Terms and conditions
The Solution is, at the time of the conclusion of the Agreement, built on the Microsoft Azure platform. The Customer is at all times obligated to ensure and bear the costs of ensuring that the Customer possesses the required hardware and network capacity in their own environment to be able to use the Solution optimally, including future updates.
The Supplier reserves the right to change these terms – with the exception of Annex 1 – without notice. It is incumbent on the Customer to keep abreast of the applicable terms of business at any time.
About the solution
We refer to the description of the Solution available on our website: https://www.os-gir.org/ and the information available in the Microsoft Azure Marketplace.
At the beginning of the agreement period, the Solution will be set up for the Customer and include the features and modules presented on our website.
The Supplier is entitled to change the functionality and design of the Solution continually at its own discretion. The Supplier strives not to change the core functionality of the Solution.
Commencement and duration
The Agreement commences as specified in the offer signed by the Customer.
Prices and payment
Prizing is stated in the Microsoft Azure Marketplace. The Supplier will inform the Customers of the specific prices of their consumption.
The monthly subscription price per month for the Customer is based on the number of staff registered in the Solution per month. Payment for monthly subscription is made in advance.
Payment terms are 30 days from the date of invoice.
It is a precondition for the Customer’s use of the Solution that the Customer has subscribed to a valid subscription for that period. The Supplier reserves the right, with reasonable notice, to change the price of the subscription for the Solution.
The hourly rate is 135 Euro.
Prices apply to the customer’s total commitment. The Supplier assembles invoices monthly in arrears for development tasks, while service agreements and subscriptions are invoiced in advance. The Supplier internally coordinates the customer’s total commitment, so that the customer’s total hourly consumption on all solutions and services counts in the discount. At the start of the year, the annual hourly consumption is estimated based on last year’s consumption, and the discount rate is determined on the basis of the estimate. The discount applies to the total hourly consumption.
License and intellectual property rights
The solution is open source software under the terms of MPL 2.0 read more here:
Maintenance and updates
To keep the Solution running optimally and to ensure more value for the Customer, it is necessary to continuously maintain software. The aim is to perform updates without inconvenience to the Customer, but it may be necessary to restrict access to the Solution for a limited time to perform these. In the event of restricted access, this will occur, to the extent possible, outside regular office hours.
Support and Service Level Agreement (SLA)
The Supplier provides support for errors and defects by chat, helpdesk, and email on ordinary business days from 8:30 a.m. until 4:00 p.m. (“Opening Hours”) (CET).
The Incident Management processes all service requests and incidents:
A service request is a request for information, advice or access to an IT service. E.g. reset password, order a new user and similar change requests for services.
Incidents denote potential errors and problems on the available services – E.g. an unplanned interruption of an IT service with a lack of availability as a result. Incidents are reported to the Supplier’s service desk, either automatically from monitoring systems or from users and technicians.
Impact is an expression of how many users are affected by an incident. Impact is used in conjunction with Urgency (see below) to assign priority.
Urgency indicates how great the need is to rectify the incident in question.
Incidents are thus prioritized in collaboration with the user on the basis of Impact and Urgency.
P5 Very low
Incident Prioritization Help
P5 Very low
Time for response
An incident that is critical for solving the Customer’s tasks and where reasonable workarounds is not possible
Response is started immediately during normal working hours.
An incident that is critical for solving the Customer’s tasks, but where reasonable workarounds according to the Supplier’s instructions is possible
Response will begin as soon as possible, but within 2 working days
An incident that is not critical for solving the Customer’s tasks, but where reasonable workaround is not possible
Response will begin as soon as possible, but within 4 working days (Monday-Friday)
An incident that is not critical to the solution of the Customer’s tasks, and where reasonable workaound according to the Supplier’s instructions is possible
Response will begin as soon as possible, but within 8 working days (Monday-Friday)
P5 Very low
A task or defect that has no or merely trivial significance for solving the Customer’s tasks
The task begins as soon as possible, but within 15 working days (Monday-Friday)
The Customer reports incidents and service requests via the Supplier’s reporting system, Redmine, and indicates the priority that the Customer believes is relevant to the task at hand. The customer’s prioritization is considered a proposal for negotiation. The Customer must, if it is within the Supplier’s opening hours, and in the case of Incidents of Critical or High Priority, contact us by telephone so that awareness of the problem is secured and agreement on the priority can be reached immediately.
Both the Customer and the Supplier may, for errors of a High and Critical nature, request an investigation, a Root Cause Analysis, which is carried out in collaboration between the Customer and the Supplier. This may be necessary to identify the correct cause of an error and thus also where the responsibility should finally be placed.
Escalation is made to the system owners at the Customer and the Supplier and then to the management level at the Supplier and the Customer.
Processing of personal data
In order to provide the Solution, the Supplier will process the Customer’s personal data. The Customer is the Data Controller for the processing of personal data in the Solution, and the Supplier is the Data Processor on behalf of the Customer.
The Supplier’s processing of the Customer’s personal data is regulated in a separate agreement concluded between the Parties (Annex 1 (“Data Processing Agreement“)). The Data Processing Agreement contains separate provisions on modification and termination of the Data Processing Agreement.
Restrictions of use
The Customer may not:
- Break the technical limitations of the Solution.
- Improperly delete, de-compile, reverse engineer, reverse compile, modify, translate or make any similar changes to the Solution.
- Remove, modify or add information of the Supplier’s copyright, trademarks and/or property rights (including information on physical media).
The Solution must not be used for any kind of illegal, pornographic, harmful, racist, harassing, violent, threatening or similar purpose or otherwise used to send viruses or spam or used to harm third parties. The Customer is obliged to comply with the laws of relevant countries when using the system.
The Solution must not be used if the Customer provides services in direct competition with the Supplier. The Customer is obliged to notify the Supplier if this is the case and immediately cease using the Solution.
The Customer assumes the full liability and risk of planning the user administration in such a way that usernames and passwords cannot be misused to obtain unauthorized access to the Solution.
Termination of the contract
The Agreement may be terminated at any time by either of the Parties with a prior written notice of two months.
The Parties may also terminate the Agreement if the other party materially breaches its obligations under the Agreement.
Upon termination of the Agreement, the Customer has the option to conduct one free download session of its data from the database of the Solution, which the Customer can order from the Supplier and will be invoiced based on elapsed time. Additional download sessions of the Customer are invoiced separately. The Supplier ensures that the Customer has the opportunity to download its data for up to one month after the termination of the Agreement. It is the Customer’s responsibility to ensure that the data is extracted from the Solution.
Liability and limitation of liability
The Supplier is not responsible for the Customer’s failure to comply with minimum system requirements for the Solution.
The Supplier shall not be liable for indirect loss or consequential damages. Loss of business opportunities, loss of profits, loss of goodwill, loss of data, including losses related to the restoration of data, loss of interest, and fines paid by/to third parties, as well as costs of re- establishment and reinstallation, etc. shall in any event be considered as indirect loss or consequential damages.
Supplier is not liable for any interruptions in operation that may occur in the transmission of data between the Supplier’s operations center and the Customer, its internet domain(s) or licensed users, unless such interruptions are caused by errors in the Solution.
If errors in third-party software are observed, the Supplier is only obligated to inform the manufacturer of the error, encouraging the manufacturer to remedy the defective software within a reasonable period. In the event of critical errors or errors that significantly reduce the use of the Solution for the Customer, the Supplier is obligated to use reasonable efforts to create a temporary “work around”.
Irrespective of the cause of the damage, the Supplier’s liability to the Customer may never exceed the lower of the following amounts: (i) the last two months’ payment from the Customer, or (ii) EUR 2,650.00.
The Supplier shall not be liable to the Customer when circumstances arise which impede or postpone the Supplier’s fulfilment of its obligations, including, among other things, the following: war, mobilisation, insurgency and unrest, terrorist actions, natural disasters, strikes and lockouts, viruses, hacking, spamming, crashes or other unforeseen and extraordinary strain on the IT systems or telecommunication networks used by the Supplier, orders or injunctions from public authorities and rightsholders, or other circumstances over which the Supplier has no direct control. If one or more of the aforementioned circumstances occurs, the Supplier is entitled to postpone the supply of its services or cancel the Agreement without liability. The Customer’s refund is suspended for the same period.
“Confidential Information” is non-public information that is designated “confidential” or that a reasonable person should understand is confidential. Each party will protect the other’s Confidential Information and will use the other party’s Confidential Information only for purposes of this Agreement. Neither party will disclose that Confidential Information to third parties, except to its employees, contractors, advisors and consultants (“Representatives”) and then only on a need-to-know basis under nondisclosure obligations at least as protective as this agreement. Each party remains responsible for the use of the Confidential Information by its Representatives and, in the event of discovery of any unauthorized use or disclosure, must promptly notify the other party.
These obligations apply for the duration of the Agreement and for a period of five years after termination of the Agreement.
Transfer of the agreement
The Customer may not transfer the Agreement to third parties without the Supplier’s prior written consent.
However, the Supplier may transfer the Solution with related agreements, data, and content if the transfer is made in connection with the transfer of business or similar circumstance.
Applicable law and venue
This Agreement is governed by Danish law, excluding the UN Convention on Contracts for the International Sale of Goods and any conflict of law provisions.
Disputes, which cannot be amicably resolved by the Parties, must be brought before the ordinary courts of Denmark with the City Court of Copenhagen as agreed venue with access to referral and appeal in accordance with the Danish Administration of Justice Act.
ANNEX 1 - DATA PROCESSING AGREEMENT
Background and instructions
As part of the delivery of the Solution, the Customer will entrust the processing of personal data to the Supplier. The purpose of the Data Processing Agreement is to regulate the processing of personal data by the Supplier on behalf of the Customer and to ensure that the Supplier complies with its obligations under regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (“General Data Protection Regulation / GDPR“) and additional supplementary rules adopted.
The Supplier acts as a Data Processor on behalf of the Customer, and the Customer acts as the Data Controller for the processing of personal data described in this Data Processing Agreement.
The Supplier collects, processes, and stores personal data via the Solution on behalf of the Customer. The Supplier shall process the personal data only to the extent necessary to carry out the tasks described in this provision and the documented instruction from the Customer at any time.
The Supplier may not process or use the personal data for any other purpose and/or otherwise than specified in the instruction, unless the Supplier has been required to do so by virtue of EU law or national law to which the Supplier is subject.
Categories of personal data processed in the Solution: The types of personal data that are processed in the Solution include, as a starting point, only general data, such as identification information, profile picture, and identification number. Depending on the
circumstances, sensitive and/or confidential data may also be processed, including civil registration numbers, passwords, and reasons for absence (information about health).
Categories of data subjects processed in the Solution: The data subjects to whom the personal data relate include especially: 1) administrative staff, 2) IT administrators, 3) employees, 4) external consultants.
The Supplier shall notify the Customer immediately if the Supplier finds that an instruction violates the applicable data protection law at any time.
The customer's rights and obligations
The Customer is responsible for ensuring that any transfer of personal data to the Solution is in accordance with the applicable data protection laws in all relevant countries where the Customer uses the Solution.
If the Customer chooses to integrate the Solution with other IT systems, the Customer bears the full responsibility for this, including the responsibility for the conclusion of a valid data processing agreement with the Supplier of that system where required.
The Supplier will assist the Customer in ensuring compliance with the obligations under Article 32-36 of the GDPR, taking into account the nature of the processing and the data available to the Supplier. The Supplier is entitled to invoice the Customer a reasonable remuneration for this assistance.
The Supplier shall take appropriate technical and organizational security measures to prevent the processing of personal data (i) being accidentally or unlawfully destroyed, forfeited or altered, (ii) disclosed or made available without authorisation, or (iii) otherwise processed in contravention of the law, including the General Data Protection Regulation.
- The Data Processor shall be obliged to notify the Data Controller without undue delay of any data breach, which shall be construed as an infringement of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed (“Security Breach“). The notification about the Security Breach shall, to the extent possible, include:A description of the nature of the breach, including the categories and approximate number of data subjects and records of personal data concerned.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed by the Data Processor or sub- processor to address the breach, including measures to mitigate its possible adverse effects.
The Supplier is responsible for ensuring that the Supplier’s employees comply with this Data Processing Agreement. The Supplier is obliged to limit the processing of personal data to
the necessary personnel of the Supplier. All employees of the Supplier who process personal data on behalf of the Customer must be subject to a duty of confidentiality or other appropriate statutory secrecy. This obligation of confidentiality has no time limit and continues regardless of whether the cooperation of the Parties otherwise ceases.
The use of data sub-processors
The Supplier has the Customer’s general approval to use subcontractors for hosting the Service and associated data. If using subcontractors, the Supplier shall ensure that a legal transfer basis exists at all times.
Upon signature of the Terms, the Supplier has specified the use of the following sub- processors:
- Microsoft Corporation
One Microsoft Way, Redmond, WA 98052, United States of America
Transfer basis: EU Commission standard contractual clauses and certification under the EU-U.S. Trans-Atlantic Data Privacy Framework
The Supplier enters into a written data processing agreement with any subcontractor, in which the subcontractor is required to be subject to at least the same obligations as the Supplier has agreed to in this Data Processing Agreement with the Customer. Upon entering into the Data Processing Agreement, the Customer has approved that Microsoft is to be used as a sub-processor. This approval includes the terms that the Supplier has accepted as part of the subscription to Microsoft Azure. Microsoft’s data processing agreement applicable at any time can be found at www.microsoft.com under “Online Services Terms (OST)”. The data processing agreement is currently available in Annexes 3 and 4.
The Customer shall be entitled to obtain a copy of the Supplier’s contract with the subcontractor for the purposes of the provisions of that Agreement relating to data protection obligations. The Supplier shall notify the Customer by a written notice of one month when there are changes or additions to the list of subcontractors. If the Customer has reasonable and specific reasons for not being able to accept the Supplier’s use of a new subcontractor, the Customer is entitled to terminate the Agreement without notice. The right of the Customer to extract its data in accordance with the terms of section 10.3 is not affected in any way.
Transfer to third countries
Transfers of personal data to third countries (countries outside the European Union (“EU”) and European Economic Area (“EEA“)) may only be carried out in accordance with the Customer’s instructions. The Customer shall, on an ongoing basis, be kept sufficiently aware of the legal basis applied at any time for the transfer of personal data outside the EU/EEA.
Documentation and supervision
At the Customer’s request, the Supplier shall provide all necessary information to the Customer to enable the Customer to verify compliance with the obligations of the Supplier under this Data Processing Agreement. The Supplier shall provide access to the physical facilities of the Supplier and contribute to audits, including inspections, carried out by the Customer or by the Customer’s auditor or other external advisor mandated by the Customer. In addition, the Supplier shall provide all information requested in relation to the data processing task to the public authorities, the Customer and the Customer’s external advisors, to the extent that the information is necessary for their assignments. The Supplier may, by a written agreement, invoice the Customer with equitable remuneration for such assistance.
The Supplier is obliged to supervise its subcontractors on the same terms as the Customer’s supervision of the Supplier. The Supplier is obliged to make available to the Customer any documentation to demonstrate that the Supplier is complying with its supervisory obligation.
Term, termination and deletion
This Data Processing Agreement shall continue to apply as long as the Supplier processes personal data of the Customer for which the Customer is the data controller.
In the event of termination of the Data Processing Agreement, the Supplier shall return all personal data processed by the Supplier under this Data Processing Agreement to the Customer to the extent the Customer does not already have the personal data.
The Supplier is obliged to erase all the Customer’s data when three months have elapsed from the termination of the Data Processing Agreement, or immediately at the Customer’s request unless the Supplier is subject to other legislation that prescribes the Supplier’s retention of the Customer’s data for a longer period.
In any event, the Supplier is entitled to retain data in anonymised form for the compilation of statistics, etc., without any time limit. “Anonymised form” means that, after anonymisation of the Customer’s data, it is not possible in any way to restore the link to individuals. The Supplier shall be fully responsible for the proper and permanent anonymisation of the Customer’s data.