


5.1 The Service Provider commits to providing support to the Client for issues relating to setup, functionality, and technical issues related to the Services. The Client may submit support requests to the Service Provider, who will respond to the Client’s request according to reasonable effort.

5.2 Support will, however, not entail issues related to or resulting from: 

5.2.1 using the Services in a way that breaches these Terms; or 

5.2.2 any integrations or services that make the Services available. 

5.3 The Service Provider may perform scheduled maintenance to ensure the continued operation of the Platform. Maintenance may result in temporary interruptions in the accessibility of the Platform. The Service Provider will give the Client a reasonable advance notice before conducting scheduled maintenance.  

5.4 The Service Provider shall make a reasonable effort to keep unscheduled maintenance at a minimum. However, some critical issues may necessitate extraordinary maintenance, in which case the Service Provider will notify the Client of the estimated time of resuming access to the Platform. 

6. Confidentiality 


6.1 The Parties shall maintain and keep confidential and shall not disclose directly or indirectly to any third party the other Party’s Confidential Information and shall prevent the third parties’ access to such information. Either Party shall:

6.1.1 use Confidential Information only for performing their obligations under the Terms; 

6.1.2 treat all Confidential Information as being strictly confidential and implement and maintain all such technical and organisational security measures as may be reasonably available (having regard to technical developments at the time) and as are appropriate in the circumstances to protect Confidential Information against unauthorised or unlawful processing, accidental loss, distribution or damage; 

6.1.3 not, without the express prior written consent of the disclosing Party, disclose any Confidential Information to any person other than its advisers and members of governing bodies, directors, officers, members, employees, agents, managers, consultants, and individuals required to perform these Terms, and will ensure that all those to whom Confidential Information is disclosed are aware of and observe the obligations laid out in these Terms in all respects as if they were a party to these Terms; 

6.1.4 not, without the disclosing Party’s prior written consent, use Confidential Information for its advantage, commercial or otherwise. 

6.2 Notwithstanding the foregoing, disclosure of Confidential Information is not considered a breach of these Terms if the receiving Party is required to disclose it by applicable law or a court of competent jurisdiction, but only to the minimum extent of such requirement. 

6.3 In case of any reasonable doubt, whether the particular information shall be treated as Confidential Information and whether and to what extent it might be disclosed to third parties, the Parties shall consider such information as Confidential Information. 

6.4 The disclosing Party makes no representation or warranty as to the accuracy, completeness or otherwise of Confidential Information supplied, and the receiving Party agrees that it is responsible for making its own evaluation of such information.  

6.5 Upon termination of these Terms, each Party shall: 

6.5.1 return to the other Party all documents and materials (and any copies) containing, reflecting, incorporating or based on the other Party’s Confidential Information; and 

6.5.2 erase all the other Party’s Confidential Information from computer and communications systems and devices used by it, including such systems and data storage services provided by third parties (to the extent technically practicable). 

6.6 The confidentiality obligation in this Section 6 shall remain effective for an indefinite term after the termination of these Terms due to whatever reason. 

7. Indemnification 


7.1 The Service Provider shall defend and indemnify at its own expense the Client against claims and actions that the use of the Services infringes the IPR of a third party (the IPR Claim), provided that the Client notifies the Service Provider without delay, in writing, after becoming aware of such claims, permits the Service Provider to independently defend or settle the claims, gives the Service Provider all reasonably necessary information and assistance available and all necessary authorisations and does not agree to the settlement of any such claim prior to a final judgment thereon, or make any admission in relation to the claim, without the prior written consent of the Service Provider. The Service Provider shall, to the extent possible, endeavour to protect the goodwill and reputation of the Client in connection with such claims. The Service Provider shall, however, not have any liability nor indemnification obligations toward any IPR Claim that results from: (i) the Client’s non-compliance with applicable laws; (ii) Client Data; or (iii) using the Services in breach of these Terms.

7.2 The Client shall defend and indemnify the Service Provider, its Affiliates, licensors, employees, service providers, and agents from and against any losses, damages, fines, and costs awarded to or claimed by a third party in relation to: (i) the use of the Services, excluding for IPR Claims; (ii) Client Data; (iii) any legal action by the Client’s customers in connection with a breach of an agreement between the Client and its customers; or (iv) non-compliance with international or domestic standards or laws.

7.3 The indemnified party shall provide: (i) prompt written notice of any claim subject to indemnification under this Section 7 (each, a Claim); (ii) the indemnifying party with sole control over the defence or settlement of such Claim; provided, that the indemnifying party will not settle any Claim or consent to any final judgment with respect to any Claim, without the indemnified party’s prior written consent; and (iii) all reasonable information and assistance to settle or defend any such Claim. The failure of an indemnified party to comply with the foregoing requirements shall not relieve the indemnifying party of its obligations under this Section except to the extent the indemnifying party is prejudiced by such failure. 

7.4 This Section 7 states the entire liability of the Service Provider and the Client’s sole and exclusive remedies for any IPR Claim. The Service Provider shall indemnify the Client and pay all direct damages, costs and expenses (including reasonable legal costs and expenses) awarded against or incurred by the Client as a result of any IPR Claim but shall not be responsible under this indemnity for any settlement or compromise made by the Client without its consent. 

8. Limitations of Liability 


8.1 Neither Party shall be liable to the other Party for any loss of profits, use, goodwill, revenue, or profits or for any incidental, indirect, special, consequential, or exemplary damages. However, neither Party limits its liability for causing death or personal injury, fraud, and any other act, error, or omission, for which liability may not be limited under Applicable Laws.

8.2 The Service Provider shall not be liable for any errors, unavailability, or malfunctions of the Platform that result from actions or omissions not attributable to the Service Provider, including: 

8.2.1 Force Majeure Events; 

8.2.2 the fault or failure of computer systems or networks (including fault or failure of the internet or any public telecommunications network, network overload, disturbances or malfunctions); 

8.2.3 third party integrations or the software or systems that make the Platform available;  

8.2.4 loss, alteration, or unauthorised access to the Client Data; or 

8.2.5 any errors, bugs or any inappropriate functioning or malfunctioning of the Platform which results from any changes or modifications to the Platform made by the Client or any third party acting on behalf of the Client. 

8.3 Without limiting the above, the Service Provider’s liability shall be strictly limited to damages arising directly from its own wilful misconduct. The Service Provider shall not be liable for any acts, errors, or omissions that do not constitute wilful misconduct as defined under Applicable Laws. The Service Provider is also not liable for any damages suffered by third parties. 

8.4 Should the Service Provider fail to uphold the uptime for the Platform at levels consistent with prevailing market standards, the Client shall be eligible to receive service credits or a discount. The amount and form of such compensation shall be determined exclusively by the Service Provider and applied to the Fee due for the subsequent billing period. 

8.5 The Service Provider’s liability is limited whether or not the Service Provider has been informed of the possibility of such damages, even if a remedy set forth in the Terms is found to have failed its essential purpose. The Service Provider will have no liability for any failure or delay due to matters beyond the Service Provider’s reasonable control. Subject to Sections 8.1 and 8.2, the maximum aggregate liability of the Service Provider shall in no event exceed the amount that is equal to the Fees the Client paid to the Service Provider in the course of the previous three months from the occurrence of the event that resulted in the Service Provider’s liability, or if fewer than three months have passed since the Effective Date, 100% of the Fees attributable to the full calendar months that have passed since the Effective Date.  

9. Representations and Warranties 


9.1 The Services, including the Platform, are provided “as is” and, except as expressly set forth in these Terms, without any warranties or representations of any kind, either express or implied. The Service Provider specifically disclaims all implied warranties, including but not limited to warranties of merchantability, non-infringement, and fitness for a particular purpose. Furthermore, the Service Provider makes no warranties or representations regarding the use of the Services, or results obtained or intended to be obtained in the course of using the Services. The Client acknowledges that it has relied on no warranties other than the express warranties in these Terms and that no warranties are made by any of the Service Provider’s agents, employees, or representatives.

9.2 The Client acknowledges and agrees that, while the Service Provider endeavours to deliver high-quality services, no software service can be guaranteed to be completely free from bugs or errors. Accordingly, the Service Provider does not represent or warrant that the Platform will operate with 100% uptime or be entirely free from bugs and errors. Furthermore, the Service Provider disclaims any warranties regarding the acts and omissions of third-party vendors and hosting partners, including but not limited to their ability to provide the necessary hardware, software, networking, storage, and related technology required to deliver the Platform.

10. Notices and Communications 


10.1 Any notices, requests, or other communications to be given or made under these Terms to a Party shall be directed to the respective designated contact person(s) indicated in an Order or otherwise agreed upon. Each Party is obliged to promptly notify the other of any changes in their designated contact person(s).

10.2 All documents to be furnished or communications to be given or made under these Terms shall be at least in a form that can be reproduced in writing and in the English language unless the Parties agree otherwise. 

11. Term and Termination 


11.1 These Terms shall become effective and binding upon the Parties as of the date of submitting and accepting the Order. Unless the Parties agree otherwise, these Terms are concluded for an initial term of 1 (one) month or as specified in the Order (the Initial Term). These Terms are also subject to a renewal period of 1 (one) month or as specified in the Order (the Renewal Period) and unless the Parties terminate the Terms or expressly agree otherwise, the Terms will automatically renew for the Renewal Period at the end of the Initial Term and the end of each subsequent Renewal Period.

11.2 The Client is entitled to terminate these Terms and unsubscribe from the Platform at their discretion, without the need to provide any reason for such termination. Such termination by the Client shall be effective commencing at the start of the subsequent billing cycle following the Client’s notice of termination. Upon the Client’s termination of this Agreement, no refunds shall be issued for any Fees previously paid by the Client for the current billing period during which termination occurs. 

11.3 The Service Provider may terminate these Terms and the Client’s access to the Platform for any reason with immediate effect. If the Service Provider terminates these Terms and the Client’s access to the Platform without any cause, it refunds the Client for the duration of the subscription that remains unused due to the Terms being terminated. 

11.4 Termination of the Terms does not release the Parties from their outstanding obligations arising from the Terms and does not affect the rights or remedies of a Party arising out of breach of the Terms. 

11.5 Termination of these Terms shall, however, not affect the validity of such terms which by their nature survive the termination of these Terms. 

12. Final Provisions 


12.1 The Service Provider is an independent contractor and nothing in the Terms shall render the Service Provider an agent, affiliate, or broker to the Client, and the Service Provider shall not present themselves towards third persons as such.

12.2 The Client may not transfer or otherwise assign any of their rights or obligations arising from the Terms to a third party without the prior written consent of the Service Provider. 

12.3 If any provision of the Terms is held invalid or unenforceable, the remaining provisions will remain in full force and effect.  

12.4 These Terms are governed by and construed in accordance with the laws of the Republic of Estonia. 

12.5 The Parties shall endeavour to settle amicably and in good faith any dispute that emerges from or relates to these Terms, including matters of existence, validity, or termination. Should such disputes prove to be immune to resolution through mutual negotiations, the Parties agree to submit the matter to the exclusive jurisdiction of Harju County Court in Tallinn, which shall serve as the court of first instance. 

ANNEX 1.

DATA PROCESSING AGREEMENT

This Data Processing Agreement and its Schedules (the DPA) reflects the Parties’ agreement with respect to the Processing of Personal Data by the Service Provider on behalf of the Client in connection with providing the Services under the Terms between the Parties.

This DPA is supplemental to, and forms an integral part of, the Terms and is effective upon its incorporation into the Terms. The term and expiry of this DPA will follow the term set forth in the Terms. In case of any conflict or inconsistency with the provisions of the Terms, this DPA will take precedence over the provisions of the Terms to the extent of such conflict or inconsistency.

1. Definitions 


1.1 In this DPA, Data Protection Laws means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (the GDPR) and any national laws implementing or supplementing the same and any updated, additional, modified or replacement laws, provisions, directives, guidance or regulations thereto even as may be promulgated after the effective date of this DPA.

1.2 The capitalised terms used in this DPA shall have the meaning given to them in the GDPR or applicable Data Protection Laws. Any other capitalised terms shall have the meaning given to them in the Terms. 

2. Subject Matter 


2.1 The Service Provider provides services to the Client on the basis of the Terms agreed upon between the Parties. The Client as the Controller hereby authorises the Service Provider as the Processor to process Personal Data in accordance with this DPA and its Schedules.

2.2 Subject matter of the DPA, type and purpose of the data Processing, types of Personal Data and categories of Data Subjects are described in Schedule 1 to this DPA. 

2.3 This DPA shall, unless otherwise agreed upon by the Parties, apply as long as the Service Provider processes Personal Data on behalf of the Client.

3. Processing of Data Bound by Instructions 


3.1 The Parties acknowledge that, in relation to this DPA, the Client has provided the Service Provider with the instructions for processing Personal Data as set out in Schedule 1.

3.2 The Client further acknowledges that no data processing shall occur outside of the scope laid out in Schedule 1, unless required to do so by Union or Member State law to which the Service Provider is subject; in such a case, the Service Provider shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4. Obligations of the Client 


4.1 The Client bears primary responsibility for ensuring that processing activities under this DPA are done in accordance with any Data Protection Laws.

4.2 The Client is responsible for: 

4.2.1 providing the Service Provider with the relevant instructions, specified in Schedule 1 of this DPA; 

4.2.2 maintaining a record of processing under its responsibility; 

4.2.3 implementing, reviewing and updating, either directly or through its service providers, appropriate technical and organisational measures to ensure an adequate level of protection of Personal Data;

4.2.4 the transparency and information provided to its customers in its service terms, privacy policies and contracts regarding the details of the services provided by the Service Provider. 

5. Obligations of the Service Provider 


5.1
The Service Provider shall only process Personal Data entrusted by the Client and exclusively in accordance with the Client’s instructions and for the specific purposes described in Schedule 1 of this DPA. 

5.2 Where the Service Provider considers that the Client’s instructions infringe the Data Protection Laws, the Service Provider shall inform the Client without undue delay. 

5.3 The Service Provider is responsible for: 

5.3.1 ensuring strict confidentiality of the Personal Data and imposing confidentiality obligations, under an appropriate statutory obligation of confidentiality, on all persons authorised to process the Personal Data (employees, consultants, subprocessors, etc.); 

5.3.2 ensuring that persons acting under its authority only process Personal Data according to instructions from the Client, unless the person is required to do so by Union or Member State law; 

5.3.3 properly documenting any act of Personal Data Processing carried out when providing the services; 

5.3.4 ensuring the security of the Personal Data it processes by implementing appropriate technical and organisational measures as required by article 32 of the GDPR or any other applicable Data Protection Laws and taking into account the state of the art, the appropriate standards, the costs of implementation as further described in the Terms in relation to the services performed by the Service Provider and the nature and associated risks of the processing of Personal Data; 

5.3.5 assisting the Client for the fulfilment of its obligations to respond to data subject requests. For the avoidance of doubt, the Service Provider shall not itself respond to any data subject requests, unless expressly required by applicable law; 

5.3.6 notifying the Client about any Personal Data Breach in accordance with this DPA. 

6. Engaging Another Processor 


6.1
The Service Provider may engage Subprocessors listed in Schedule 3. The Client gives the authorisation of engaging these Subprocessors. The Service Provider shall inform the Client of any intended changes concerning the addition or replacement of Subprocessors by updating Schedule 3. 

6.2 The Service Provider shall impose on the Subprocessors the same data protection obligations which are set out in this DPA. Where the Subprocessor fails to comply with the data protection obligations set out in this DPA, the Service Provider shall remain fully liable to the Client for compliance with the data protection obligations of the Subprocessor. 

6.3 The Service Provider shall properly verify compliance with the data protection obligations by the engaged Subprocessor on a regular basis. 

7. Transfer of Personal Data 


7.1
Any transfer into a third country (incl. giving access to personal data) either by the Service Provider itself or any Subprocessor is subject to prior written approval, including in electronic form, by the Client. The Client gives the authorisation for third-country transfers to engaged Subprocessors, which are listed in Schedule 3. 

7.2 Where personal data is transferred from the Service Provider located in the European Union (EU) or the European Economic Area (EEA) to a Subprocessor located in a country not recognised by the European Commission as providing an adequate level of protection for personal data, the Client appoints the Service Provider and the Service Provider assures to enter into the EU Standard Contractual Clauses on the Client’s behalf with such Subprocessor based outside of the EEA or the EU. The Client will accede to these Standard Contractual Clauses concluded between the Service Provider and the Subprocessor. 

8. Cooperation and Support Obligations 


8.1
The Service Provider assists the Client with all necessary and economically appropriate means as well as by appropriate TOMs for the fulfilment of the Client’s obligation to respond to requests for exercising the Data Subjects’ rights. 

8.2 Direct communication with the Data Subject shall only take place with the prior written permission of the Client. The Service Provider shall forward all inquiries related to the Data Subjects’ rights to the Client without undue delay. 

9. Assistance in Ensuring Compliance with the Obligations of the Client 


9.1
The Service Provider is aware that in case of a Personal Data Breach, the Client must notify the Personal Data Breach to the supervisory authority and/or the Data Subject without undue delay and, where feasible, not later than 72 hours after having become aware of the Personal Data Breach. In the event of a Personal Data Breach, the Service Provider will support the Client by all necessary and economically reasonable means in performing its notification duties pursuant to Art. 28 (3) (f) GDPR. The Service Provider will inform the Client of any Personal Data Breach as well as suspected cases and provide at least the following information:

9.1.1 the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and of Personal Data records concerned; 

9.1.2 the name and contact details of the data protection officer or another contact point, where more information can be obtained; 

9.1.3 the likely consequences of the Personal Data Breach; 

9.1.4 the measures taken or proposed to be taken by the Client to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. 

10. Deletion and Return of Personal Data 


10.1
Upon expiration of the services provided under the Terms, or as the case may be, where no further processing is required, the Service Provider shall, at the Client’s choice, either delete, anonymise or return all Personal Data, provided there is no legal obligation to keep records for retention periods set by Schedule 2 to this DPA or any applicable law. In this latter case, the Service Provider shall ensure the confidentiality and security of the Personal Data.

11. Demonstrating Compliance with the Obligations and Contributing to Audits 


11.1
The Service Provider makes available to the Client all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR. 

11.2 The Service Provider undertakes to assist the Client in accordance with applicable Data Protection Laws on queries by the Client, the Client’s auditors or supervisory authorities for audits or inspections. Such assistance is subject to the audit conditions already provided in the contractual documentation or, if these do not already exist, with the Service Provider’s internal audit protocols and procedures. The Service Provider may invoice the Client with all related reasonable costs and expenses.

12. Further Obligations 


12.1
In the event of suspicion of violations of the data protection obligations or other data breaches or complaints regarding the processing of Personal Data or resulting from inspections or other measures taken by the supervisory authorities, the Client shall be immediately notified. 

12.2 Where required by law, the Service Provider shall appoint in writing a data protection officer according to Art. 37 GDPR and a representative according to Art. 27 GDPR.

13. Liability 


13.1
Either Party’s liability for one or more breaches of this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms. The relevant Party’s liability for a breach of this DPA shall in no event exceed the liability cap set forth in the Terms, if applicable. Neither Party shall however limit or exclude its liability that cannot be limited or excluded, including under Data Protection Laws. 

14. Indemnity 


14.1
The Client will indemnify, keep indemnified and hold harmless the Service Provider, its clients, officers, directors, employees, agents, representatives, and affiliates (each an Indemnified Party) from and against all third-party loss, harm, cost (including reasonable legal fees and expenses), expense and liability that an Indemnified Party may suffer or incur as a result of the Client’s non-compliance with the requirements of this DPA.

15. Other Provisions 


15.1
The Parties shall keep confidential all business secrets and data security measures they gain knowledge of in the context of the contractual relationship. Business secrets are all (but not limited to) business-related facts, circumstances and activities which are not generally accessible, but only accessible to a limited group of persons unless the Service Provider has no legitimate interest in non-proliferation. Data security measures are all TOMs taken by one contracting party. This obligation of secrecy remains effective after the termination of this DPA.

15.2 In the event of contradictions, inconsistencies, or discrepancies between this DPA and the Terms, the provisions of this DPA shall take precedence over the provisions of the Terms. Furthermore, the provisions of the standard contractual clauses/standard data protection clauses shall take precedence, if applicable. 

15.3 Should any of the provisions of this DPA be or become invalid, the remaining provisions shall remain valid and unaffected. 

15.4 Any modification of this DPA, including its termination, must be in a written form. 

15.5 Irrespective of the provisions concerning the duration of the DPA, both Parties shall be entitled to termination upon good cause in the event of serious violations of the data protection provisions laid down in this DPA. 

Schedule 1. Subject Matter of this DPA

1. Parties

| Party | Details |
|---|---|
| The Client | The Client, as defined in the Terms, a Microsoft partner, provides support services for Tenants and is the Data Processor. |
| The Service Provider | The Service Provider, as defined in the Terms, provides the Services for the Client and is the Subprocessor. |
| Microsoft | Microsoft 365 services are provided by Microsoft Corporation. Microsoft processes personal data as a Data Processor on behalf of the Tenant (who is the Data Controller) according to their instructions. |
| Tenant | The Data Controller for end-user personal data that is processed on Microsoft 365. |
| End-User | The data subject of the Tenant (e.g. employees, students, consultants) who are assigned a user account in the Microsoft 365 services. |

2. Nature, Purpose, and Subject Matter of Data Processing 

| Aspect | Description |
|---|---|
| Nature of Processing | The Service Provider is optimising operations, bolstering security, and elevating service delivery with the Platform, in the course of which it has access to End-User personal data. |
| Purpose of Processing | Providing the Services to the Client under the Terms. |
| Subject Matter of Processing | Processing involves End-User personal data. |

3. Data Categories

| Category of Data | Examples |
|---|---|
| End-User | Names, email addresses, Microsoft 365 configuration data. |

4. Data Subjects

| Type of Data Subject | Description |
|---|---|
| End-User | An individual engaged by the Tenant and using Microsoft 365 services. |

Schedule 2. Retention Periods

| Data Category | Retention Period |
|---|---|
| End-User data | End-User data is retained for the duration the related tenant is active. If the Client removes the tenant from its subscription or the subscription is terminated, the End-User data is treated in accordance with our Privacy Policy. |

Schedule 3. List of Engaged Subprocessors

| Subprocessor | Location of the processing | Type of Service |
|---|---|---|
| Azure | The hosting location chosen by the Client from the predetermined list. Refer to this link https://365sentri.com/geo for the list of locations. | Hosting the Platform and End-User data |
| Hubspot | EEA | Client relationship management |

ANNEX 2.

PLATFORM SECURITY

This Annex Platform Security is an integral part of the provision of services by the Service Provider to the Client in accordance with the Terms. The capitalised terms used in this ANNEX 2 shall have the meaning assigned to them in the Terms.

1. Infrastructure 


1.1
The Client data is stored in multi-tenant storage systems accessible to Clients via only application user interfaces and application programming interfaces. Clients are not allowed direct access to the underlying application infrastructure. Client data may be stored in a separate tenant upon the Client’s request with an extra cost. The Service Provider does not run its own routers, load balancers, DNS servers, or physical servers. 

1.2 A list of all cloud providers used to maintain security and provide services can be found in the Data Processing Agreement. 

2. Application security 


2.1
All code is reviewed by a senior engineer before being deployed to production systems. Code reviews are designed to ensure the security, performance and quality of code released to production. 

2.2 The Service Provider employs Single Sign On (SSO) with Microsoft Entra ID for user authentication. The security and monitoring of user login credentials fall under the Client’s purview, and the Service Provider does not have oversight over this aspect of login management.

2.3 The deployment of the Services is entirely automated. Changes to both infrastructure and code are subject to automated testing using a Continuous Integration (CI) tool before being released to production. A change that passes the review and testing process is then deployed to production using a CI tool. 

2.4 The Service Provider encrypts data both at rest and in transit. All network communication uses TLS encryption to protect it in transit. The Service Provider leverages the encryption tools included in public cloud data stores to encrypt data at rest. 

3. Policies and Compliance 


3.1
The Service Provider is committed to protecting Users’ information. While the Service Provider has not undergone a 3rd party security audit for SOC-2 or ISO27001, 27018, it holds to the security controls present in those frameworks and has chosen cloud hosting providers that are SOC and ISO compliant. 

3.2 The Service Provider enables access to systems and infrastructure only to personnel who require access as part of their job responsibilities. Access removal processes are used to revoke access to personnel who no longer need it. 

3.3 The Service Provider enforces a password policy and a requirement for multi-factor authentication when available to protect its accounts. 

3.4 The Service Provider manages all of its infrastructure as code, allowing it to audit and peer review any changes and to provide a secure and automated process for applying these changes. 

3.5 The Service Provider complies with GDPR requirements for data breach notification standards. In the event of a security breach, the Service Provider will take actions to contain, investigate and mitigate the breach. The Service Provider will notify the Client in the event of a breach in writing within 72 hours of a breach being confirmed. 

3.6 A security incident with no repercussions, i.e. one that results in no unauthorised access to Personal Data or to any equipment or facilities storing Personal Data, will not be subject to notification. Such incidents may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents.

4. Regular Security Updates and Audits 


4.1
The Service Provider commits to regular security reviews and updates of the Services to address evolving cyber threats and technology advancements. This includes, but is not limited to, updates to encryption standards, access controls, and threat detection mechanisms. 

4.2 The Service Provider shall conduct third-party security audits as it deems necessary to verify the effectiveness of the implemented security measures and identify areas for improvement. The findings of these audits will be used to inform and guide subsequent security enhancements. 

5. Training and Security Awareness Programs


5.1
The Service Provider shall implement ongoing training programs for all employees, focusing on cybersecurity best practices, emerging threats, and the importance of data protection. This training will be updated regularly to reflect the latest security trends and threats. 

5.2 The Service Provider will foster a culture of security awareness through regular communications, updates, and workshops. This includes ensuring that all employees are aware of their roles and responsibilities in maintaining platform security and data protection. 
