This page, as all other English pages on www.ledningssystemet.se, has been subject to more or less machine translation. The prices as well as terms and conditions on the Swedish page take precedence over the corresponding information on the English page.
Prices
| Article | Price (excl VAT) | Info |
| Customer instance of Ledningssystemet.se | ||
| Monthly fee | 3 000 SEK / month 275 EUR / month | Per instance. Refers to up to 250 users in a SaaS delivery. When operated in the customer’s own environment, there is no upper user limit. Alternative for Swedish Public sector can be found here. |
| Partner instance of Ledningssystemet.se | ||
| Monthly fee | 0 SEK / month 0 EUR / month | Separate agreement in accordance with the general terms and conditions. Alternative for Swedish Public sector can be found here. |
General Terms and Conditions per 2024-12-292
1. Introduction
These general terms and conditions (the “Terms”) govern the contractual relationship between Ledningssystemet Sverige AB (the “Provider”) and the party (the “Customer” and/or “Partner”) with whom the Provider has entered into an agreement (the “Service Agreement”) for one or more services (the “Service”) that refer to these Terms. If no separate agreement has been signed, the use of the Service in combination with the Terms constitutes the Service Agreement.
2. Background
The Provider primarily offers the service ledningssystemet.se to the market, which is a multi-module product consisting mainly of customer instances and partner instances.
Ledningssystemet.se is used by organizations to establish and manage a management system related to their specific operations, either with or without the support of one or more connected partners.
Ledningssystemet.se is provided to the Customer either as a cloud service (SaaS), hosted by a hosting provider contracted by the Provider, or as an installed instance in the Customer’s own operating environment. The Customer and the Provider agree on the form in which the service will be delivered.
Ledningssystemet.se is provided to the Partner as a cloud service (SaaS), hosted by a hosting provider contracted by the Provider.
The Terms only govern the relationship between the Provider and the Customer or Partner. The Terms do not give rise to any rights or obligations in relation to the Provider’s hosting provider or other suppliers. The Provider is responsible for ensuring that the necessary agreements (e.g., Data Processing Agreements) are signed between the Provider and the contracted suppliers.
In the event that a separate agreement has been signed between the Provider and the Customer or Partner, such agreement shall, to the greatest extent possible, be interpreted in accordance with the Terms and the currently applicable price list published on the website.
3. Definitions
The following terms shall, to the greatest extent possible, be interpreted with the meanings defined below when reading the Terms:
• Service: ledningssystemet.se through a customer instance or partner instance. A customer instance and a partner instance may be linked to the same organization; in such cases, the organization acts as both Customer and Partner.
• Provider: The entity offering the Service and who, through such offering or other agreement, has entered into a Service Agreement with the Customer or Partner.
• Subcontractor: A supplier procured and provided by the Provider, who may be directly involved in delivering the Service to the Customer or Partner.
• Customer: The party who, through use of the Service or other agreement, has entered into a Service Agreement with the Provider.
• Partner: The party who, through use of the Partner instance of the Service or other agreement, provides input and support to Customers.
• Administrator: The individual holding the administrator role in a customer instance or partner instance. An administrator is also the contact person at the Customer or Partner responsible for payments to the Provider. Furthermore, the administrator is responsible for user administration within a customer instance or partner instance.
• User: An individual/person (e.g., employed or contracted by the Customer or Partner) who is granted access to the Service via the Customer or Partner. All individuals/persons using the Service must be identified through a unique account provided by the Provider or an Administrator.
4. Provider’s obligations
The Provider undertakes to provide the Customer or Partner with access to the Service. The Provider commits to taking reasonable and appropriate measures to ensure that the Service is available over the Internet, except during periods when the Provider or Subcontractors perform system updates or maintenance.
The Provider, either directly or through its Subcontractor, performs monitoring efforts to maintain the availability of the Service to the greatest extent possible.
The Provider is not conditionally liable for loss of data, deletion of data, or failure to store data or other information; however, the Provider will follow industry practices and standards to ensure that data and information are stored and backed up securely, in accordance with the Service specifications.
The Customer and Partner are, of course, aware that access to a relevant Internet connection cannot be guaranteed by the Provider; this is because the Provider’s Customers and Partners are responsible, professional organizations.
5. Customer’s and/or Partner’s obligation
The Customer and/or Partner shall comply with the security regulations communicated by the Provider, either in writing or through configuration of the Service, from time to time.
The Customer and/or Partner shall ensure that administrator and user information is accurate and updated when necessary.
The Customer and/or Partner shall ensure that a designated contact person (often the Administrator) is available for the Provider to reach.
The Customer and/or Partner is responsible for the activities and operations conducted within the Service and for ensuring that these comply with applicable legislation.
6. Right to Use the Service and Clarification on Intellectual Property Rights
The Customer and/or Partner has the right to use the Service and to grant administrators and users access to the Service. The Customer and/or Partner is responsible for the individuals who are granted access to the Service.
The Provider holds ownership of all intellectual property rights and technical solutions related to the Service or, alternatively, exclusive rights to the use of technical solutions associated with the Service. Such intellectual property rights may only be used by the Customer and/or Partner in accordance with the Terms and the Service Agreement. The Customer and/or Partner or any third party may not unlawfully acquire or otherwise appropriate intellectual property rights related to services, software, or technical solutions used in the Service; the same applies to trademarks owned or used by the Provider or Subcontractors.
The Partner retains intellectual property rights and copyright to content in the form of risk templates, document templates, and other similar materials created and stored in the Partner’s instance and not originally provided by the Provider.
The Customer retains intellectual property rights and copyright to content in the form of risk templates, document templates, and other similar materials created and stored in the Customer’s instance and not originally provided by the Provider.
7. Support, Error Reporting, and Incidents
The Provider offers relevant support to the Partner regarding specific questions related to the Service. Customers receive support via the Partner. The Provider offers support via email and direct messaging within the Service.
Customers may submit error reports and incident notifications to the Provider via email and direct messaging within the Service.
Support is primarily provided during office hours and to a reasonable extent.
8. Limited Liability of the Provider
In addition to the limitations stated in the Terms, the Provider shall be liable for losses resulting from the Provider’s direct negligence. In the event of such negligence, the Provider undertakes to act without unreasonable delay to correct any errors or deficiencies caused.
In the absence of direct negligence by the Provider, the Provider assumes no liability for errors or deficiencies in the Service; however, actions will be taken to ensure the availability of the Service to the greatest extent possible.
No right to price reductions, damages, or other remedies related to service disruptions or errors shall exist unless such events are directly attributable to the Provider’s negligence. If service disruptions or errors occur to such an extent that the Customer and/or Partner does not have access to the Service for a period exceeding one (1) month, all parties have the right to unilaterally terminate the Service Agreement with immediate effect.
The Provider’s liability under the Terms and the Service Agreement shall be limited as follows:
• The Provider’s total liability for damages is limited to direct losses up to a maximum amount equivalent to three (3) months’ license fees for a customer instance, provided that such license fees have been paid by the Customer and/or Partner during the period immediately preceding the breach of contract entitling compensation.
• In the absence of intent or gross negligence, the Provider shall under no circumstances be held liable for indirect losses, lost revenue, expected savings, loss of income, loss of data, or third-party claims in relation to the Customer and/or Partner.
• The Customer and/or Partner may claim damages as described above only if the Provider is notified thereof no later than 30 days after the Customer and/or Partner became aware or should reasonably have become aware of the grounds for the claim.
9. Management of Login Credentials
The Customer and/or Partner shall ensure that individuals who are assigned administrator or user accounts in the Service handle login credentials securely. The Service includes functionality for SSO via Microsoft 365 and thereby supports multi-factor authentication. In the event that login credentials are exposed to unauthorized parties, the Provider must be notified immediately.
The Customer and/or Partner is responsible for any losses or damages caused to the Provider due to administrator or user credentials being exposed to unauthorized parties or third parties in an unauthorized manner; unless the Customer and/or Partner notifies the Provider immediately upon suspicion of exposed login credentials. After the Provider has been informed of such suspicion, the Customer and/or Partner shall only be held liable if acting with intent or through gross negligence.
10. Restrictions and Limitations Regarding Access to the Service
If the Customer’s and/or Partner’s use of the Service may result in loss or risk of loss for the Provider, the Provider has the right to restrict access to the Service and take defensible actions. The Provider shall promptly inform the affected parties of any restrictions and any additional measures taken.
The Provider has the right, and in part the obligation, to immediately prevent the dissemination of information within the Service if there is reasonable suspicion that such activities violate applicable legislation or the Terms. The Provider shall promptly inform the affected parties if information is removed from the Service.
11. Force Majeure
A party shall be exempt from liability for damages and other corresponding consequences in cases where obligations are prevented due to circumstances beyond the party’s control. Such circumstances include, for example: bankruptcy, labor disputes, lightning strikes, fire, government decisions, failures in operators’ networks, general shortages of transportation, goods or energy, and significant delays in subcontractors’ deliveries related to similar circumstances.
If circumstances as described above result in service disruptions or errors to such an extent that the Customer and/or Partner does not have access to the Service for a period exceeding one (1) month, all parties have the right to unilaterally terminate the Service Agreement with immediate effect.
If the Customer and/or Partner is prevented from fulfilling their obligations due to the above or similar circumstances for a period of one (1) month, the Provider has the right to unilaterally terminate the Service Agreement with immediate effect.
12. Confidentiality
The Provider shall not disclose to third parties, or otherwise make available, information obtained through the provision of the Service to the Customer and/or Partner.
Confidentiality does not apply to information that the Provider can demonstrate was obtained by other means than through the provision of the Service, or if the Provider is required to disclose such information due to a government decision or applicable legislation.
Corresponding confidentiality applies, to the extent relevant, to the Customer and/or Partner in relation to information about the Service and the Provider’s operations.
Confidentiality shall remain in effect even after the termination of the Service Agreement.
13. Privacy, Data Protection, and Processing of Personal Data
The Provider acts as a data processor on behalf of the Customer and/or Partner. The personal data processing carried out by the Provider in its capacity as data processor is governed by the terms set out in the Data Processing Agreement below.
The Provider may act as a sub-processor to a Partner in cases where the Partner and the Provider have entered into a separate agreement stipulating that the Partner resells or distributes the Service. Personal data processing in the capacity of sub-processor is governed by the Data Processing Agreement below.
For a number of processing activities, the Provider and the Customer and/or Partner act as separate data controllers. The Provider’s processing activities are clarified in the Provider’s Information to Data Subjects.
14. Prices and Payment Terms
The Customer shall pay the Provider compensation in accordance with the current and published price list to gain access to the Service. Compensation is invoiced monthly in arrears with a payment term of thirty (30) days. If the Service is to be made available to the Customer with partner integration from the start, the first month will be invoiced upon setup of the Service. For Customers where the Service is to be operated in the Customer’s own environment from the start, the first month will also be invoiced upon setup.
Invoices must be paid on time, to the bank account specified on the invoice, and in the currency stated on the invoice. In the event of late payment, the Provider will charge a reminder fee and any applicable interest for delayed payment.
The Service must be terminated by written notice to the Provider at least one day before the end of a given calendar month if the Customer wishes to ensure that no billing occurs for the following month. In the event of early termination of the Service, the Customer is not entitled to a refund of any prepaid fees.
15. Changes and additions
To ensure the possibility of further development, the Supplier has the right to make changes to the Service, including changes regarding functionality, technical solutions, system specifications, and security measures. Changes are communicated to the Customer and/or Partner via a notice on the website www.ledningssystemet.se and through direct messages to Administrators.
The Supplier reserves the right to amend the Terms and any associated Service Agreements including, but in no way limited to, pricing. Changes are communicated to the Customer and/or Partner via a notice on the website www.ledningssystemet.se and through direct messages to Administrators. Changes are considered communicated to the Customer and/or Partner one (1) week after being published on the website or sent to Administrators. If the Customer and/or Partner objects to the change, they have 30 days from the date the change was communicated to terminate the agreement with immediate effect. If the agreement is not terminated, the change is considered accepted.
16. Contract term and termination
The Service Agreement and the Terms enter into force when the Customer and/or Partner commissions the Supplier to set up an instance. The Service Agreement and the Terms remain in effect indefinitely with one month’s notice of termination from either party.
The Supplier has the right to immediately block the Customer’s and/or Partner’s access to the Service and to terminate the Service Agreement prematurely if:
• The Customer and/or Partner uses the Service to commit a crime.
• The Customer and/or Partner uses the Service in a way that causes or risks causing loss to the Supplier or a third party.
• The Customer and/or Partner uses the Service in violation of the Supplier’s security instructions or other regulations.
• The Customer and/or Partner fails to pay the agreed compensation despite reminders.
• The Customer and/or Partner attempts unauthorized access to the Service or related services.
• The Customer and/or Partner is insolvent, at risk of bankruptcy, or otherwise financially distressed.
The Customer and/or Partner has the right to terminate the Service Agreement with immediate effect if:
• The Supplier materially breaches its obligations under the Service Agreement, the Terms, or the Data Processing Agreement and fails to make the necessary corrections after being requested to do so.
• The Supplier is insolvent, at risk of bankruptcy, or otherwise financially distressed.
Upon termination of the agreement, the Supplier is not responsible for any information created, collected, or generated within the Service. The Customer and/or Partner must ensure that necessary exports and backups are secured before the Service Agreement ends and the Supplier deletes the relevant instances and thereby the information.
The Supplier has the right to delete instances in the Service, and thereby all information, one (1) month after the Service Agreement and the Terms have ceased to apply. The Data Processing Agreement remains valid until backups at the Supplier’s subcontractor have been purged.
17. Transfer and resale
The Supplier has the right to transfer, in whole or in part, its rights and obligations under the Service Agreement and the Terms to a company within the same group or with the same ownership as the ownership of Ledningssystemet Sverige AB.
Transfers are communicated to the Customer and/or Partner via a notice on the website www.ledningssystemet.se and through direct messages to Administrators. Transfers are considered communicated to the Customer and/or Partner one (1) week after being published on the website or sent to Administrators. If the Customer and/or Partner objects to the transfer, they have 30 days from the date the change was communicated to terminate the agreement with immediate effect. If the agreement is not terminated, the transfer is considered accepted.
The Customer and/or Partner does not have the right to transfer their rights or obligations under the Service Agreement and the Terms without the Supplier’s written consent.
The Customer and/or Partner does not have the right to reproduce, duplicate, copy, sell, resell, or exploit the Service or access to the Service. Resale of the Service is only permitted as a result of written consent and a reseller agreement from the Supplier.
18. Governing law and dispute resolution
The Service Agreement and the Terms, as well as the subsequent relationship between the Supplier and the Customer and/or Partner, shall be interpreted in accordance with and governed by Swedish law.
In the event of a dispute related to this agreement, the dispute shall initially be fully and in good faith attempted to be resolved through executive-level negotiations, to the extent deemed reasonable under the prevailing circumstances. If the dispute cannot be resolved through executive-level negotiations, it shall be settled through simplified dispute resolution in accordance with ABK 09 Chapter 10.
19. Acceptance
By using the Service, the Customer and/or Partner has accepted the Service Agreement. The person who requests the Service from the Supplier is responsible for ensuring the authority to enter into the Service Agreement.
Data Processing Agreement per 2024-09-25
1. Data Processing Agreement
This Data Processing Agreement (hereinafter referred to as the agreement) is entered into between Ledningssystemet Sverige AB (the Data Processor, or Sub-processor) and the Customer and/or Partner (the Data Controller, or Data Processor in contexts where Ledningssystemet Sverige AB acts as Sub-processor) who uses the service ledningssystemet.se in accordance with the Service Agreement above and thereby commissions the Data Processor to process personal data on their behalf.
Data processor’s contacts:
Ledningssystemet Sverige AB
Byn Källekullen
511 74 SKEPHULT
Organization number: 559475-0530
info@ledningssystemet.se
2. Instructions
The Data Processor may only process personal data on behalf of the Data Controller in accordance with the instructions below.
Description of the processing
Service and purpose of the processing: Personal data processing in connection with the provision of the service ledningssystemet.se.
Processing activities: Collection, registration, logging, storage, copying, and deletion of personal data related to the use of the service.
Categories of data subjects: Customer and/or Partner Administrators and Users, as well as the personal data entered into the Service by Administrators and Users.
Categories of personal data: Name, email, contact details, IP addresses, geolocation data, and any additional personal data within the scope of the information entered into the Service by Users and Administrators during use. The Service is not constructed or designed to process special categories of personal data.
Location of processing: Personal data is processed within the EU/EEA and within the scope of the service provision in data centers provided by the Data Processor’s hosting provider as listed below. The current Sub-processor has its data centers located in Sweden.
Retention period / Deletion deadline: The Data Processor deletes personal data within the scope of the Service delivery 30 days after termination of the Service Agreement. Personal data will continue to be stored within the Sub-processor’s backups for an additional three (3) months.
Säkerhetsåtgärder
Physical access: Servers are locked in server rooms, and access is controlled by physical key and code, which is restricted to authorized personnel responsible for operations and maintenance.
System access / Logical access: The Data Processor controls access to the Service instances through permission management and login credentials that include multi-factor authentication. The Data Controller is responsible for managing access for Administrators and Users.
Transfer of personal data: Personal data is not transferred to external parties by the Data Processor within the scope of the Service delivery. Personal data is not transferred to third countries.
Access control: The Data Processor does not access the Data Controller’s instances beyond what is required for operations, maintenance, and potential support. Administrator rights are limited to individuals at the Data Processor who have tasks requiring such rights.
Encryption of stored data: The Service is provided through a web hosting service where the Service is continuously available; therefore, stored data is not encrypted.
Encryption of data communication: The Data Processor ensures that communication to and from the Service is encrypted.
Secure authentication: The Data Processor ensures that personnel with access to the Service and the operational environment are authenticated and verified. The Data Controller is responsible for authentication and identification of Administrators and Users.
Handling of storage media: Destruction of storage media is carried out by the Data Processor’s hosting provider.
Capacity and continuity planning: The Data Processor refers to the hosting provider’s continuity and capacity planning regarding ongoing operations of the commissioned services. To ensure sufficient capacity, the Data Processor has secured access to capacity from the hosting provider.
Data separation: Each Data Controller receives a separate instance. Thus, data is routinely logically separated in a virtualized operational environment.
Logging: Logging of activities in the Service is carried out by the Data Processor at the application level and regarding traffic requests to the Data Controller’s instance. Infrastructure-level logging is handled by the hosting provider.
Management of technical vulnerabilities: The Data Processor is responsible for identifying and remedying technical vulnerabilities at the application level. The hosting provider is responsible for identifying and remedying technical vulnerabilities at the infrastructure level.
Redundancy: The Data Processor is responsible for allocating sufficient capacity to the Service. Infrastructure-level redundancy is ensured by the hosting provider.
3. Content and purpose
This agreement has been established to meet the requirements for contracts between the Data Controller and the Data Processor in accordance with Article 28 of the General Data Protection Regulation (EU 2016/679). The purpose of the agreement is to uphold the protection of the fundamental rights of data subjects regarding the processing of personal data in accordance with the EU General Data Protection Regulation 2016/679 (GDPR), other applicable laws, regulations, and directives, as well as decisions and general guidelines from supervisory authorities concerning the processing of personal data (collectively referred to as “Data Protection Legislation”).
The Data Processor is informed that the Data Controller may, in certain situations, act as a Data Processor on behalf of another party. In such cases, the Data Processor may act as a Sub-processor. In the role of Sub-processor, the Data Processor has identical obligations regarding the handling of personal data under this agreement, and the terms of this Data Processing Agreement apply even when the Data Processor acts as a Sub-processor.
4. Responsibility and instruction
The Data Controller is responsible for all processing of personal data carried out under the Service Agreement and must ensure that the processing of personal data is conducted in accordance with Data Protection Legislation.
The Data Processor undertakes to process the agreed personal data solely to fulfill its obligations under this agreement, the Service Agreement, and the documented instructions provided by the Data Controller at any given time. The Data Processor may not process personal data for any purpose other than delivering the service in accordance with the agreement. The Data Controller is responsible for ensuring that personal data not covered by this agreement, the Service Agreement, or other instructions is not processed within the scope of the service.
The Data Processor further undertakes to process personal data in accordance with Data Protection Legislation. The Data Processor shall take all reasonably required measures to follow the Data Controller’s instructions regarding the processing of personal data. The Data Processor shall immediately inform the Data Controller if it considers that an instruction from the Data Controller would violate Data Protection Legislation or cause the Data Processor disproportionate cost or inconvenience.
The Data Processor may not transfer any personal data to a country outside the EU/EEA or to a country not covered by the exceptions to the prohibition on transfer to third countries under Data Protection Legislation, without prior written consent from the Data Controller and ensuring that such transfer complies with applicable law.
If the Data Processor suspects or discovers a security breach such as unauthorized access, destruction, alteration, or similar incidents involving personal data, or for any other reason cannot fulfill its obligations under this Data Processing Agreement, the Data Processor shall immediately investigate the incident, take appropriate measures to remedy it and prevent recurrence, and provide the Data Controller with a description of the incident. The Data Processor shall initiate incident reporting to the Data Controller without undue delay and no later than within 24 hours.
The description of the incident shall at a minimum:
• Describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records concerned.
• Provide the name and contact details of the data protection officer or other contact points where more information can be obtained.
• Describe the likely consequences of the personal data breach.
• Describe the measures taken or proposed by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its potential effects.
The Data Processor shall immediately and in writing inform the Data Controller if it becomes aware that personal data has been processed in violation of the Data Controller’s instructions or this Data Processing Agreement.
If a type of processing, particularly using new technology and considering its nature, scope, context, and purpose, is likely to result in a high risk to the rights and freedoms of natural persons, the Data Processor shall, prior to carrying out the processing, assist the Data Controller in assessing the potential impact of the planned processing on the protection of personal data. A single assessment may cover a series of similar processing operations that present similar high risks.
The Data Processor shall, upon written request from the Data Controller, assist the Data Controller by providing necessary information and reasonable assistance required for the Data Controller to fulfill its obligation to respond to requests for the exercise of data subjects’ rights under Data Protection Legislation. If necessary, the Data Processor shall assist the Data Controller in fulfilling other obligations under Data Protection Legislation, including but not limited to reporting and informing about personal data breaches, conducting data protection impact assessments, and prior consultations with the relevant supervisory authority regarding such processing of personal data covered by this Data Processing Agreement. For such work, the Data Processor shall be compensated with reasonable agreed costs or actual verifiable expenses.
5. Security and confidentiality
The Data Processor shall implement appropriate technical and organizational measures to protect the personal data being processed. These measures shall ensure a level of security that at least complies with Data Protection Legislation and is appropriate considering:
• The technical possibilities available, taking into account the latest technological developments
• The cost of implementation
• The risks associated with the processing of personal data, considering, among other things:
– The consequences of loss of integrity, confidentiality, and availability of personal data during storage, data transfer, and other processing activities
– The purpose of the processing in relation to the risks
– The sensitivity of the personal data in relation to the rights and freedoms of natural persons
– The volume of personal data being processed
– The vulnerability of the categories of data subjects to whom the personal data relates
Agreed measures that fulfill this requirement shall ensure a level of security that the Data Controller, in consultation with any Data Protection Officer, deems appropriate.
The Data Processor shall consider generally accepted principles of information security when designing appropriate security measures, by applying ISO/IEC 27001 or an equivalent standard.
The Data Processor shall regularly and systematically evaluate the effectiveness of the security measures implemented to protect the personal data processing carried out on behalf of the Data Controller.
The Data Processor shall immediately notify the Data Controller in writing if the security of the personal data processing cannot be maintained.
All significant changes to technical and organizational measures shall be documented by the Data Processor and made available upon request by the Data Controller.
The measures taken shall at a minimum include the following areas in accordance with Data Protection Legislation:
• pseudonymization and encryption of personal data
• the ability to continuously ensure the confidentiality, integrity, availability, and resilience of processing systems and services
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing
The Data Processor shall ensure that access control is properly maintained and that confidentiality is observed. The Data Processor shall take the necessary measures to ensure that the received information is only disclosed to individuals within its organization who are involved in the purpose of the Service Agreement. The Data Processor shall ensure that all employees, consultants, subcontractors, and others for whom the Data Processor is responsible and who process personal data are bound by an appropriate confidentiality obligation and are informed about how the personal data may be processed. The Data Processor is responsible for ensuring that individuals with access to personal data are informed about and understand how to process the data in accordance with the instructions from the Data Controller.
6. The Data Controller’s right to audit the Data Processor
The Data Controller has the right to conduct audits of the Data Processor, either directly or through a third party, or otherwise verify that the Data Processor’s processing of personal data complies with this Data Processing Agreement. In such audits or inspections, the Data Processor shall, without undue delay, provide the Data Controller with the necessary assistance to carry out the audit.
Upon request by the Data Controller, the Data Processor shall provide all available information regarding the processing of personal data to enable the Data Controller to fulfill its obligations as a Data Controller under Data Protection Legislation.
In cases where data subjects, supervisory authorities, or other third parties request information from the Data Controller or the Data Processor regarding the processing of personal data, the Parties shall cooperate and exchange information to the necessary extent. The Data Processor may not disclose personal data or information about the processing of personal data without prior documented consent from the Data Controller, except where required by a relevant authority or if the Data Processor is obligated to do so under mandatory legislation.
The Data Processor shall assist the Data Controller through appropriate technical and organizational measures so that the Data Controller can fulfill its obligations regarding data subjects’ rights in accordance with Chapter III of the General Data Protection Regulation.
7. Engagement of a sub-processor
The Data Processor has the right to engage sub-processors in order to fulfill its obligations under the Service Agreement.
If the Data Processor engages a sub-processor in accordance with the terms of the Service Agreement, the Data Processor has the authority and obligation to enter into a specific data processing agreement with such sub-processor regarding the sub-processor’s processing of personal data. Such agreement shall stipulate that the sub-processor has equivalent obligations as the Data Processor has under this data processing agreement.
The Data Processor shall, upon the Data Controller’s request, provide a copy of the parts of the Data Processor’s agreement with the sub-processor that are necessary to demonstrate that the Data Processor has fulfilled its obligations under this data processing agreement.
The Data Processor shall at all times maintain an accurate and up-to-date list showing which sub-processors have been engaged for the processing of personal data and where they are geographically located. Furthermore, the Data Processor shall, upon the Data Controller’s request and without undue delay, provide contact details for the sub-processors processing personal data.
The Data Processor shall inform the Data Controller of any plans to engage new sub-processors or replace existing sub-processors, so that the Data Controller has the opportunity to object to such changes. Such information shall be provided no later than 30 days before the change takes effect. The Data Controller shall inform the Data Processor in writing, within 30 days of being notified of the change, if it objects to the new sub-processor processing its personal data and shall provide a reasonable reason for the objection. If the Data Processor cannot comply with the Data Controller’s objection within a reasonable time without incurring unreasonable cost or inconvenience, the Parties shall cooperate to find an appropriate solution related to the reason for the objection. If the Parties cannot reach an agreement, the Data Controller shall have the right to terminate the agreement with immediate effect.
8. Dispute, applicable law and damages
Any dispute regarding the interpretation or application of this agreement shall be resolved in accordance with Swedish law and the provision on disputes in the Service Agreement.
In the event that the Data Controller becomes liable to a third party due to the Data Processor’s failure to comply with this agreement or the Service Agreement within the scope of personal data processing, the Data Processor shall compensate the Data Controller for the damage incurred in accordance with the Service Agreement.
9. Entry into force, termination, amendments and transfer of the agreement
This data processing agreement enters into force concurrently with the commencement of the Service Agreement and shall remain in effect between the Parties for as long as the Data Processor processes Personal Data on behalf of the Data Controller in accordance with the Service Agreement. This data processing agreement shall automatically terminate without prior notice when the Service Agreement ceases to apply.
Amendments and additions to this agreement shall, in order to be valid, be communicated in accordance with the Terms of the Service Agreement. This clause does not prevent the Data Controller from modifying or issuing additional written instructions in accordance with this agreement, provided that such additional changes may result in the Data Processor terminating the Service Agreement in accordance with the Terms.
Upon termination of the Agreement, the Data Processor shall delete personal data in accordance with the Instructions.
Assignment of this data processing agreement may take place in accordance with the provisions on assignment in the Service Agreement and only in connection with the assignment of the Service Agreement.
Subprocessors per 2024-09-25
Oderland Webbhotell AB
Organization number: 556680-8746
Services: Hosting provider of web hotel services and corresponding security services.
Data residency: Within EU/EES, Sweden
Verksamhetsfokus Sverige AB
Organization number: 559105-6501
Services: Consultancy services within development, support, issue management and provider of communication services (through Microsoft 365).
Data residency: Inom EU/EES
- Amendment as of 2024-12-29: Updated with clarification regarding the number of users included in the base license.
Amendment as of 2025-02-02: Updated regarding the right of use for fully publicly owned entities (such as government agencies and authorities, regions, municipalities, municipal companies, and publicly owned interest organizations and associations).
Amendment as of 2025-08-22: Removed the requirement for the number of customer instances for partnership. ↩︎ - Amendment as of 2024-12-29: Updated section 14. Prices and Payment Terms with a clarification that invoicing for the Service is done in arrears unless a partner connection is to be activated or the Service is to be operated in the customer’s operating environment. ↩︎