Last review: 16.12.2025

Viskan Terms of Service

Table of contents

Definitions

1. General terms

1.1. Order

1.2. Fees

1.3. Notifications

1.4. The Software

1.5. Viskan AI Solutions

2. Right of use

2.1. Customer

2.2. API and Development Accounts

3. Use of data 

4. Data Processing Agreement

4.1. Processing of Personal data

4.2. Subprocessors

4.3. Security

5. Miscellaneous

5.1. Confidentiality

5.2. Intellectual Property Rights

5.3. Warranty

5.4. Liability

5.5. Indemnification

5.6. Termination

5.7. Governing law and dispute resolution

Definitions

Terms may also be used in the plural, e.g. “Parties” or “Users”.

Term

Definition

Affiliate

A legal entity that:
(i) a Party directly or indirectly controls,
(ii) directly or indirectly controls a Party or
(iii) is directly or indirectly under common control with the Party. A legal entity shall be deemed to be controlled by another if that other legal entity has more than fifty percent (50%) of the votes in the entity and is able to direct its operations.

Accounting Office (AO)

Public accountant that provides AO Services to Clients and, if required under applicable regulations, is certified through the applicable Financial Supervisory Authority or other authority that regulates financial markets.

AO Services

Accounting, bookkeeping, auditing services or tax consultancy services.

API

Application Programming Interface.

API Credentials

Keys, tokens or other credentials in use to authenticate, access and use a Viskan API.

API Documentation

Documentation, data and information regarding the use of an API.

Breach*

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

Client

A customer of an Accounting Office. Clients may also be a customer of Viskan, and vice versa.

Controller*

The entity that determines the purposes, conditions and means of the Processing of Personal Data.

Customer

The entity as defined in the Order Confirmation that has entered into this agreement.

Customer Data

Data belonging to the Customer (or Users) and processed by the Software, such as customer databases, invoices and other production data.

Data

A collective term for Customer Data and Usage Data, including Personal Data, data sets, as applicable in context.

Data Processing or Process(ing)*

Any operation performed on the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, erasure or destruction etc.

Data Subject*

A natural person whose Personal Data is Processed by a Controller or Processor.

Development Account

An account whereby an ISV is granted access to Development Environments for the purposes of testing, developing and supporting Integrated Applications, subject to specific terms.

Development Environment

A software development and operations environment provided by Viskan for the testing, development and support of Integrated Applications, subject to specific terms.

Fee(s)

The compensation, payable by the Customer, for the Limited Licence(s) granted by Viskan to the Customer under the Licence Agreement, as set out in the Order Confirmation and Viskan’s price list at the relevant point in time.

Including

Unless the context requires otherwise, the term “including” means “including but not limited to”.

Integrated Application

A non- Viskan software application or service integrated with the Software using a Viskan API, subject to specific terms.

Intellectual Property Rights or IPR

Any and all intellectual and industrial property rights, whether or not registered or registerable, including, but not limited to:
(i) patents, processes, and technology (whether patentable or not);
(ii) know-how, trade secrets, business models, and other confidential information;
(iii) authors' rights (e.g., in computer software, source and binary code and documentation), design rights, database rights, compilation of data, and technical information of all kinds;
(iv) copyrights, trademarks, trade names, and domain names; and
(v) other rights of a similar kind, whether or not registered or registerable, including all applications or rights to apply for, and renewals or extensions of, such rights and all similar or equivalent rights.

Internal Business Operations

In a non Accounting Office scenario, solely the Use of the Software to support the Customer’s own internal operations and/or administration, such as accounting and payments. “Internal Business Operations” shall not include operations and activities related to offering or making the Software available for third parties and similar activities.

ISV

Independent Software Vendor.

Limited Licence

A limited, non-transferable, non-exclusive, and fully revocable right.

Module

A functional package within the Software, such as a logistics module or report builder. Modules may have to be Ordered separately.

Order

An order for the Software (including Users and Modules), including self-service ordering from within the Software, or registering for a Development Account. Order in the TOS is also referred to as "Service Agreement(s)".

Order Confirmation

A confirmation in form of a software contract or separate order confirmation from Viskan specifying the Software (including Users and Modules) and Fees of the Customer’s Order, identifying the Viskan Company which the Customer is contracting, and any additional terms and conditions that apply.

Partner

A non-Viskan company certified as a partner by a Viskan Company.

Party

Viskan or the Customer as defined in the Order Confirmation.

Personal Data*

Any information relating to an identified or identifiable natural person (Data Subject).

Software

Software applications and related services as specified in the Order Confirmation, including modifications, new features, upgrades and data storage.

Processor*

The entity Processing Personal Data on behalf of the Controller.

Software Documentation

Documentation describing Software features, functionality and configuration, such as manuals and help files.

Special Categories of Personal Data* (Sensitive Personal Data)

Any Personal Data related to: Racial or ethnic background; Political opinions and affiliations; Religious beliefs and other beliefs of a similar nature; Trade union membership; Mental and physical health, including sexual orientation; Genetic and biometric data.

Subscription Period

Time period for which the Fees grant the Customer a Limited Licence to Use the Software, as set out in the Order Confirmation. The Subscription Period expires when either Party terminates the Licence Agreement (as defined below) in accordance with section 5.6.

Third Party Component

Software or IPR from a third party that is provided by Viskan as part of or in connection with the Software.

Usage Data

Certain data collected from and/ or generated from the Software and the use thereof.

Use

Any and all lawful actions performed on or with the Software by the Customer (including Users) or on its behalf.

User

A named individual user of the Software. Users may be employees of the Customer, or anyone granted a User account by the Customer, such as a consultant or accountant, or a Development Account user.

Viskan

The company in the Viskan Group as defined in the Order Confirmation, with which the Customer has entered into this Licence Agreement.

Viskan AI solutions

AI-powered (solutions based on artificial intelligence and/or using artificial intelligence) solutions such as applications, features, functions, AI assistants, AI agents and similar solutions offered by Viskan as a part of the platform or served by Viskan separate from the platform.

Viskan API

An API for the Software, provided by Viskan for the purpose of integrating third party software applications and services.

Viskan Company

A company within the Viskan Group.

Viskan Group

Viskan System AB and all its subsidiaries, either directly owned by Viskan System AB or indirectly through one of Viskan System AB’ subsidiaries or Affiliates.

*These terms shall have the same meaning and interpretation as in applicable privacy legislation, and are referenced here for convenience.

1. General terms

1.1. Order

1.1.1. The Customer orders the Software from Viskan through an Order, either directly by phone, email, webpages, in-product web shops, or through a Partner with their procedures for providing Client access to the Software.

1.1.2. These terms of service (the “Terms of Service” or “TOS”) are standard terms that govern the use of the Software. By:
(i) placing an Order,
(ii) signing the Order or the TOS, or
(iii) clicking or marking “I accept”, the Customer understands and accepts that the Customer enters into a legally binding Licence Agreement (as defined below) with Viskan which, unless otherwise set out in the Order Confirmation, becomes effective once Viskan issues an Order Confirmation. Viskan is not bound by the Licence Agreement before Viskan has issued an Order Confirmation and may, at its own discretion, choose not execute a contract with the Customer at any time before the Order Confirmation is issued. Only individuals with administrative, purchasing and representation rights for their company may do so.

1.1.3. The following information may appear in the Order Confirmation and invoice, depending on Software:

(i)The name of the Viskan Company the Customer is contracting with;

(ii)Software, Users and Modules the Customer has Ordered;

(iii)Fees for the Software Ordered;

(iv)Termination terms for a subscription or the customer relationship;

(v)Any additional terms and services as agreed between the Parties.

1.1.4. Unless agreed otherwise in writing, the TOS and Order Confirmation constitute the entire agreement for the Software (together the “Licence Agreement”). The Licence Agreement prevails in the event of a conflict between the Licence Agreement and any other agreement entered into between the parties. Other services from Viskan or a Partner, such as training, implementation or customisation, are not covered by the Licence Agreement.

Viskan has the right to assign its rights and obligations under the Licence Agreement to a third party without the Customer’s consent. Viskan has the right to make changes to the TOS.

1.1.5. Viskan may change the Licence Agreement by notifying the Customer in accordance with 1.3.1 and 1.3.2, as applicable. The changes become effective as of the date set out in the relevant notice. The Customer’s continued use of the Software after the changes have become effective constitutes the Customer's acceptance of the changes. If the Customer objects to any changes to the Licence Agreement, the Customer may terminate the Licence Agreement in accordance with section 5.6.1.

The latest version of the TOS is at all times available at https://media.viskan.com/v2/viskanprod/original/Viskan-TOS.pdf

1.2. Fees

1.2.1. The Customer agrees to timely pay Viskan the Fees in accordance with the Order Confirmation and the, at the relevant time up-to-date, price list made available online or in-Software.

1.2.2. Unless otherwise agreed in writing (e.g., in sections 1.4.4 and 1.4.5), all Fees are due on the date set out in the relevant invoice and non-refundable, with no refund for unused transactions, Users, Software or remaining days in a Subscription Period. That is unless the Software availability has been significantly reduced for reasons solely attributable to Viskan. Viskan may at its discretion and as the sole remedy, offer a reasonable refund for Fees accrued during such period of reduced availability.

1.2.3. Fees are exclusive of all taxes, levies and duties. Unless agreed otherwise, Viskan will add the applicable value added tax (VAT) to the invoice.

1.2.4. Viskan reserves the right to change the Fees and/or the Fee model, on three months’ notice in accordance with section 1.3.1 up to two times per year for any individual Software, and on one month notice if a subcontractor increases its prices towards Viskan. Further, Viskan has an annual right to increase prices in accordance with general price and cost level developments without notice and with effect from the 1st of January each year. By default, Viskan updates prices annually based on the Labour Cost Index in Sweden, with a minimum update of +2,0%.

1.2.5. In the event of the Customer’s non-payment or late payment of the Fees, Viskan reserves the right to suspend the Customer’s access to the Software or restrict the access to read-only, and charge penalty interest as permitted by law, with unpaid invoices sent to collection. If not resolved within a reasonable time, Viskan reserves the right to terminate the Customer’s right of use to the Software c.f. 5.6.

1.3. Notifications

1.3.1. Information about new features, price changes or planned maintenance, will be delivered inside the Software, on the Software’s webpages, online community, as an invoice attachment or by email.

1.3.2. Notifications regarding Order Confirmations, contract changes (other than changes mentioned in section 1.3.1), information of particular importance, security or privacy, will be sent to the Customer’s contact email.

1.3.3. The Customer is responsible for providing at all times up to date contact information, including a primary contact email. 

1.3.4. All notices are deemed notified and effective immediately when sent or posted by Viskan.

1.4. The Software

1.4.1. The Customer purchases a right to use, and is granted access to as set forth in this TOS, the Software as it is made available online by Viskan, or installed on the Customer’s computers. Software installed on the Customer’s computers may contain embedded online components and Software.

The Customer must not reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code from the Software or parts thereof.

1.4.2. Support for login- or account issues or functional issues in the Software, or additional support such as user training, consulting or implementation may be purchased separately from Viskan or a Partner.

1.4.3. The Software is provided “as is” as standard software, without any expressed or implied representations or warranties of any kind. The Customer may access and use online Software as it is provided at any given time, such Software is not contingent on a particular version nor publications or materials. When Software is installed on the Customer’s computers, the Customer is responsible for using a supported version.

1.4.4. Viskan reserves the right to make improvements, add, change or remove functionality, or correct issues or omissions in the Software at its sole discretion without any obligation or liability accruing therefrom. In the event a modification disables functionality that forms a material part of the Software permanently or for more than two months, the Customer may terminate the subscription only for the affected Software, and request a pro-rated refund for any remaining Fees paid in advance for the affected Software.

1.4.5. Viskan has the right to discontinue any Software or its availability in a particular market on twelve months prior notice, unless the discontinued service is caused by force majeure circumstances outlined in section 5.4, where shorter notice periods may apply. The Customer is entitled to request a pro-rated refund for any Fees paid in advance for the period following the discontinuation. The Customer must cease using the Software after notified discontinuation and is not entitled to make any further claims against Viskan.

1.4.6. Certain Software may be subject to additional terms or restrictions, such as limitation on storage space or transactions. Some features, such as payment, may require separate registration on websites, as specified in the Order Confirmation or within the Software.

Specific terms concerning payment, reporting and financial services

1.4.7. The Customer authorises Viskan to, on the Customer’s behalf, place and authenticate invoices, payments, governmental reports (e.g. SAF-T) and information such as bank statements, made by or sent to the Customer using the Software, between the Customer’s banks, authorities, and other business-to-business and business-to-consumer relations. Certain payment Software may assign API Credentials to the Customer used to access, identify and authorise the Customer’s account, and Use of the Software with the payment API.

The Customer is responsible for notifying its banks or other parties of the above authorisation, and accepts any charges incurred from its banks or other related parties when using the Software. If Viskan is invoiced by any such third party when providing the Software, Viskan will re-invoice the Customer for said charges.

1.4.8. Viskan uses invoice networks, including third party networks, such as the PEPPOL network, bank- and mobile payment suppliers and other document and payment networks, as well as third parties for processing invoices, payments and documents, for example for scanning paper invoices. PEPPOL is an international network for electronic exchange of invoices and other business documents, further information and contact points can be found at the PEPPOL web pages (www.peppol.org).

The Customer authorises Viskan to exchange payment profile information, invoices and related business documents and data with such networks and providers as necessary to provide the Software, financial services modules and add-ons. Certain invoice networks such as PEPPOL and other financial services modules or add-ons to the Software, including linked or affiliated third party services, may also require subjecting the Customer to personal identification and other customer due diligence requirements, often referred to as a Know Your Customer (KYC) processes, and/or a credit check or credit score check processes. The Customer accepts that completing, updating and sharing data for a KYC process or credit checks may be a premise for accessing such networks and making use of the Software.

1.4.9. The Customer remains fully responsible for the business content of the datasets exchanged with such networks as mentioned in section 1.4.8, including compliance with applicable laws and regulations, as well as for any resulting business commitment. The Customer can be blocked from networks such as the Peppol network in case of suspected fraud, spam or other criminal acts.

The Customer may notify Viskan in writing not to be registered in the address registers of such networks or notify not to use all or some financial services modules and add-ons, and acknowledges such reservation may limit or disable the Software functionality in whole or in part.

1.5. Viskan AI Solutions

1.5.1. Users are responsible for how they interpret and apply the responses generated and actions performed by Viskan AI solutions. Unless otherwise stated, Viskan AI solutions are provided “as is”, without any express or implied warranties.

Viskan disclaims warranties of merchantability, fitness for a particular purpose, and non-infringement, and assumes no liability for consequences resulting from incorrect or inappropriate outputs.

1.5.2. Customer inputs and AI-generated outputs may be used internally to improve response quality and overall functionality.

Personal data must not be entered into Viskan AI solutions, and no personal data should be provided as input.

Any personal data that Viskan processes on behalf of the customer is subject to the applicable Terms of Service or other agreements between Viskan and the customer.

1.5.3. Viskan may update or further develop Viskan AI solutions on an ongoing basis. This may include improvements to functionality, performance, and user experience. Continued use of Viskan AI solutions after updated terms are published is considered acceptance of the terms of service.

2. Right of use

2.1. Customer

2.1.1. Subject to the Customer’s compliance with the Licence Agreement, Viskan grants the Customer, and its Affiliates (if Affiliates are included in the Order Confirmation), a Limited Licence to access and Use the Software, solely for Internal Business Operations. For Accounting Offices and Clients, please refer to 2.2.

2.1.2. The Customer is responsible for the legality of User actions and administration, integrations by third parties and for the Customer Data. The Customer must not, and undertakes to ensure that Users, and any other third parties the Customer is responsible for, do not transfer harmful code, unlawful data or viruses to or with the Software, or use the Software in or for any unlawful manner or purpose or in breach of the Licence Agreement.

2.1.3. User accounts are for single named individuals and may only be assigned to third parties performing normal usage of the Software on behalf of the Customer, such as accountants, auditors, and consultants.

2.1.4. The Customer will not share usernames and passwords to user accounts to any third party without Viskan’s written consent.

2.1.5. For avoidance of doubt, the Customer, its Affiliates, or any other third parties the Customer is responsible for, may not assign or transfer any rights or obligations under the Licence Agreement, including the Limited Licence to the Software, to any entity in whole or in part, including in connection with mergers, demergers or bankruptcy or to the Customer’s stakeholders, without prior written authorisation from Viskan.

2.2. API and Development Accounts

2.2.1. Subject to the Customer’s compliance with the TOS, the Customer is granted a Limited Licence to Use the Viskan API to integrate non-Viskan software applications with the Software (Integrated Application).

2.2.2. Using Viskan API as a Customer, developer or ISV, establishing Development Accounts and being granted access to Development Environments is subject to actively accepting additional terms and Partner Agreements available.

The API, the Development Environments, their documentation and Customer communities are fully owned by Viskan, and all are provided “as is” without any warranties in regards to availability, uptime, quality or fitness for the Customer or developers needs or requirements, and the Customer is solely liable for any damage brought by using them. Viskan may at its discretion and at any time with reasonable notice revoke and terminate the Limited Licence to Use the Viskan API.

Development Accounts or Developer Environments may further be closed, revoked, terminated or limited upon suspicion of over-use, misconduct, lack of security, a breach of terms, data processing laws or intellectual property laws, or unlawful Use. Viskan reserves the right to charge additional Fees for any Viskan API or Development Environment, current or future, including making the right of use or sale of Integrated Applications contingent upon payment of such Fees.

3. Use of data

3.1.When using the Software, the Customer, Users, Clients, and other third parties using the Software on behalf of the Customer, including Affiliates, if applicable, will add Customer Data to the Software and generate Usage Data, collectively referred to as Data. Data may contain both Personal Data and non-Personal Data. For more information regarding how Viskan Processes Personal Data, see section 4.

3.2. Data consists of:

(i) Technical information and traffic data (Usage Data), such as the type of operating system, browser type, device, browser language and IP address;

(ii) Customer- or user- generated data (Usage Data), such as page views, clicks, inactivity, session durations, number of sent invoices, expenses filed, accounting years created, password resets, context and content of support tickets, chat boxes, security logs and similar; and

(iii) Production data (Customer Data), such as images, files, invoices or any data included in the Software by the Customer as part of using the Software.

3.3. The Customer hereby grants Viskan and its Affiliates a non-exclusive and transferable right to access and use the Data for the following purposes:

(i) Software and user experience improvement, typically by aggregating and analysing usage patterns and indicated needs brought by the Users, Customers and Clients, enabling individual or customised user experiences by, for instance, offering to enable relevant additional modules or services tied to the Software based on user patterns, suggest more efficient ways of making use of the Software by analysing the usage of the Software, or otherwise enhance the Software and features thereto.

(ii) Marketing and displaying relevant information, for example for complimentary or value-adding Software or new features, seek to avoid providing marketing for Software the Customer has already subscribed to and providing relevant market updates or information within the Software to educate Customers and Users.

(iii) Security and related purposes, for example by analysing session and login data, incident records and similar in order to prevent, investigate and document security issues and incidents and improve the security of the Software.

(iv) Statistics and research, typically by analysing the amount and trend of invoices, payments or expenses etc. going through our systems, including the Software, using such aggregated and anonymous statistics in general marketing and reporting, and as part of developing value-adding Software such as additional modules, features or services tied to the Software.

(v) Compliance. Viskan may use Data for compliance purposes, for example by logging when a Customer accepts the TOS, fulfilling KYC or credit check purposes according to legislation or as part of operating the Viskan security program.

(vi) Contractual obligations. Viskan may use the Data for the purpose of fulfilling its contractual obligations towards the Customer.

3.4. Viskan may also use relevant information from public or commercially available sources and registers, and combine such information with Data as outlined above.

3.5. To the extent the Data contains Personal Data, Viskan undertakes to process such Personal Data in accordance with the data processing terms included in section 4, if Viskan is the Processor with respect to the relevant Personal Data. To the extent Personal Data is part of such Data processing, it shall primarily be anonymized, because identifying named individual users is seldom of any relevance for these purposes. If anonymization is not possible, due to technical or practical reasons, Viskan shall take alternative compensating measures to enhance protection, taking into account the requirements brought by the data processing terms included in section 4.

3.6. Viskan may share Data with its Affiliates, vendors and Partners in order to deliver the Software and fulfill the purposes outlined in section 3.3, including offering additional modules, services and add-ons, service improvements and comply with the rights and obligations according to the TOS. The Data may be shared with third parties as a part of a commercial cooperation tied to the Software, typically to develop and offer additional modules or add-ons to the Software.

3.7. Viskan will only share Data with public authorities or other third parties in the following situations:

(i) to comply with law or regulation, or to respond to a legally binding request such as a court order or warrant;

(ii) to deliver the Software according to this TOS;

(iii) to investigate or prevent security threats or fraud; or

(iv) a reorganisation, merger, sale or purchase of Viskan in part or whole, where Confidential Information may be disclosed to other companies in the Viskan Group, or to prospective purchasers and trusted advisors, that observe the obligations set forth herein by entering into a confidentiality agreement.

3.8. Viskan will promptly notify the Customer of requests from governmental authorities regarding disclosure of Data, unless such notification is legally prohibited or if such notification is taken care of by the governmental authorities themselves.

3.9. Viskan is entitled to compile, collect, copy, modify, publish, assign, combine with other data, and otherwise use anonymous and aggregate data generated from or based on Data both during and after the termination of the agreement between the Customer.

4. Data Processing

4.1. Introduction

4.1.1. This section 4 only applies to Viskan’s Processing of Personal Data as a Processor on behalf of the Customer.

4.1.2. Customer confirms to have the power of attorney to comply with all requirements in section 4. Data Processing.

4.1.3. If the Controller changes the contact person(s) mentioned in the table above, the Processor must be informed of this in writing.

4.1.4. The categories of Data Subjects and Personal Data, as well as the nature and duration of the Processing are outlined by this TOS, the Order Confirmation, the Customers use of the Software, and the document mentioned in clause 4.1.7 below or additional addendums entered into writing between the Parties, if applicable.

4.1.4. It is the Customer that submits the Personal Data into the Software, and thereby decides what kind of Personal Data Viskan Processes and who the Data Subjects are. This may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

• Customer’s employees;
• Customer’s own customers, including Clients.

4.1.5. The Customer may submit Personal Data into the Software and Processing may include, but is not limited to, the following categories of Personal Data:

• First and last name;
• Contact information (company, email, phone, physical business address);
• IP address;
• Professional life data;
• Personal life data;
• Invoicing, expense or payroll data.

4.1.6. The Customer undertakes to create and maintain an up-to-date document solely listing the Personal Data and Data Subjects subject to Processing pursuant to this section 4, which shall be considered a part of the Licence Agreement, complementing the list of Data Subjects and Personal Data set out above. For avoidance of any doubt, the Customer ensures that it will not include any other information, terms, or conditions in the document and agrees that the document only forms part of the agreement between the Parties in so far as it lists the Data Subjects and Personal Data reasonably meant to be subject to Processing in light of the purpose of the agreement. Any other information, terms, or conditions set out therein will be considered null and void.

4.1.7. The nature of the Processing includes collection, structuring, storage, alteration, retrieval, use, analysing, disclosure by transmission, anonymisation, erasure, and destruction.

4.1.8. The purpose of the Processing is to deliver the Software, and ancillary services, if applicable, pursuant to the TOS and the Order Confirmation.

4.1.9.The Personal Data Viskan Processes as a Processor on behalf of the Customer will be Processed for the duration of the Licence Agreement, unless the Customer instructs Viskan in writing to cease such Processing.

4.2. Definitions

4.2.1. The definition of Personal Data, Special Categories of Personal Data (Sensitive Personal Data), Processing of Personal Data, Data Subject, Controller and Processor is equivalent to how the terms are used and interpreted in applicable privacy legislation, including the EU 2016/679 General Data Protection Regulation (“GDPR”).

4.3. The Processor’s rights and obligations

4.3.1. The Processor shall only Process Personal Data on behalf of and in accordance with the Controller’s written instructions. The Controller instructs the Processor to process Personal Data in the following manner; i) only in accordance with applicable law, ii) to fulfil all obligations according to the Service Agreement(s), iii) as further specified via the Controller’s ordinary use of the Processor’s services and iv) as specified in the TOS.

4.3.2. The Processor has no reason to believe that legislation applicable to it prevents the Processor from fulfilling the instructions mentioned above. The Processor shall, upon becoming aware of it, notify the Controller of instructions or other Processing activities by the Controller which in the opinion of the Processor, infringes applicable privacy legislation.

4.3.3. The categories of Data Subject’s and Personal Data subject to Processing according to the TOS are outlined in Appendix A.

4.3.4. The Processor shall ensure the confidentiality, integrity and availability of Personal Data are according to the privacy legislation applicable to The Processor. The Processor shall implement systematic, organisational and technical measures to ensure an appropriate level of security, taking into account the state of the art and cost of implementation in relation to the risk represented by the Processing, and the nature of the Personal Data to be protected.

4.3.5. The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible and taking into account the nature of the Processing and the information available to the Processor, in fulfilling the Controller’s obligations under applicable privacy legislation with regards to request from Data Subjects, and general privacy compliance under the GDPR article 32 to 36.

4.3.6. If the Controller requires information or assistance regarding security measures, documentation or other forms of information regarding how the Processor processes Personal Data, and such requests exceed the standard information provided by the Processor to comply with applicable privacy legislation as Processor, the Processor may charge the Controller for such request for additional services.

4.3.7. The Processor and its staff shall ensure confidentiality concerning the Personal Data subject to Processing in accordance with the TOS. This provision also applies after the termination of the Order.

4.3.8. The Processor will, by notifying the Controller without undue delay, enable the Controller to comply with the legal requirements regarding notification to data authorities or Data Subjects about privacy incidents.

Further, the Processor will to the extent it is appropriate and lawful notify the Controller of;

i) requests for the disclosure of Personal Data received from a Data Subject,

ii) requests for the disclosure of Personal Data by governmental authorities, such as the police

4.3.9. The Processor shall ensure that persons that have the right to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3.10. The Processor will not respond directly to requests from Data Subjects unless authorised by the Controller to do so. The Processor will not disclose information tied to the TOS to governmental authorities such as the police, hereunder Personal Data, except as obligated by law, such as through a court order or similar warrant.

4.3.11. The Processor does not control if and how the Controller uses third party integrations through the Processor's API or similar, and thus the Processor has no ownership to risk in this regard. The Controller is solely responsible for third party integrations.

4.3.12. The Processor might process Personal data about users and the Controllers use of the service when it is necessary to obtain feedback and improve the service. The Controller grants the Processor the right to use and analyse aggregated system activity data associated with your use of the Services for the purposes of optimising, improving or enhancing the way the Processor provides the services and to enable the Processor to create new features and functionality in connection with the services. Viskan System AB shall be considered the Controller for such processing and the processing is therefore not subject to the TOS.

4.3.13. When using the service, the Controller will add data to the Software (“Customer Data”). The Controller acknowledges and does not object to the Processor using Customer Data in an aggregated and anonymized format for improving the services delivered to customers, research, training, educational and/or statistical purposes.

4.3.14. Viskan has no intention to make money by assisting our customers with GDPR compliance. Quite the opposite, we want to use our GDPR efforts as a competitive advantage. However, Viskan does see that Customer requests vary in time and scope and on this basis we reserve the right to invoice our assistance subject to prior notification.

4.4. The Controller’s rights and obligations

4.4.1. The Controller confirms by approving the terms in the TOS that:

• The Controller has legal authority to process and disclose to the Processor (including any subprocessors used by the Processor) the Personal Data in question.

• The Controller has the responsibility for the accuracy, integrity, content, reliability and lawfulness of the Personal Data disclosed to the Processor.

• The Controller has fulfilled its duties to provide relevant information to Data Subjects and authorities regarding processing of Personal Data according to mandatory data protection legislation.

• The Controller shall, when using the services provided by the Processor under the Service Agreement(s), not communicate any Sensitive Personal Data to the Processor, unless this is explicitly agreed in a separate contract between Customer and Viskan.

4.5.1. As part of the delivery of services to the Controller according to the TOS, the Processor will make use of subprocessors and the Controller gives its general consent to usage of subprocessors. Such subprocessors can be other companies within the Norvato group or external third party subprocessors. The Processor shall ensure that subprocessors agree to undertake responsibilities corresponding to the obligations set out in the TOS.

4.5.2. If the subprocessors are located outside the EU or the EEA, the Controller gives the Processor authorisation to ensure proper legal grounds for the transfer of Personal Data out of the EU /EEA on behalf of the Controller, hereunder by entering into EU Standard Contractual Clauses (SCCs).

4.5.3. The Controller shall be notified in advance of any changes of subprocessors that Process Personal Data. If the Controller objects to a new subprocessor within 30 days after a notification is given, the Processor and Controller shall review the documentation of the subprocessors compliance efforts in order to ensure fulfilment of applicable privacy legislation. If the Controller still objects and has reasonable grounds for this, the Controller can not reserve themselves against the use of such a subprocessor (due to the nature of online standard Software in particular), but the Customer may terminate the Service Agreement(s) for which the subprocessor in dispute is being used for.

4.6. Security

4.6.1. The Processor is committed to provide a high level of security in its products and services. The Processor provides its security level through organisational, technical and physical security measures, according to the requirements on information security measures outlined in the GDPR article 32.

4.6.2. The Service Agreement sets forth the measures or other data security procedures that the Processor implements in the Processing of the Personal Data. The Controller shall be responsible for the appropriate and adequate security of the equipment and the IT environment under its responsibility.

4.7. Audit rights

4.7.1. The Controller may audit the Processor’s compliance with the TOS up to once a year. If required by legislation applicable to the Controller, the Controller may request audits more frequently. To request an audit, the Controller must submit a detailed audit plan at least four weeks in advance of the proposed audit date to the Processor, describing the proposed scope, duration, and start date of the audit. If any third party is to conduct the audit, it must as a main rule be mutually agreed between the Parties. However, if the processing environment is a multitenant environment or similar, the Controller gives the Processor authority to decide, due to security reasons, that audits shall be performed by a neutral third party auditor of the Processor’s choosing.

4.7.2. If the requested audit scope is addressed in an ISAE, ISO or similar assurance report performed by a qualified third party auditor within the prior twelve months, and the Processor confirms that there are no known material changes in the measures audited, the Controller agrees to accept those findings instead of requesting a new audit of the measures covered by the report.

4.7.3. In any case, audits must be conducted during regular business hours at the applicable facility, subject to the Processors policies, and may not unreasonably interfere with the Processors business activities.

4.7.4. The Controller shall be responsible for any costs arising from the Controller’s requested audits. Requests for assistance from the Processor may be subject to fees.

4.8. Term and termination

4.8.1. The TOS is valid for as long as the Processor processes Personal Data on behalf of the Controller after the Service Agreement(s) or as otherwise stated in Appendix A.

4.8.2. The TOS is automatically terminated upon termination of Service Agreement(s). Upon termination of the TOS, the Processor will delete or return Personal Data processed on behalf of the Controller, according to the applicable clauses in the Service Agreement(s). Such deletion will take place as soon as reasonably practicable, unless EU or local law requires further storage. Unless otherwise agreed in writing, the cost of such actions shall be based on; i) hourly rates for the time spent by the Processor and ii) the complexity of the requested process.

4.9. Changes and amendments

4.9.1. If any provisions in the TOS become void, this shall not affect the remaining provisions. The Parties shall replace the void provision with a lawful provision that reflects the purpose of the void provision.

4.10. Liability

4.10.1. For the avoidance of doubt, the Parties agree and acknowledge that each Party shall be liable for and held accountable to pay administrative fines and damages directly to data subjects which the Party has been imposed to pay by the data protection authorities or authorised courts according to applicable privacy legislation. Liability matters between the Parties shall be governed by the liability clauses in the Service Agreement(s) between the Parties.

Appendix A - Data subjects, Types of personal data, Purpose, Nature, Duration

A.1. Categories of Data Subjects

• Customer end users
• Customer contact persons
• Customer customers

A.2. Categories of Personal Data

• Contact information such as name, phone, address, email etc.
• Purchase data such as products purchased, dates, prices etc. connected to customer’s customers.

A.3. Special categories of Personal Data (Sensitive Personal Data)

The processor shall not process any kind of special (sensitive) personal data, listed below:

• Racial or ethnic origin, or political, philosophical or religious beliefs
• Health information
• Sexual orientation
• Trade union membership
• Genetic or biometric data

A.4. Purpose of the processing

The purpose of the data processor’s processing of personal data on behalf of the data controller is:

• To enable delivering of services in accordance with the Service Agreement(s).

A.5. Nature of the processing

The data processor’s processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):

• Storing/hosting, adding/changing, reporting, sending.

A.6. Duration of the processing:

The duration of the processing of personal data is for as long as the Service Agreement(s) applies.

The Processor may engage other EU/EEA located companies in the Norvato Group as subprocessors without the Norvato company being listed above and without prior approval or notification to the Controller. This is usually for the purposes of development, support, operations etc. 

5. Miscellaneous

5.1. Confidentiality

5.1.1. Each Party may disclose or obtain information from the other Party that should reasonably be understood to be proprietary, confidential or competitively sensitive (“Confidential Information”). The Parties shall hold Confidential Information in confidence and take reasonable measures to protect the other Party’s Confidential Information, and not disclose it to third parties unless authorised by the other Party to do so, or if required under mandatory provisions of law or regulations or pursuant to court orders.

5.1.2. Confidential Information does not include

a) information the recipient can demonstrate was in the recipient’s possession or knowledge prior to entering into the TOS;

b) is or becomes publicly available through no fault of the recipient;

c) is received by the recipient from a third party without a duty of confidentiality; or

d) is independently developed by the recipient.

5.1.3. Viskan may disclose Confidential Information to Affiliates, Partners, subprocessors, or subcontractors to the extent necessary to provide the Software according to the TOS. The Confidential Information may also be shared for the purposes mentioned in section 3.6.

5.1.4. The confidentiality obligations set out in this section 5.1 lapse three years after the expiry of the Licence Agreement, unless otherwise is stipulated by law or regulations.

5.2. Intellectual Property Rights

5.2.1. Viskan, or its licensors where applicable, is the owner of, and retains ownership to, the Software and all related Intellectual Property Rights in and to the Software and any other services provided under the TOS, including any IPR arising out of Viskan’s processing of Data. With the sole exception of the Limited Licence(s) explicitly granted to the Customer under the Licence Agreement, nothing in the Licence Agreement constitutes a transfer of, or licence to, any IPR from Viskan or its licensors to the Customer.

5.2.2. Where IPR from a third party is part of the Software provision (“Third Party Components”), such Third Party Components are also subject to the TOS, unless separate terms are supplied, in which case the licensing terms for the Third Party Component shall prevail. If the Third Party Component is open source, then under no circumstance shall the Software, except for the Third Party Component, be deemed to be open source or publicly available software. Where a Third Party Component requires Viskan to provide licence or copyright attribution, this will be available from the “About box” in the Software or Software Documentation or Viskan customer contact person.

5.2.3. To the extent Viskan not already has the exclusive ownership thereto, the Customer hereby irrevocably and perpetually assigns to Viskan the worldwide, fully-paid-up, and royalty-free ownership of:

(i) anonymised and aggregated Data; and

(ii) all rights, titles, and interests, including Intellectual Property Rights, in and to, any application programming interfaces accommodating the integration of the Software with other platforms or software, and other developments designed to facilitate the interaction between the two, if not solely developed and implemented by the Customer. The preceding includes the right to use, modify, and further assign such rights, titles, interests, content, and information.

5.2.4. In the event of infringement of IPR, Viskan or its licensors may take all reasonable steps to protect its interests as available by law. The Customer, or its Clients as applicable, is the owner of the Customer Data and IPR in and to the Customer Data.

5.3. Warranty

5.3.1. Viskan shall use commercially reasonable efforts to ensure that the Software will perform substantially as described in the Software Documentation during the Subscription Period, provided it is properly configured (including the Customer’s choice of browser) and updated to a supported version. Supported versions may differ and are available from the Software Documentation. The Customer agrees that the Software and delivery will not be completely error free and that Software improvement is a continuous process.

5.3.2. Viskan does not warrant that the Software will meet the Customer’s requirements, operate correctly with the Customer’s choice of equipment, systems or settings, setup, configuration, modifications, plugins or integrations not performed or controlled by Viskan, or if delivered over the internet, be uninterrupted. Viskan is not responsible for the internet, internet service providers nor the Customer’s internet connection.

5.3.3. If the Software does not function in accordance with the limited warranty specified in this section 5.3, Viskan shall correct confirmed errors or defects in the Software at its own expense. “Confirmed errors or defects” means errors or defects that are reproducible by Viskan and/ or confirmed through Viskan’s support channels, and which occur during the Subscription Period. Viskan may choose to replace the Software or functionality instead of performing a correction.

5.3.4. If the confirmed error or defect is of a material nature, meaning that the Customer’s ability to use the Software is significantly reduced, and Viskan does not correct confirmed errors or defects or replace the Software within a reasonable period of time, c.f. 5.3.3, the Customer may terminate the Limited Licence for the affected Software. In such a case, the Customer has the right to a pro-rated refund for any Fees for the remaining Subscription Period for the affected Software, starting from the month following verification by Viskan of the errors or defects.

5.3.5. Except as expressly set forth herein, the Customer shall not be entitled to make any claims against Viskan.

5.3.6. Links to websites not controlled by Viskan that appear in the Software, associated webpages or documentation are provided for convenience only. Viskan is not responsible for such websites.

5.4. Liability

5.4.1. Viskan is not responsible or liable for the Customer Data, including its content, ownership and legitimacy, nor for Use or other activities performed upon the Customer Data by the Customer.

5.4.2. Viskan’s liability is limited to direct damages. Viskan shall not be liable for any indirect, incidental, consequential, punitive or special losses or damages, including but not limited to any loss of profit, loss of revenue, loss of business, loss of Data, lost savings, claims from third parties, loss of goodwill etc.

5.4.3. Total accumulated liability for Viskan during the Subscription Period shall in total not exceed an amount equalling 12 months’ license fees for the affected Software immediately preceding the event giving rise to liability.

5.4.4. Neither Party shall be liable for delay or failure in performance arising out of force majeure, including earthquake, riot, labour dispute, pandemics, swift or new temporary legislation pertaining to the internet, governmental or EU sanctions and other events similarly outside the control of the Parties. Cyber attacks that Viskan has not been able to prevent by reasonable measures are regarded as a force majeure event. In the event of legislation, directives or regulations being changed swiftly, or new legislation or directives being passed after the Software have been made available, preventing Viskan from fulfilling obligations under the TOS, in whole or in part, temporarily or indefinitely, this shall be considered a force majeure event.

If a subcontractor extraordinarily increases its fees towards Viskan partially or fully due to a force majeure event, or if Viskan due to a force majeure event is required to switch to a subcontractor with increased fees to sustain Software delivery, Viskan reserves the right to adjust its Fees towards the Customer accordingly and with notice as specified in 1.2.4.

5.4.5. The Customer acknowledges that the internet is an open system and that Viskan does not warrant or guarantee that third parties may not intercept or modify the Data. Viskan is not liable for such misuse, disclosure or loss.

5.5. Indemnification

5.5.1. Viskan undertakes, at its own expense, to indemnify the Customer against damages resulting from a third-party claim against the Customer asserting that the Software provided to the Customer under the Licence Agreement, or Use thereof, infringes the third party’s IPR, if the claim has been finally settled in favour of the third party by a competent court or in a settlement approved by Viskan.

5.5.2. Viskan’s obligation to indemnify the Customer pursuant to section 5.5.1 only applies if:

(i) the Customer notifies Viskan immediately upon becoming aware of the claim;

(ii) the Customer gives Viskan full control of the negotiations, legal processes, and settlement, if applicable;

(iii) the Customer cooperates with Viskan in accordance with Viskan’s reasonable instructions;

(iv) the claim is not related to, or caused by, the Customer’s breach of the TOS or Viskan’s instructions for preventing or mitigating the potential or actual IPR infringement; and

(v) the claim is not related to, or caused by, use, modification, integration, or customisation not carried out, or approved in writing, by Viskan.

5.5.3. Upon becoming aware of a potential or actual IPR infringement, Viskan may at its discretion:

(i) modify the Software so that it is not in conflict;

(ii) replace the Software, or parts thereof, with a functionally equivalent software,

(iii) obtain a licence for the Customer’s continued use of the Software; or

(iv) revoke the Customer’s Limited Licence to Use the Software against a refund of Fees paid in advance for the part of the Subscription Period exceeding the termination date. The remedies set out in this section 5.5 are the Customer’s sole remedies with respect to third-party IPR infringement claims.

5.5.4. The Customer shall, at its own expense, defend Viskan against claims or litigation where a third party claims that the Data, or use thereof, or the Customer’s use of the Software in violation with the Licence Agreement:

(i) is in conflict with or infringes the third party’s IPR or other rights; or

(ii) is in breach of applicable law. Viskan shall without undue delay notify the Customer of such claims.

The Customer shall indemnify Viskan for damages imposed under a court-approved settlement or court ruling, including lawyer fees, provided that Viskan reasonably cooperates at the Customer’s expense and gives the Customer control of the legal process and settlement.

5.6. Termination

5.6.1. The Customer and Viskan may terminate individual Software for convenience, in writing, according to the terms specified in the Order Confirmation. Terms may vary from Software to Software. Unless otherwise agreed in writing between the Parties, including in the Order Confirmation, the Parties may terminate the Licence Agreement for convenience upon two months’ prior written notice, effective as of the last day of the second month.

5.6.2. Viskan shall always have the right to terminate the Licence Agreement with immediate effect if:

(i) the Customer or its management has been sentenced or suspected to violate the local laws or

(ii) the Customer or its management is or becomes subject to, or operates in a country that is or becomes subject to, the sanctions imposed by the EU or United Nations from time to time.

5.6.3. If a breach of the Customer’s obligations under the Licence Agreement is confirmed or suspected on reasonable grounds, or if the Customer files for a petition in bankruptcy or insolvency or assigns a substantial portion of its assets to the benefit of creditors, or the Customer commits or threatens Viskan to make unlawful or offensive actions, Viskan may suspend the Customer’s access or restrict it to read-only, until the matter is resolved. Viskan gives prior notification and the Customer reasonable time to respond before restricting access, and reserves the right to terminate the Limited Licence(s) granted herein and the Licence Agreement if the Customer fails to remedy or correct its actions.

Viskan may at its discretion terminate the Limited Licence(s) granted herein with immediate effect if the Customer is in material breach of the Licence Agreement.

5.6.4. Upon termination, or when the Customer instructs Viskan in writing to cease the relevant Processing of Personal Data on behalf of the Customer, Viskan will delete the Personal Data from its systems within reasonable time, unless mandatory provisions of law or court orders require otherwise. In the event Viskan is legally required to not delete the Personal Data, Viskan will continue to maintain the security of the Personal Data as set out in the TOS. The timeframe within which the Personal Data will be deleted varies from Software to Software. After deleting the Personal Data, Viskan has no further obligations towards the Customer in regards to Personal Data processed on behalf of the Customer.

5.6.5. The Customer may request the return of Personal Data within 30 days following termination, or the data may be irrecoverably deleted. Return of Personal Data will be in a format, time and method of delivery determined by Viskan, and may vary from Software to Software. Viskan reserves the right to charge its, at the time, standard rates for such returns.

5.6.6. Immediately upon the termination of the Licence Agreement, for whatever reason, the Limited Licence(s) granted to the Customer are revoked automatically, and the Customer undertakes to cease using the Software.

5.7. Governing law and dispute resolution

5.7.1. The Customer is contracting with the Viskan Company from which the right of use for Software was ordered, as evident from the Order Confirmation and invoice.

5.7.2. The Licence Agreement is governed by and must be construed in accordance with the laws of the country in which Viskan has its head office, excluding any conflict of law provisions. A dispute in connection with, or arising out of, the Licence Agreement, or the use of the Software, shall be attempted to be resolved through amicable negotiations, and the Customer agrees to take part in such, including on e-mail and verbal meetings/phone calls on Viskan's request. If amicable negotiations do not result in a mutually acceptable solution, the Parties agree to refer the dispute to the ordinary courts of the country, and region, in which Viskan has its head office as the exclusive venue. Viskan is entitled to decide that the proceedings shall be held in English, to the extent possible.

5.7.3. The Parties agree not to bring claims arising out of the Licence Agreement when more than one year has passed after its termination.

5.7.4. In cases of doubt over interpretation between the TOS in English and any other language, English shall take precedence.