Dear Lucy General Terms and Conditions of Services

1 Applicability

These General Terms and Conditions of Services apply between the Service Provider and the Customer regarding the purchase of the Service through the Service Provider’s website. By submitting a Purchase Order the Customer accepts these General Terms and Conditions of Services as well as the Service levels appendix, which are both incorporated into the Purchase Order as an appendix. The Service Provider’s written or oral acceptance of the Purchase Order constitutes an Agreement between the Parties. In addition, the Purchase Order shall be deemed to be accepted by the Service Provider if it begins to perform the Service to the Customer in accordance with the Purchase Order. In case of any discrepancies between these General Terms and Conditions of Services and the Purchase Order, these General Terms and Conditions of Services shall prevail.

All third-party products and/or services integrated into the Service under this Agreement shall, however, be exclusively governed by the terms and conditions of the third parties in question.

2 Scope of the Agreement

The implementation of the Service shall be performed by the Customer as self-service. Technical support for the use of the Service is provided by Service Provider.

The Customer shall order any additional services related to the Service directly from the Service Provider and the Parties shall agree on the terms and conditions for such additional services separately in writing.

3 Definitions

Agreement shall mean the Purchase Order accepted by the Service Provider, these General Terms and Conditions of Services and the Service levels appendix, by which the Par-ties have agreed on Customer’s right to use the Service.

Customer shall mean the party that purchases the Service from the Service Provider and submits a Purchase Order.

Customer’s Data shall mean the Customer’s data that is stored and used in the Service based on this Agreement.

Free Trial Period shall mean the period during which the Customer is entitled to access and use the Service for free in accordance with this Agreement, and the length of which at a time given shall be specified in the applicable Purchase Order or in Free Trial signup process (in website or similar platform).

Group Company shall mean (i) a company of whose voting shares the Customer holds directly or indirectly at least fifty percent (50 %); (ii) a company which holds directly or indirectly at least fifty percent (50 %) of the Customer’s voting shares.

Implementation Service shall mean the Service Provider’s consulting services relating to the implementation of the Service as agreed in this Agreement, such as integration and parameterization work and other similar services related to the implementation of the Service.

Party shall mean individually either Customer or Service Provider, as the case may be, and Parties shall mean Customer and Service Provider jointly.

Purchase Order shall mean the purchase order that the Customer submits through the Service Provider’s website for the use of the Service.

Service shall mean the Dear Lucy Business Dashboard Cloud, including any updates, improvements, Service Components (if any) and changes to it, provided by the Service Provider and made available to customers as a SaaS service.

Service Package shall mean a form of purchase in which the Service is being purchased by the Customer as a set of certain predefined services or service components at a single fixed price. Service Package is defined in more detail in Service Providers website or in other marketing material made available to Customer. The contents and functionalities of different Service Packages made available by the Service Provider from time to time shall be subject to the Service Provider’s sole discretion.

Service Provider shall mean Dear Lucy Oy, the entity that provides the Service and related services.

4 Customer’s rights and responsibilities

Right to use the Service

The Customer and its Group Companies may use the Service in countries where it has a place of business or another equivalent presence. The Customer’s right to use the Service includes a right to use the Service in processing Customer’s Data in its internal operations. On the basis of this right, the Customer can give access to the Service to its employees or other partners. Except for its partners, the Customer is not entitled to transfer or give the right to use the Service to any third party. The Service Provider shall not be responsible for the Service being suitable for the purpose of use planned or intended by the Customer. The Customer has a right to use the Service for the term of the Agreement.

Applications, devices and data connections

The Customer shall be responsible for obtaining at its own cost all necessary applications, devices and data connections for using the Service.

Entering data into the Service

The Data processed in the Service shall be acquired from solutions used by the Customer. The Customer shall represent and warrant, that the transfer of Customer Data from mentioned Solution to Service is lawful. Furthermore, The Customer shall be responsible for the Data being structured as defined in Purchase Order, valid and in compliant with laws and authoritative regulations. Service Provider shall have no liability whatsover of monetary damages or expenses occurred in case the transfer of the Customer Data from third party solution results breach of contract (e.g. third party IPR rights) between third party solution provider and the Customer. In case third party lisence is required to enable the transfer of Customer Data to Service, Customer is fully liable to cover all costs and expensed related to acquiring and maintaining such lisence.

Passwords of the Service

The Customer shall be obliged to safeguard the passwords and user names related to the Service. The Customer shall be responsible for any use of the Service under its pass-words or user names regardless of the identity of the user. The Customer shall be obliged to notify the Service Provider if there is a reason to suspect or believe that the passwords or user names in question have been accessed by an unauthorised third party.

Contribution obligation

The Customer shall give the Service Provider adequate and, to the best of its understanding, accurate information in the given form and schedule for the performance of the Service and the related support services.

The Customer shall be responsible for any information, instruction and orders it has given to the Service Provider.

5 Service provider’s rights and responsibilities

The Service Provider agrees to perform the tasks it is responsible for as agreed, with care and with the expertise the tasks require.

The Service Provider agrees to ensure that the Service functions in the manner described in the Agreement and any Appendices to it. The Service Provider shall not, however, be responsible for the functionality of the Service in case the non-functionality or error in the Service results from the non-functionality of or error in a third-party product or service integrated into the Service.

The Service Provider agrees to ensure that the Service does not violate laws and authoritative regulations in Finland.

The Service may be, for example, made available in various Service Packages, the contents and extents of which, as well as the prices valid at the time, shall be presented in connection with the submitting of a Purchase Order and on the Service Provider’s website. In case the Customer wishes to extent or reduce the contents of the Service Package purchased, the terms and conditions, as well as the price, for such change, shall be determined by the Service Provider in its sole discretion.

The Service Provider shall always have the right to change the prices charged for the Service if a legislative change (e.g. a tax increase) or an authoritative regulation requires such change. The Service Provider shall also have the right to change prices charged for the Service based on other grounds by informing the Customer 60 days prior to the changes taking effect.

If the Service includes a third party application or product and the third party in question changes its price list, the Service Provider shall have a right to change its prices accordingly. The Service Provider shall notify the Customer of such change at least 30 working days prior to the change becoming effective.

The Customer is entitled to terminate the Agreement on the last day of the initially agreed price level, if it does not accept the changes in the prices.

The Service Provider may monitor and process any anonymous data relating to the use and maintenance or development of the Service (e.g. the load information of the Service etc.).

6 Prices and payment

Service fee

The right to use the Service shall be charged as agreed in the Purchase Order. The right to use the Service shall be charged in advance for agreed periods starting from the commencement of the Service. The charging for the Service shall, however, start only after the termination of the Free Trial Period, if such period is being exploited by the Customer prior to the commencement of the actual chargeable Agreement term. The Service fees charged for the Service after the Free Trial Period shall be determined based on the Service Provider’s prices applicable at a time given.

Service fee concerning Service or Service Packages are based, unless otherwise stated on Order Form or Service Providers website, on the number of users or user bundles, as applicable, in the Service on the first day of a new period.

Professional services

Any consultancy work or other professional services under-taken by the Service Provider and agreed upon separately shall be charged according to the Service Provider’s price list in effect at the time.

Travel expenses

The Service Provider shall have the right to charge ordinary and reasonable travel and accommodation expenses and daily allowances. Furthermore, the Service Provider shall have the right to charge half of the agreed hourly rate for any travel time required by the Service. Any trips made within the metropolitan area of Helsinki shall not be charged.

The expenses and daily allowances shall be charged monthly in arrears.

Terms of payment and VAT

The applicable term of payment is net 10 calendar days from the date of an invoice. Applicable penalty interest shall be in accordance with the Interest Act (633/1982). The Customer shall dispute all or part of any invoice within eight (8) calendar days from the date of the invoice at the latest. The Customer shall, however, pay the undisputed part of the in-voice on the due date of the invoice at the latest. A separate fee shall be charged for any reminder.

VAT in effect at the time of an invoice shall be added to all of the notified prices.

For credit card payments, there is a credit card payment service offered through the Service Provider’s website which is operated and provided by an independent third party payment service provider. The Service Provider shall not be responsible for or have any liability with respect to the said payment service. Service Provider does not process any credit card information of the Customer under or in connection with this Agreement.

7 Changes to the Service

The Service Provider is entitled to change the Service as it sees it fit. The changes made to the Service shall not change the Service in a material way. The changes to the Service may involve the software, data connections or other similar products or components used in the production of the Service. The Service Provider will endeavor to inform the Customer of any material changes in advance, at least 30 calendar days prior to the change becoming effective. The responsibility to inform does not concern urgent changes (e.g. data security up-dates or other measures estimated as sudden needs of change by the Service Provider). If the Service changes materially from what has been agreed under this Agreement, the Customer shall have a right to terminate this Agreement on giving 30 calendar days’ written notice.

8 Processing personal data

The Service Provider shall process personal data in the Service in accordance with Appendix 1.

9 Intellectual property rights

Intellectual property rights of the Service

The ownership, copyright and other intellectual property rights arising in the Service and any software or components used in its production belong to the Service Provider or its partners. In connection with the right of use defined in Section 4 the Customer shall not obtain any rights relating to the applications, processes, operations models or their execution solutions included, used by or exploited by the Service.

Customer’s data

The Customer retains ownership and the intellectual prop-erty rights in the data it has stored and that is used in the Service. The Customer grants to the Service Provider a right to process the Customer’s data in order to complete its agreed obligations. The Customer shall in every respect be responsible for its data stored and used in the Service.

Other material and data relating to Service

The ownership, copyright and other intellectual property rights of the material belonging and related to the Service (e.g. instructions manuals etc.) belong to the Service Pro-vider or its partner.

The Customer is granted a royalty-free and perpetual right to use the material ((including right to amend and modify) which has been produced by the Service, which arises in connection with the use of the Service and which is based on the Customer’s data.

Rights of consulting services

The copyright and other intellectual property rights of any documents and other results produced as a result of the consulting services (section 10) agreed between the Parties belong to the Service Provider or its partner. For the term of this Agreement the Customer is granted a right to use the results of the consulting services for its own internal use.

10 Service Provider’s consulting services

General principles of consulting service

The Service Provider shall deliver the Implementation Services to the Customer as a consulting service. The Customer shall be responsible for the consulting services under this Agreement meeting the Customer’s use and requirements. The Service Provider shall be responsible for the consulting services corresponding to what has been agreed upon in the Purchase Order.

The Service Provider shall be responsible for implementing the consulting services as agreed, with care and profession-ally complying with generally accepted consulting principles, in the given form and schedule.

The Service Provider’s working practices and processes shall be used when implementing the consulting services. The ServiceProvider may freely change those practices and processes if the changes does not cause any additional expense or damage to the Customer.

The Parties shall reserve any necessary workspace and equipment for their own part for the performance of the consulting services. Both of the Parties shall be responsible for making the decisions required for the implementation of the consulting services without delay.

Acceptance of consulting services

The Service Provider’s consulting services shall be regarded as accepted when the Service Provider has notified the Customer that the consulting services have been supplied and completed as agreed upon and the Customer has notified the Service Provider in writing (by e-mail) of acceptance of the results of the consulting services, or if the Customer has not notified the Service Provider of any other than minor defects in writing within thirty (30) calendar days from the delivery at the latest, or when the Service Provider has repaired the defects which the Customer has notified the Service Provider of within the aforementioned time.

If the Customer has commenced using the results of the consulting services, it shall be regarded as having accepted the consulting services.

The Customer shall be charged for the consulting services after the acceptance of the service’s results in accordance with this section.

Service Provider’s responsibility for the consulting services

The Service Provider’s responsibility for the result of the consulting services shall in every case be limited to per-forming the defected consulting task again to render the task as materially corresponding to what has been agreed upon.

11 Subcontractors

The Service Provider is entitled to use a subcontractor when fulfilling its obligations under the Agreement. The Service Provider shall be responsible for the work of such subcontractors in the same manner as for its own.

12 Interruption in the Service

The Service Provider shall be entitled to interrupt the Implementation Service or supplying the Service to the Customer completely or partly due to the following reasons:

a) Interrupting the Service is necessary for repairing or maintaining the Service or its part or other similar measures. Where reasonably possible, the Service Provider shall notify the Customer of such interruption in advance;

b) The Customer has not paid its undisputed payments based on the Agreement in spite of being sent a reminder;

c) The Customer’s action or any matter for which it is responsible has caused or causes problems, threat or damage to the Service or to the other users of the Service;

d) There is a reason to suspect that the Customer’s user names or passwords are unlawfully in a third party’s possession and the Service is accessed via such user names or passwords;

e) According to the Service Provider’s reasonable understanding the Service has been used or is used for operations violating law or authoritative regulations;

f) The Customer has entered into liquidation or been declared bankrupt or the Customer been found insolvent in some other way; or

g) The Customer is in material breach of its obligations under this Agreement and has not corrected such breach of contract within thirty (30) calendar days from the Service Provider’s written notice specifying the breach.

The Service Provider shall notify the Customer in writing of the interruption of the Service without undue delay. If reasonably possible, the Service Provider shall send the notice in advance. Any interruption to the use of the Service shall not suspend the Customer’s obligation to pay the applicable service charges.

13 Confidentiality and secrecy

The Parties undertake to keep any documents and information relating to the Agreement and the Service confidential, unless otherwise separately agreed in writing, and they are not to be disclosed, given or notified to third parties to any extent without a written consent given by the other Party in advance. Each Party shall be entitled to disclose the other Party’s confidential data to its subcontractors on a need to know basis, provided that such subcontractor is bound by confidentiality obligations no less stringent than those agreed herein. Furthermore, each Party shall always be entitled to hand over the other Party’s confidential data by virtue of a court decision, authoritative rule or another similar reason.

Notwithstanding the above, the confidentiality obligation shall not concern material or information, (a) generally publicly available or public in other respect, (b) obtained by the Party from a third party without a confidentiality obligation or (c) known to the Party without a confidentiality obligation prior to obtaining it from the other Party or (d) developed by the Party independently without exploiting any material, documents and/or information obtained from the other Party. The confidentiality obligation shall be valid for five (5) years from the moment the Agreement has terminated.

When the Agreement is terminated the Party shall immediately give up using any confidential material or information obtained from the other Party and, unless otherwise agreed in writing on the elimination of the material, return the material in question with all copies of such information. The Party shall, however, be entitled to keep copies of the material required by the law or the authorities. The Party may use the expertise and knowledge gained under the contractual relation.

For the avoidance of doubt, the obligations of confidentiality set out herein shall also be applicable and binding on the Parties during the Free Trial Period of the Service.

14 Force majeure

Each Party shall be released from its contractual obligation and its obligation to pay damages, if its compliance with a contractual obligation is prevented or delayed by a cause beyond its reasonable control (“Force Majeure”) including, but not limited to, unreasonable hardships in fulfilling a Party’s contractual obligations, national state of emergency, labour dispute, fire, thunder, storm, natural disaster, authoritative rule, damage in cabling caused by a third party, flood and water damage, overvoltage in the power-distribution network, a flaw or a disturbance in general data connection, disruption in the supply of energy or another substantial raw material or another unusual cause with similar effects not depending on the affected Party. An event of Force Majeure encountered by a Party’s subcontractor will also be regarded as a basis for release if the subcontracting cannot be acquired from elsewhere without unreasonable costs or a substantial loss of time.

15 Governing law and dispute resolution

This Agreement shall be governed by and construed in accordance with the laws of Finland.

Any dispute arising out of or relating to this Agreement shall be primarily settled by private negotiations between the Parties. If the negotiations do not result in an agreement, the dispute shall be finally settled by arbitration in accordance with the Arbitration Rules of the Central Chamber of Commerce of Finland. The number of arbitrators shall be one. The arbitrator shall be nominated by the Arbitration Institute of the Finland Chamber of Commerce. The location of the arbitration shall be Helsinki and the language shall be Finnish. Notwithstanding the above, the Service Provider shall always be entitled to bring matters pertaining to undisputed invoice claims to a district court.

16 Damages and limitations of liability

LIABILITY CAP. TO THE MAXIMUM EXTENT PERMITTED BY AP-PLICABLE LAW, IN NO EVENT WILL SERVICE PROVIDER BE LIABLE UNDER ANY THEORY OF LIABILITY, WHETHER IN AN EQUITABLE, LEGAL, OR COMMON LAW ACTION ARISING HEREUNDER FOR CONTRACT, STRICT LIABILITY, INDEMNITY, TORT (INCLUDING NEGLIGENCE), ATTORNEYS FEES AND COSTS, OR OTHERWISE, FOR DAMAGES WHICH, IN THE AG-GREGATE, EXCEED THE AMOUNT OF SIX (6) MONTHS SERVICE FEES PAID BY CUSTOMER FOR THE SERVICES WHICH GAVE RISE TO SUCH DAMAGES. IN CASE THE SERVICE HAS BEEN IN USE FOR A PERIOD UNDER SIX (6) MONTHS BY THE CUSTOMER, THE DAMAGES SHALL BE LIMITED TO THE AMOUNT PAID IN THE MONTHS FOR WHICH THE AGREEMENT HAS BEEN EFFEC-TIVE.

DISCLAIMER OF DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL SERVICE PROVIDER BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES OF ANY KIND AND HOWEVER CAUSED INCLUDING, BUT NOT LIMITED TO, AT-TORNEYS FEES AND COSTS, BUSINESS INTERRUPTION OR LOSS OF PROFITS OR DATA, BUSINESS OPPORTUNITIES, OR GOOD-WILL.

THIRD-PARTY INTEGRATIONS. IN NO EVENT SHALL THE SERVICE PROVIDER BE LIABLE FOR ANY DAMAGES IN THIRD-PARTY PRODUCTS OR SERVICES INTEGRATED INTO THE SERVICE OR FOR ANY DAMAGES RESULTING FROM THE SERVICE DUE TO REASONS ATTRIBUTABLE TO SUCH THIRD-PARTY PRODUCTS, INTEGRATIONS OR SERVICES. THE SERVICE PROVIDER HEREBY ALSO DISCLAIMS ANY AND ALL LIABILITY FOR ANY DAMAGES RESULTING FROM THE SERVICE IN CASE THESE DAMAGES ARE ATTRIBUTABLE TO MODIFICATIONS MADE TO THE INTEGRATIONS OF THE SERVICE BY THE CUSTOMER.

THEFOREGOING LIMITATIONS APPLY EVEN IF NOTIFIED OF THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.

17 Amending and transferring the Agreement

Any additions and amendments to the Agreement shall be made in writing by a specific amendment contract, unless otherwise stipulated in these terms and conditions.

This Agreement may not be transferred without the prior written consent of the other party. Each Party has, however, the right to transfer this Agreement to a corporation belong-ing to the same corporate group or in connection with a reorganization of business structures (e.g. a business purchase).

18 Termination of the Agreement

The Agreement shall become effective upon the Service Provider’s acceptance of the Purchase Order and shall re-main effective in agreed time periods (invoicing periods).

Termination of the Agreement shall be made in writing.

The Customer has the right to terminate this Agreement for cause with immediate effect any time during the term of the Free Trial Period.

The Customer has the right to terminate this Agreement with immediate effect if the Service differs materially from what has been agreed, and the Service Provider has not corrected the matter within 30 calendar days from a written notice from the Customer specifying how the Service differs. The Customer’s termination right under this section requires that the defect is of material importance to the Customer and that the Service Provider should have been aware of this. The termination shall be made in writing.

The Service Provider has the right to terminate the Agreement with immediate effect either completely or partly and discontinue the supply of the Service, if: a) the Customer has not paid service charges regardless of a written remind-er, b) the Customer’s usage of the Service violates this Agreement and the Customer continues those actions violating the Agreement.

Either Party has the right to terminate the Agreement with immediate effect, if the other Party has: a) been declared bankrupt, went into reorganization proceedings or other insolvency proceedings, or it is otherwise evident that the Party cannot fulfill its financial obligations under the Agreement; b) substantially violated its obligations under this Agreement and has not corrected the defect within 30 calendar days from receiving a written notice related to it.

Any charges refunded to the Customer upon termination of the Agreement shall not accrue interest. If the Customer terminates the Agreement other than due to the Service Provider’s material breach of this Agreement, any advance payments shall not be refunded.

19 Other provisions

The Service Provider may use the Customer’s name and brand in its marketing material and web pages as a reference. Any possible reference meetings and other coverage shall be agreed upon separately between the Parties.

Appendix: Terms and conditions regarding the processing of personal data

1 Definitions

”Data Protection Regulation (“GDPR”)” means the EU General Data Protection Regulation (2016/679/EU) “GDPR” and other relevant privacy legislation in Finland;;

”Personal Data Breach” means an event leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data processed;

”Personal Data” means any information relating to a natural person who can be identified, directly or indirectly, by reference to such information.

2 General

This Appendix sets out the terms under which the Service Provider shall process the Customer’s Personal Data. The purpose of this Appendix is to take into account the responsibilities and obligations set by the GDPR between the Parties.

The Customer is the data controller of the Customer’s employees’ or other natural persons’ Personal Data processed in connection with the Service. The Customer is responsible for the Personal Data stored in the Service as well as for the lawfulness of the Personal Data. The Service Provider shall process the Personal Data on Customer’s behalf and by the order of the Customer as agreed in the Agreement and this Appendix. The Service Provider shall process the Personal Data for the purpose of providing the Service. The processing activities carried out by the Service Provider, categories of data subjects, security measures and other services performed by the Service Provider are set out in more detail in an up-to-date service description and privacy policy or as part of the customer contract.

The Parties acknowledge that data protection authorities may provide regulations and guidelines regarding the application of the GDPR and agree to update this Appendix based on such regulations and guidelines, if needed.

3 Customer’s responsibilities

The Customer shall process the Personal Data in accordance with the Data Protection Regulation. The Service Provider shall process the Customer’s Personal Data in accordance with the documented, lawful instructions set out in this Appendix. The Customer is, in accordance with the GDPR, responsible for the lawfulness of the agreed instructions and that the instructions are not defective. The Service Provider shall inform the Customer if, in its opinion, an instruction by the Customer infringes applicable data protection legislation.

The Service Provider shall not monitor the contents, quality or currency of the Personal Data stored in the Service.

The Customer is responsible for the purpose and grounds of the processing of Personal Data being in accordance with the Data Protection Regulation, including that, the Personal Data have been collected and stored in accordance with the Data Protection Regulation and that the Customer has the right to transfer the Personal Data to the Service Provider.

4 Service Provider’s responsibilities and information security of the Service

The Service Provider shall process the Personal Data in accordance with the Data Protection Regulation and this Appendix, unless otherwise required by laws applicable to the Service Provider. In such case, the Service Provider shall notify the Customer of that legal requirement before the processing, unless the law prohibits such notification.

The Service Provider shall assist the Customer with appropriate technical and organizational measures at its choice, insofar as possible, to fulfill the Customer’s obligation to respond to requests from the data subjects regarding the exercising of the following data subject’s rights laid down in Chapter 3 of the GDPR:

a) right to access the data;

b) right to rectify and erase the data;

c) right to restrict the processing of the data;

d) right to transfer the data from one system to an-other;

e) right to object the processing of the data.

The Service Provider shall assist the Customer in ensuring that the following obligations of the Customer laid down in articles 32-36 of the GDPR are complied with (taking into account the nature of the processing and the information available to the Service Provider):

a) implementing appropriate technical and organizational measures;

b) assisting in notifying Personal Data Breaches to the supervisory authority and the data subjects;

c) participating in the data protection impact assessment and prior consultation of the supervisory authority, if needed.

The Service Provider has the right to charge the Customer for the aforesaid measures according to its price list in effect at the time in so far as the measures are not included in the recurring charges of the right to use of the Service.

The Service Provider shall implement the technical, physical and organizational measures to protect the Personal Data from accidental or unlawful processing or disclosure of Personal Data. Such measures may include:

a) the pseudonymisation and encryption of Personal Data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organization measures for ensuring the security of the processing.

The Service Provider shall process the Personal Data in connection with the Service in accordance with its own documented data security instructions. The Customer has the right to review the data security procedures and certificates of the Service Provider.

The Service Provider shall ensure that the persons processing the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Service Provider shall take required measures to ensure that such persons process the Personal Data only in accordance with the lawful instructions of the Customer.

5 Both Parties’ responsibilities

Each Party shall notify the other Party of a data subject’s request regarding the exercise of the data subject’s rights if the fulfillment of the request requires measures from the other Party. In connection with the notification, the Party shall provide all information that are necessary to fulfill the request to the other Party.

The Service Provider has the right to charge the Customer for all measures taken to fulfill the data subject’s request to exercise the data subject’s rights according to its price list in effect at the time.

6 Location of Personal Data

The physical location of the Service is described in the up to date service description. The Service Provider has the right to transfer the Personal Data in its discretion within the EU or EEA for the purpose of providing the Service. The Service Provider may transfer the Personal Data outside the EU or EEA in accordance with the Data Protection Regulation.

7 Subcontractors

The Service Provider is entitled to use subcontractors in the provision of the Service and the processing of Personal Data. The Service Provider shall inform the subcontractors it uses to the Customer. The Service Provider shall inform the Customer of any intended changes or additions to the sub-contractors participating in the processing of Personal Data. The Customer has the right to object to such changes on reasonable grounds. The Customer shall inform the Service Provider of its objection without undue delay after receiving the information from the Service Provider. If the Customer does not accept the change or addition of subcontractors, the Service Provider shall have the right to terminate the Agreement by 30 days’ notice.

The Service Provider is responsible for its subcontractors processing the Personal Data in accordance with this Appendix and the Data Protection Regulation.

8 Personal Data Breaches

Each Party shall notify the other Party without undue delay if it becomes aware of any Personal Data Breach. When notify-ing the Service Provider of the Personal Data Breach, the Customer shall provide the Service Provider with all information that may be considered necessary in addressing, restricting and preventing the Personal Data Breach.

When notifying the Customer of the Personal Data Breach, the Service Provider shall in so far as is possible provide the following information to the Customer:

a) a description of the Personal Data Breach, including in so far as is possible the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned;

b) the name and contact details of a person who can pro-vide more information on the matter;

c) a description of the likely consequences of the Personal Data Breach;

d) a description of the measures taken by the Service Provider to address the Personal Data Breach and measures to mitigate its possible adverse effects.

If the Personal Data Breach is caused by a reason attributable to the Customer, the Customer shall pay all costs caused to the Service Provider from the Personal Data Breach. The Customer is responsible for notifying the supervisory authority and the data subjects of the Personal Data Breach in accordance with the GDPR.

9 Record of processing activities

The Service Provider shall maintain a record of the processing activities carried out on behalf of the Customer. The record shall contain the following information:

a) the name and contact details of the Customer, the Service Provider and the Service Provider’s information regard-ing possible subcontractors;

b) the categories of processing activities carried out on behalf of the Customer;

c) where applicable, information on the transfers of Person-al Data outside the EU or EEA; and

d) a description of the technical and organizational security measures implemented.

10 Right to audit

The Service Provider shall provide the Customer the infor-mation required to demonstrate its compliance with the obligations laid down in this Appendix. The Service Provider shall not, however, disclose any information regarding its other customers or partners or otherwise breach any confi-dentiality undertakings it has given to other parties. If the audit is performed by a third party auditor, the auditor and the Service Provider shall conclude a confidentiality agreement before the audit.

During the term of the Agreement, the Customer or an independent third party auditor appointed by the Custom-er, which cannot be the Service Provider’s competitor, has the right to inspect that the Service Provider complies with the obligations set out to it in this Appendix. The audit is focused on the Service Provider’s necessary material related to the processing of Personal Data and the Service Provider’s systems and premises used in the processing of Personal Data. The audit may be performed at a maximum once per year and the Service Provider must be notified of the audit at least 30 days in advance. The Service Provider shall participate in the audit.

The audit may not cause any detriment to the Service Provider’s service production and the auditor shall not have the right to access any information of the customers or partners of the Service Provider. The Customer shall bear all costs in connection with the audit.

11 Termination of data processing activities

After the termination of the processing of Personal Data, the Service Provider shall, in accordance with the Custom-er’s written request, either destroy or return to the Customer all Personal Data as separately agreed. The Service Provider has the right to charge the Customer from the return of the Personal Data. The destruction of Personal Data will not be charged. The Service Provider shall delete all existing copies of the Personal Data, unless the Service Provider is required to store such Personal Data according to law or regulatory provision.

12 Damages caused by the processing of Personal Data

Each Party is responsible for the responsibilities and liabilities for damages and administrative fines addressed to it in accordance with the Data Protection Regulation.

The limitation of liability term of the Agreement is applied to this Appendix.