Terms & conditions

  1. PARTIES AND DESCRIPTION OF THE SERVICE


    1. These Terms & Conditions govern the Customer’s procurement of the Service Provider’s Services. The Service Provider is BankID BankAxept AS, registered in Norway with business registration no 927 611 929. The "Services" means the services provided by the Service Provider relating to customer due diligence as further described below and as ordered by the Customer from time to time. “The Agreement” consists of these Terms and Conditions, including Appendix 1 Data Processing Agreement and Appendix 2 Sub-Suppliers list and the Order Confirmation issued by Service Provider to the Customer.


    2. The Service delivers information from public and private information sources, via integration through a web solution and/or API.

      The information will be available for search in connection with the requirements of statutory customer due diligence measures when establishing customer relationships in accordance with national money laundering legislation. Information is collected in the form of individual searches on companies and individuals when establishing these as the Customer's own customers, and the possibility of continuous screening by ongoing due diligence measures.


      The Customer will be able to perform searches with the following parameters:


      For corporate customers: organization name and organization number


      For private customers: name and date of birth and/or national identity number


    3. The Service will deliver AML reports to the Customer. The reports will be used by Customers in connection with their own risk assessments when onboarding new customers and subsequent ongoing due diligence measures. The Service will, through various products included in the Service, provide necessary tools to streamline necessary due diligence measures in accordance with the rules of the money laundering regulations.


  2. RIGHT OF USE – USE RESTRICTIONS


    1. Service Provider grants to the Customer a non-exclusive, non-transferable, revocable limited right to access and use the Service as agreed in the Agreement.


    2. Customer may only use the Services for its intended purpose as set out in the Agreement. The Customer shall not permit any third party to access and use the Services or data derived from it. The Customer may not use the Service to establish a separate database containing data derived from the Service.


  3. PROVISION OF THE SERVICE


    1. The Service is made available to the Customer as a web portal.


    2. Service Provider will offer support, maintenance, and service level to Customer as described in section 5.


    3. The Service Provider has the right to change the Service, provided that the change is based on new or amended regulatory- and other external requirements and/or orders, or the change is part of Service Provider’s ordinary development of the Services, security or market adaptation.


  4. FEES AND PAYMENT


    1. All fixed fees and subscription fees are invoiced monthly in advance. Variable fees are invoiced monthly in arrears.


    2. All fees under this Agreement shall be paid within fourteen (14) days of issue of an invoice by Service Provider.


    3. All fees under this Agreement are exclusive of value added tax.


    4. Payments that are more than thirty (30) days overdue will be subject to the amount determined by applicable law pertaining to overdue payments, on the overdue balance. If any payments are more than two (2) months overdue, Service Provider may, at Service Provider's discretion, without prejudice to any other rights and remedies and without liability to the Customer, suspend access to all or part of the Services until the invoices in question have been paid.


    5. The Service Provider may change the prices with 3 months’ notice to the Customer. If the Customer does not accept the new prices, the Customer may terminate the Agreement with effect from the date of the price change. In addition, the prices may be index regulated yearly without further notice in accordance with the Statistics Norway’s (SSB) wage index for the Information and communication industry.


  5. SUPPORT, MAINTENANCE AND SLA


    1. Support is available from Monday to Friday 08.00-16.00 CE(S)T all Working Days in Norway.


    2. Service Provider reserves the right to perform maintenance, upgrades, service, etc. related to the Services outside of business hours. While Service Provider in general aims to do maintenance without downtime, any changes might cause unavailability, interruptions, or changes to the service.


    3. The Service Provider is responsible for the daily operations of the Service as well as incident monitoring and handling.


  6. SECURITY AND COMPLIANCE


    1. Both Parties shall perform their services and obligations under this Agreement in compliance with all applicable laws and regulations. Service Provider may suspend the Customer's use of the Services without liability, at any time, temporarily or permanently, if the Customer’s use of the Services is in breach of the applicable laws and regulations.


    2. Both Parties warrant to adhere to all applicable privacy laws and regulations pertaining to the Services, including Regulation (EU) 2016/679 ("GDPR"). Further, by entering into this Agreement, the Parties also enter into Appendix 1 (Data Processing Agreement).


    3. Service Provider shall have a documented Information Security Management System (ISMS) with a set of relevant policies.


  7. CONFIDENTIALITY


    1. "Confidential Information" means the specific terms of this Agreement, and any information disclosed by either Party to the other Party, either directly or indirectly, in writing or in any other manner, relating to each Party’s business and/or customers, including without limitation confidential information about the Services. Confidential Information shall not include information (i) already in the possession of the receiving party without an obligation of confidentiality; (ii) hereafter rightfully furnished to the receiving party by a third party without a breach of any separate nondisclosure obligation; or (iii) publicly available without breach of this Agreement (i.e., information in the public domain).


    2. Neither Party shall use, or disclose to any person, either during the term or after the termination of this Agreement, any Confidential Information except in accordance with the other party´s prior written consent or as required by law.


    3. The duty of confidentiality gives way to national extradition orders, other statutory duty of disclosure, government orders pursuant to law or if court decisions require it.


      Disclosure of necessary information in connection with security audits or control and supervision by public authorities is not considered a breach of confidentiality.


  8. INTELLECTUAL PROPERTY RIGHTS


    1. All right, title and interest to any software, products, technology and/or information in any service, documentation or material provided or developed by Service Provider from time to time under this Agreement, shall remain exclusively with Service Provider or Service Provider’s licensors. As between Service Provider and the Customer, Service Provider also owns and holds all Intellectual Property Rights and other rights to the non-personal log data in and from Service Transactions, which will be used in an aggregate manner that does not identify the Customer or any other legal or natural persons.

      Customer acknowledges and agrees that it has no rights or claims of any type, other than the right of use granted under this Agreement, to the Services, all modifications (whether made by Service Provider, the Customer, or third parties), trademarks, the above mentioned log data, and the Intellectual Property Rights embodied therein, and the Customer irrevocably waives and releases any claim to title and ownership rights (including copyright ownership) thereto.


  9. LIMITATION OF LIABILITY


    1. The information from the Service is delivered "as is" from public and private sources, and there is no guarantee that the information is free from errors or omissions. The Service Provider shall not be liable for delayed delivery of identification or information or errors in the content of the data provided and shall have no liability to the Customer for the quality of the information provided by the sources through the Service under these Terms.


    2. For the avoidance of doubt, Service Provider accepts no liability whatsoever towards the Customer or any other third person, for:


      1. any loss caused by any transaction by use of the Services;


      2. errors or delays that are outside Service Provider’s reasonable control, including without limitation denial-of-service attacks (DoS), general internet failure, line delays, power failure or faults of any machines;


      3. loss caused by deficiencies in Service Provider’s Services that are caused by the Customer’s acts or omissions; or


      4. any loss suffered because of loss of data caused by the Services, excluding remedial expenses incurred to restore lost data in the event the loss of data was caused by Service Provider’s failure to make backups and such backup obligation was explicitly agreed upon.


    3. Neither Party shall be liable to the other Party in contract, tort or otherwise, whatever the cause thereof, for any loss of profit, business or goodwill or any other indirect damages of any kind arising under or in connection with this Agreement.


    4. The total and maximum liability of a Party under this Agreement shall in no event exceed an amount equal to the total amount (excluding VAT) paid by the Customer to Service Provider under the Agreement the 12 months preceding the event that incurs liability.


    5. If the tortious Party has demonstrated gross negligence or intent, the limitations on damages shall not apply.

  10. TERM AND TERMINATION


    1. The Agreement will have a fixed term of 12 months calculated from the first day of the month following the effective date of the Agreement (the date an order is placed by the Customer). Thereafter, the Customer may terminate the Agreement with 3 months’ written notice, calculated from the end of the month the notice is sent. The Service Provider may terminate the Agreement by giving twelve (12) months' notice.


    2. This Agreement may be terminated by either Party at any time if the other Party is in material breach of any term or condition of this Agreement and such breach continues unremedied for a period of thirty (30) days after the Party in breach has been notified of such breach by the other Party by means of a written notice.


    3. This Agreement may be terminated by either party, if a receiver is appointed for the other party or its property, if the other party makes an assignment for the benefit of its creditors, any proceedings are commenced by, for or against the other party under any bankruptcy, insolvency or debtor's relief law, or actions are taken to liquidate or dissolve the other party.


    4. This Agreement may be terminated by Customer subject to the conditions set out in the Data Controller Agreement.


    5. Upon expiration or termination of this Agreement:


      1. The Customer shall immediately cease its use of the Services; and


      2. The due dates of all outstanding invoices shall automatically be accelerated so they become due and payable on the date of termination or expiration, even if longer terms have been previously agreed.


  11. MISCELLANEOUS


    1. Service Provider may update these terms and conditions. Customer is always bound by the latest version of the terms and conditions. Service provider shall notify the Customer of changes if they are detrimental to the Customer.


    2. Neither Party may assign this Agreement without the prior written consent of the other Party, which consent shall not be unreasonably withheld.


    3. Neither Party shall be responsible for failure of performance due to causes beyond its control, including, but not limited to labor disputes and actions of any government agency, and other force majeure events defined by applicable law.


    4. This Agreement shall be governed by and construed in accordance with the laws of Norway. Any dispute, controversy or claim arising out of or in connection with this contract, or the breach, termination, or invalidity thereof, shall be settled by the courts of Oslo.


APPENDIX 1 – DATA PROCESSING AGREEMENT


  1. BACKGROUND AND PURPOSE


    1. The Service Provider acts as a Data Processor to Customer, which acts as a Data Controller.


    2. Data Processor delivers a service (the “Services”), which collects and analyses data from public and private information sources.


      The information will be available for search in connection with the requirements of statutory customer due diligence measures when establishing customer relationships in accordance with national money laundering legislation. Information is collected in the form of individual searches on companies and individuals when establishing these as the Customer's own customers, and the possibility of continuous screening by ongoing due diligence measures.


      The Customer will be able to perform searches with the following parameters:


      For corporate customers: organization name and organization number


      For private customers: name and date of birth and/or national identity number


      The Service will then deliver AML reports to the Customer. The reports will be used by Customers in connection with their own risk assessments when onboarding their new customers and subsequent ongoing due diligence measures. The Service will, through various products included in the Service, provide necessary tools to streamline necessary due diligence measures in accordance with the rules of the money laundering regulations.


    3. To ensure BIDBAX’s processing as a Data Processor complies with the applicable data protection legislation, BIDBAX and the Customer have entered into this Data Processing Agreement (“Agreement”). This Agreement sets out the Parties' rights and obligations with respect to BIDBAX’s processing on behalf of the Customer in connection with the delivery of the Services.

    4. The purpose of this Agreement is to ensure that the Parties´ rights and duties are settled according to the EU data protection regulation 2016/679/EC dated April 27, 2016 ("GDPR") and the Norwegian Data Protection Act no. 38 with regulations dated June 15, 2018. In case of conflict between the terms of this Agreement and the data protection legislation or any other relevant legislation, this Agreement has no precedence.


      The Data Processor shall only process personal data as described in this Agreement or as agreed in writing between the Parties.


      Terms and definitions used in this Agreement shall be construed in the same way as in the data protection legislation.


  2. RIGHTS AND DUTIES

    1. General responsibility: The Data Controller determines the purpose of the processing of personal data and the means to be used for such processing. The Data Controller has overall responsibility for the processing of personal data in accordance with the requirements set by the data protection legislation. Among other things, the Data Controller is responsible for ensuring that there is a legal basis for the delegated processing of the personal data.

    2. Instructions: The Data Processor is subject to the Data Controller´s authority regarding the processing of personal data and shall only process personal data based on documented instructions from the Data Controller. If the processing is required under European Union law or the applicable Norwegian law to which the Data Processor is subject, the Data Processor shall notify the Data Controller about the aforementioned legal requirements before the processing, unless Norwegian law prohibits such notification for the sake of important social interests. If the Data Processor is of the opinion that an instruction from the Data Controller is in breach of the data protection legislation or any other legislation, the Data Processor shall immediately notify the Data Controller about this.

    3. Security measures: The Data Processor confirms that it will take appropriate technical and organizational measures to ensure that all processing under this Agreement meets the requirements of the data protection legislation and ensures the protection of the data subject's rights, including compliance with all the requirements of GDPR article 32.


    4. Transparency: Unless otherwise agreed or required by law, the Data Controller is entitled to access the personal data processed and the systems used in accordance with the Agreement. The Data Processor is obliged to provide the Data Controller with necessary assistance in this regard. For access requirements, the Data Controller must provide the Data Processor with at least 14 days' notice.

    5. Confidentiality: The Data Processor has a duty of confidentiality regarding the documentation and the personal data which it will have access to in accordance with the Agreement. This provision also applies after termination of the Agreement. The Data Processor is responsible for ensuring that the necessary agreements or obligations for confidential processing of such information are established with anyone who has access to that information.

    6. Assistance according to GDPR articles 32-36: The Data Processor is obliged to provide the Data Controller with access to its data security documentation, and to assist the Data Controller with fulfilling its own responsibility in accordance with the applicable data protection legislation. This is especially true for assistance with audits and inspections, as well as notification of personal data breach and impact assessment. The Data Controller is directly responsible towards the relevant supervisory authorities.

    7. Assistance with inquiries: The Data Processor shall assist the Data Controller in safeguarding the rights of the data subjects. This applies, but is not limited to, providing information on how the personal data is processed, handling inquiries which include, among others, access to the personal data and fulfillment of the data subjects' right to rectification or deletion of the personal data. For all and any inquiries that the Data Processor may receive directly, the Data Processor shall transmit those inquiries to the Data Controller as soon as possible.

    8. Access/Disclosure: The Data Processor shall not disclose personal data or information that it processes on behalf of the Data Controller to a third party without explicit instructions or permission from the Controller. Any access to / disclosure of personal data to third parties shall be further regulated in the Data Controller´s instructions, cf. Attachment 1 (The Data Controller’s instructions) in Data Processing Agreement.


  3. PROCESSING OF PERSONAL DATA

    1. Purpose and processing activities: The purpose of BIDBAX’s processing of personal data on behalf of the Customer, is for the Customer being able to use the Services, including any extra features available to the Customer, for its own defined purposes.

    2. Categories of personal data and data subjects: The personal data about the data subjects which the Data Controller authorizes the Data Processor to process for the Purpose as described in section 1.2 above are:

      • various contact information related to employees, Customers or any other persons connected to the Customer’s business, which is necessary for BIDBAX to process to be able to provide the Customer with the Services, such as names, email addresses and IP addresses,

      • Personal data included in user-generated notes,

      • Personal data included in additional services specifically requested by and agreed with the Customer, such as PEP data, sanctions data or population register data, including any usage data (however in pseudonymized form) in connection with any use of such services, and

      • Various usage data generated by the Customer’s users in connection with the Services (however in pseudonymized form).

    3. Records of processing activities: The Data Processor shall maintain a record of processing activities under its responsibility, according to GDPR article 30.

    4. The Data Processor´s access to the personal data: The personal data processed by BIDBAX on behalf of the Customer, will either be data acquired separately by the Customer and uploaded to BIDBAX (e.g. by csv file or API integration), data acquired from a BIDBAX data Customer (e.g. providing of PEP- and sanctions data), or user-generated data entered directly through the BIDBAX web interface.


  4. SECURITY AND BREACH

    1. The Data Processor shall comply with the requirements for security measures according to the applicable data protection legislation. The Data Processor shall be able to document routines and security measures that meet these requirements, including, as appropriate, measures to prevent accessible or illegal destruction or loss of data, unauthorized access to or dissemination of data, as well as any other use of personal data that does not comply with this Agreement, and measures to restore access to the personal data in any event. The documentation must be available at the request of the Data Controller.

    2. The Data Processor undertakes to notify the Data Controller without undue delay and at the latest within 48 hours if the Data Processor has information about, or reason to believe, that the personal data is used in an unauthorized manner or otherwise handled in violation of the data protection legislation and/or the terms of this Agreement. This is especially true for any breach of personal data security that the Data Processor becomes aware of, including unauthorized access, dissemination, alteration, damage / destruction, but also for any circumstance that may cause a change in the risk assessment, and which has or may have an impact on data security.

    3. In the event of a personal data breach by the Data Processor, the Data Processor shall notify the Data Controller within 48 hours of the Data Processor becoming aware of the breach. Notification of breach shall contain, as a minimum, the requirements of GDPR Article 33 (3), including:

      • description of the nature of the personal data breach, including, where possible, the categories of and approximate number of data subjects affected, and the categories of and approximate number of personal data records concerned,

      • the name and contact information of the data protection officer or other contact point where more information can be obtained,

      • description of the likely consequences of the personal data breach, and

      • description of the measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.


      The Data Controller is responsible for sending a notification to the supervisory authority at the latest 72 hours after the breach has been detected, and the Data Processor shall not send such notification or contact the supervisory authority without the instructions of the Data Controller. If all information cannot be provided in the first notification, the information should be given successively as soon as it is available.

    4. In accordance with section 2.3 above and in the event of a data security or privacy breach by the Data Controller, the Data Processor shall assist the Data Controller in obtaining the necessary information as described in GDPR Article 33 (3), cf. section 4.3 above.

    5. Any breach or suspicion of a breach to the personal data security at the Data Processor shall be recorded, hereafter logged, and stored at the Data Processor.

    6. The Data Processor shall, without undue delay, correct or implement measures to prevent personal data breach and nonconformities. Nonconformities or breaches which the Data Processor or its sub-processors are responsible for shall be corrected or prevented at no charge to the Data Controller and must be documented.

    7. The security level of the processing shall consider the nature of the personal data and the risk for personal data breach for the data subjects. For this reason, the Data Processor and the Data Controller must conduct a risk assessment to ensure satisfactory data security.

    8. The personal data shall only be made available to the Data Processor´s employees who have a need to access the personal data to provide the Service. Personal data may also be made available to the Data Processor's sub-processors upon prior approval from the Data Controller and provided that the Data Processor has entered into a sub-processor agreement. Documentation of authorized access at the Data Processor shall be available at the request of the Data Controller.


  5. TRANSFER OF PERSONAL DATA OUTSIDE EU/EEA

    1. Personal data, which is processed by the Data Processor on behalf of the Data Controller, shall only be transferred to countries outside the EU / EEA (third countries) according to instructions from the Data Controller or as otherwise agreed between the Parties. Transfer to third countries requires, even with instructions and/or agreement in place, that the requirements for security and protection of the data subjects' rights according to the data protection legislation are met.

    2. When transferring or otherwise giving a third country access to the personal data, or when a sub-processor is incorporated in a third country or has ultimate ownership in a third country, the Data Controller or Data Processor on behalf of the Data Controller shall ensure that the Data Processor or Data Processor's sub-processors have provided the necessary guarantees, according to GDPR chapter V, to ensure an adequate level of protection of the personal data. Such necessary guarantees include, but are not limited to, the signing of the European Commission's standard contractual clauses.


  6. SUB-PROCESSORS

    1. A list of approved sub-processors is described in SaaS Agreement Appendix 2 (Sub-Suppliers List).


    2. The Data Processor has the Data Controller’s general authorization to engage other sub-processors than those mentioned in Appendix 2 (Sub-Suppliers List). In such a case, the Data Processor shall notify the Data Controller well in advance, thereby giving the Data Controller the opportunity to object to such changes. The Data Controller may object in writing on reasonable grounds to the appointment of a new sub-processor, always provided that such objection includes all relevant details as to why the Data Controller objects to the appointment of a sub-processor. If the Data Controller does not object to any change of sub-processors, Appendix 2 (Sub-Suppliers List) shall be updated accordingly by the Data Processor and sent to the Data Controller´s contact person.

    3. The Data Processor is responsible for conducting a security analysis of the sub-processor's ability to comply with the requirements of this Agreement and other statutory requirements for the processing of personal data.

    4. The Data Processor shall ensure that all sub-processors are bound by the same requirements for data security and processing in general as set out in this Agreement. The Data Processor shall therefore ensure that its sub-processors only process personal data in accordance with the terms of this Agreement and not to a greater extent than is necessary to fulfill the service which the sub-processors provide. The Data Controller is entitled to access the Data Processor's sub-processing agreements, as well as the relevant sub-processors' documentation for the processing, such as security documentation.

    5. The Data Processor is fully responsible towards the Data Controller for all and any of the sub-processors´ violations to this Agreement´s requirements, as well as to other applicable data protection legislation. The Data Controller can order the Data Processor to stop the immediate use of the sub-processors who have acted in breach of their contractual obligations and/or applicable data protection legislation.

    6. Upon termination of this Agreement, the Data Processor shall ensure that the sub-processors fulfill, in the same manner as the Data Processor, the obligation to delete or properly destroy all personal data, including backups, as set forth in section 7.3 of the Agreement.


  7. TERM AND TERMINATION

    1. The terms of this Agreement apply as long as the Data Processor processes, including also has access to, personal data on behalf of the Data Controller.

    2. If the Data Processor breaches this Agreement, the Data Controller has the right to exclude the Data Processor from all access to the personal data and to decide that the Data Processor shall immediately stop further processing of the personal data for a defined period. In the event of material breach, the Data Controller shall be entitled to terminate the Agreement without notice.

    3. Upon termination of the Agreement, the Data Processor shall immediately stop the processing of all personal data and return it to the Data Controller or properly destroy all material, including backup copies, containing personal data as covered by this Agreement, unless the Data Processor must process the personal data any longer under legal requirements. If deletion of the personal data is not technically possible and return of the personal data to the Data Controller is not an option, the Data Processor shall then ensure that the personal data is made unavailable by the means of anonymization.


    4. The Data Processor shall document in writing to the Data Controller that deletion and/or destruction and/or anonymization has been carried out in accordance with the Agreement no later than 30 days after the termination of the Agreement.


  8. LIABILITY


    1. Each of the Parties is liable for damages and shall compensate the data subjects for any material or non-material damage suffered by the data subjects as a result of a breach of the data protection legislation in accordance with Article 82 (1) of the GDPR.


    2. If one of the Parties has paid full compensation for the damage under GDPR Article 82 (4), the paying Party shall have the right to claim back from the other Party the part of the compensation corresponding to the other Party's part of the liability for the damage. Any costs associated with establishing the division of responsibilities shall be charged equally to both Parties.


    3. If one of the Parties has paid full compensation for the damage pursuant to Article 82 (4) of the GDPR but can prove that it is in no way responsible or has contributed to the incident that caused the damage, the paying Party shall be entitled to claim back from the other Party the full amount of compensation.


    4. For any documented direct loss, the Party’s liability under this Agreement towards the other Party is upwards limited to the remuneration paid by the Data Controller for the services to which the breach relates during the last 12 months before the breach occurred.


  9. AMENDMENTS

    1. All amendments in this Agreement shall be in writing and approved by both Parties.


APPENDIX 2 – SUB-SUPPLIERS LIST


As of the Effective Date of this Agreement, the Data Controller has approved the following use of sub-processors to fulfill the Purpose pursuant to section 1.2 of Appendix 1 (Data Processing Agreement).


| NAME and ORG. No | BUSINESS ADDRESS | TYPE OF SERVICE | TYPE OF PERSONAL DATA |
| --- | --- | --- | --- |
| Dun & Bradstreet Norway AS, 975374939, and its sub-processor Trapets AB, 556586-4773 | Langkaia 1, 0150 Oslo, Norway, and Kungsgatan 56, 111 22 Stockholm, Sweden | Providing data elements used in connection with PEP screening, (beneficial) ownership and shareholders. Trapets AB is the sub-processor of PEP screening data. | Name, nationality, date of birth, gender, status (active/inactive), title, alias, address. |
| Data Factory AS, 917254532 | Youngstorget 3, 0181 Oslo, Norway | Providing data elements used in connection with Norwegian private- and business customers. | Postal address |
| T-Rank AS, 990092397 | Bogstadveien 54, 0366 Oslo, Norway | Providing data elements used in connection with (beneficial) ownership data | Name, date of birth, ownership of entities |
| Roaring Group AB, 559067-2613 | Svärdvägen 7, 182 33 Danderyd, Sweden | Providing data elements used in connection with PEP-screening, ownership | Name, address, PEP- status & sanction (y/n) |
| Valuation Europe AB, 556662-7914 | Danderydsgatan 18, SE-114 26 Stockholm Sweden | Providing data elements used in connection with (beneficial) ownership and company information | Name, citizenship, ownership and roles in entities |
| Microsoft Norge AS, 957485030 | Dronning Eufemias gate 71, 0194 Oslo, Norway | Infrastructure provider | All data elements in the Service |
| Orange Business Services AS, 982211743 | Nydalen allé 37, 0484 Oslo, Norway | Infrastructure provider | All data elements in the Service |

