Happeo - TERMS OF SERVICE 18
Welcome to Happeo (the “Service”). The Service is provided by Universe Company Oy, Business ID FI28021882 (“Happeo"), located at Köydenpunojankatu 2, 00180 Helsinki Finland.
By using the Service you are agreeing to these Terms of Service. Please read the terms carefully. If you do not agree with these Terms of Service, you may not use the Service.
The Terms of service may be subject to change. The updated TOS is found https://www.happeo.com/tos/
USING THE SERVICE
You must follow any policies made available to you within the Service.
Do not misuse our Service, for example, do not interfere with the Service or try to access it using a method other than the interface and the instructions provided by us. You may use the Service only as permitted by law, including applicable export and control laws and regulations. We may suspend or stop providing the Service to you if you do not comply with our terms or policies or if we are investigating suspected misconduct.
Using the Service does not give you ownership of any intellectual property rights in the Service or the content that you access. Any content from the Service may not be used unless you obtain permission from its owner or are otherwise permitted by law.
In connection with your use of the Service, we may send you service announcements, administrative messages and other information. You may opt out of some of those communications.
The service is available on mobile devices. Do not use the Service in a way that distracts you and prevents you from obeying any traffic or safety laws.
YOUR CONTENT IN THE SERVICE
The service allows you to upload, submit, store, send or receive content. You retain ownership of any intellectual property rights that you hold in that content.
When you upload, submit, store, send or receive content to or through the Service, you give Happeo a worldwide licence to use, host, store, reproduce, modify, communicate, and distribute such content. The licence are for the limited purpose of operating and improving the Service.
We will store your active session info in order to prevent unauthorized access to your or your organisation information. This session information may include but is not limited to: device MAC address, IP address and browser information. This information is deleted after session is disconnected.
MODIFYING AND TERMINATING OUR SERVICE
We are constantly developing, changing and improving the Service. We may add or remove functionalities or features and we may suspend or stop the Service altogether.
You can stop using the Service according to the service agreement. Happeo may also stop providing the Service to you or add or create new limits to the Service at any time.
If Happeo stops the Service, we will give you reasonable advance notice and a change to remove information from the Service. The Service will be available to customers for a predetermined period after the advance notice, minimum of 12 months from the advance notice date. During this period the service will be provided as is.
Other than as expressly set out in these terms or additional terms, neither Happeo nor its suppliers or distributors makes any specific promises about the Service. For example we do not make any commitments about the content within the Service, the specific functions of the service or their reliability, availability or ability to meet your needs. The Service is provided “as is”
TO THE EXTENT PERMITTED BY LAW, WE EXCLUDE ALL WARRANTIES.
LIABILITY FOR THE SERVICE
Happeo and Happeo’s suppliers and distributors will not be responsible for lost profits, revenues or data, financial losses or indirect, special, consequential, exemplary or punitive damages. The total liability of Happeo and its suppliers and distributors for any claims under these terms, including for any implied warranties, is limited to the amount that you paid us to use the Service. (or, if we choose, to supplying you with the Service again).
In all cases, Happeo and its suppliers and distributors will not be liable for any loss or damage that is not reasonably foreseeable.
The Company using the Service shall hold harmless and indemnify Happeo and its affiliates, officers, agents and employees from any claim, action or proceedings arising from or related to the use of the Service or violation of these terms, including any liability or expense from claims, losses, damages, judgements, litigation costs and legal fees.
ABOUT THESE TERMS
We hold the right to modify these terms or any additional terms that apply to the Service, for example, but not limited to, reflect changes to the law or changes to the Service. You should look at the terms regularly. We will post notice of modifications to these terms on this page. We will post additional terms in the Service. Changes will not apply retrospectively and will become effective no earlier than fourteen days after they are posted. However, changes addressing new functions or features for the Service or changes made for legal reasons will be effective immediately. If you do not agree to the modified terms for the Service, you should discontinue your use of that service.
If there is any inconsistency between these terms and additional terms, the additional terms will prevail to the extent of the inconsistency.
These terms govern the relationship between Happeo and you. They do not create any third party beneficiary rights.
If you do not comply with these terms and we do not take action immediately, this does not mean that we are giving up any rights that we may have.
If a particular term is not enforceable, it does not affect any other terms.
The laws of Finland will apply to any disputes arising out of or relating to these Terms of Service. All claims arising out of or relating to these terms or the Service will be litigated exclusively in the district court of Helsinki, Finland.
AGREEMENT REGARDING PROCESSING OF PERSONAL DATA
This Agreement forms an integral part of an agreement for development and provision platforms and solutions for enterprise communication, such as the Happeo intranet service, and related consultancy, technical and support services (“Service Agreement”), concluded by and between the Parties. Where applicable, the terms of the Service Agreement, such as governing law and dispute resolution, shall be applied to this Agreement. The limitation of Supplier’s liability provisions included in the Service Agreement are also applied to this Agreement.
Supplier offers certain services to Customer which might require the processing of Customer Data (as defined below). The purpose of this Agreement is to ensure the implementation of consistent privacy and data protection practices to be applied in the provision of services by Supplier to Customer.
In the event that Service Agreement or another agreement under which Supplier performs Services to Customer requires the processing of Personal Data by Supplier, Parties shall always include at least the following information regarding processing activities: (a) the purpose of the processing of Personal Data; (b) the categories of data subjects; (c) the applicable information security measures; and (d) duration of processing of Personal Data under the Agreement. The said information shall be detailed in Exhibit 1 (processing of Personal Data) of this Agreement.
“Customer Data” shall mean any and all Customer’s data processed by Supplier as a data processor whilst providing the Services on the basis of the Service Agreement or any other agreement between the Parties.
“Personal Data” shall mean any information relating to an identified or identifiable natural person Supplier processes on behalf of Customer.
“Security Measures” shall mean technical methods and organizational practices necessary to ensure the security of the Customer Data, including without limitation the technical methods and organizational practices relating to the data centres, premises, equipment, systems, programs and persons taking part in the processing of Personal Data.
“Services” shall mean the services Supplier delivers to Customer pursuant to the Service Agreement or any other agreement between the Parties.
Customer shall be the sole data controller for the Personal Data pursuant to the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“Regulation”) and/or any applicable national data protection law, and shall be responsible for complying with the obligations the Regulation and other applicable laws set for data controllers, such as ensuring that there is a legal basis for processing personal data, informing data subjects about processing activities with privacy policies, complying with other controller’s documentation obligations and ensuring that the data is kept accurate.If and to the extent the legal basis for processing Personal Data is an individual’s consent, Customer is liable for obtaining the consent and managing it as provided in the Regulation.
Customer acknowledges that due to the nature of Services, Supplier cannot control and has no obligation to verify Personal Data Customer transfers to Supplier for processing on behalf of Customer when Customer uses Services. Supplier does not generally review Personal Data provided by its customers for processing. Customer ensures that Customer is entitled to transfer the Personal Data to Supplier so that Supplier may lawfully process the Personal Data on behalf of Customer.
Customer shall be responsible for the lawful collection, processing and use, and for the accuracy of Personal Data transferred to Supplier for processing, as well as for preserving the rights of the data subjects. If and to the extent legally required, Customer shall inform the individuals concerned regarding the processing of their Personal Data by Supplier, and shall obtain their consent if necessary.
Supplier shall not use Customer Data for any purpose other than that of rendering the Services and will not assert liens or other rights over, or sell or disclose the Customer Data to any third parties, without Customer’s prior written approval. Supplier shall process Customer Data in accordance with this Agreement and documented instructions from Customer. Customer’s instructions must be commercially reasonable, compliant with applicable data protection laws and consistent with the Agreement. Supplier shall not be obliged to verify whether any instructions given by Customer are consistent with applicable laws, as Customer is responsible for such compliance verification of its instructions. Both Parties shall comply with the Regulation and any applicable European or foreign data protection laws as amended, as well as data protection authorities’ orders and guidelines.
Supplier implements and maintains appropriate technical and organizational security measures to protect Personal Data within its area of responsibility as detailed in Appendix 1 to this Agreement and in the Regulation article 32. Supplier may modify its security measures from time to time but will not decrease the overall security during the term of this Agreement.
To respond to requests from individuals exercising their rights as foreseen in applicable data protection law, such as the rights outlined in the Regulation chapter III, hereunder the right to access and the right to rectification or erasure, Supplier shall provide Customer with commercially reasonable assistance, without undue delay, taking into account the nature of the processing. Supplier shall further provide Customer with commercially reasonable assistance in ensuring compliance with Customer’s obligations to perform security and data protection assessments, Breach Notifications (see clause 7.1) and prior consultations of the competent supervisory authority, as set out in the applicable data protection law, such as in the Regulation article 32-36, taking into account the nature of the processing and the information available to Supplier.
In case any individual or supervisory authority makes a request for assistance directly to Supplier concerning Personal Data, such as a request for access, rectification or erasure, delivering any information or executing any other action, Supplier shall inform Customer on such request as soon as reasonably possible and as far as allowed by applicable law.
In addition, Supplier shall, and shall procure that its personnel (including its subcontractors’ personnel) shall:
- only process Personal Data in accordance with Customer’s written instructions and not for Supplier’s own purposes, including without limitation e.g. Supplier’s marketing purposes;
- ensure that individuals processing Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- include in any contract with subcontractors who will process Personal Data directly or indirectly on behalf of Customer, provisions which are materially equivalent to those in this Agreement.
PERFORMING ASSISTANCE TASKS
If Supplier is required to assist Customer in complying with data controller’s obligations set forth in the Regulation and applicable laws (e.g. relating to data breaches, data subjects’ rights, data protection impact audits), then these assistance tasks are by default performed within the scope and time limitations provided in the parties’ monthly-fee Services Agreement or maintenance agreement (if any). If the parties have not concluded a monthly-fee services or maintenance agreement, or the time required for assistance tasks exceeds the time limitations of such an agreement, Supplier is entitled to invoice the reasonable actual time used for the assistance tasks in accordance with its then current hourly rates or rates specifically agreed between the parties. Invoicing the time used for the assistance tasks requires that Customer has accepted that Supplier can use time to perform assistance tasks.
LOCATION AND TRANSFER OF PERSONAL DATA
To provide Services, Customer accepts that Supplier may have Personal Data processed and accessible by its Subprocessors (as defined in clause 6.1). Supplier is also entitled to transfer personal data outside the EU or EEA, provided that the transfer is made in compliance with the obligations that the Regulation specifies in terms of adequate safeguards in international data transfers. Adequate safeguards may include the use of EU Commission model clauses, transfer to a whitelisted jurisdiction (as specified by the EU Commission from time to time) or to a EU-US Privacy Shield certified transferee (if the transferee is a US-based company). Supplier aims to notify Customer of international transfers of Personal Data outside the EU or EEA.
Customer shall have the right to audit the facilities and processing activities of Supplier under this Agreement to examine the Security Measures, the level of protection and security provided for Personal Data processed under this Agreement and the Service Agreement and the privacy of the individuals to whom such Personal Data relates and to assess the compliance of Supplier and its subcontractors with this Agreement, the Service Agreement and applicable data protection law. Supplier aims to procure for Customer the same rights of audit in respect of Supplier’s subcontractors. Each Party shall bear its own costs for any such audit. Customer must provide at least 20 days advance notification to Supplier of planned audits.Where an audit may lead to the disclosure of business or trade secrets of Supplier or threaten intellectual property rights of Supplier, Customer shall employ an independent expert to carry out the audit, and the expert shall agree to be bound to confidentiality to Supplier’s benefit.
General authorization. Customer gives its general authorization to allow Supplier to involve Supplier’s affiliated companies and other subcontractors as subprocessors to process Personal Data in connection with the provision of Services (“Subprocessors”), to the extent such appointment does not lead to non-compliance with any applicable law or Supplier’s obligations under this Agreement. Supplier ensures that the involved Subprocessors are properly qualified, will be under a data processing agreement with Supplier, and comply with data processing obligations similar to the ones which apply to Supplier under this Agreement. Supplier shall be liable towards the Customer for the processing of Personal Data carried out by Subprocessors.
Change of Subprocessor. Supplier is free to choose and change its Subprocessors. Upon request, Supplier shall inform Customer of Subprocessors currently involved. In case there is a later change of Subprocessor (addition or replacement), Supplier shall notify Customer of such change. In case Customer objects such change of Subprocessor on reasonable grounds, Customer has the right to request change of the Subprocessor. If the Supplier is not willing to change the Subprocessor Customer has objected, Customer shall have the right to terminate the Service Agreement.
Supplier shall, without undue delay after having become aware of it, inform Customer in writing about any data breaches relating to Customer Data and any other events where the security of the Personal Data processed on behalf of Customer has been compromised (“Breach”). Supplier’s notification about the Breach (“Breach Notification”) to Customer shall include at least the following:
description of the nature of the Breach
name and contact details of Supplier’s contact point where more information can be obtained;
description of the measures taken by Supplier to address the Breach, including, where appropriate, measures to mitigate its possible adverse effects.
DELETION OR RETURN OF PERSONAL DATA
During the term of an Agreement between the Parties, Supplier shall not take any action to intentionally erase any Personal Data processed on behalf of Customer, without Customer’s explicit request or mutually accepted data processing instructions.
Within a reasonable time after the termination or expiry of the Service Agreement, Supplier shall either delete the Personal Data in its possession or return it to Customer as well as remove user rights it has to Customer’s data processing systems (if any), except to the extent that Supplier is under a statutory obligation to continue storing such Personal Data. In such event any further processing of the Personal Data is prohibited, except to the extent required by law. On Customer’s request, Supplier shall confirm the deletion in writing.
As Supplier will either delete or return Personal Data within a reasonable time period following the date of termination or expiration of the Service Agreement, Customer should ensure prior to such termination or expiration that it has copies or backup files of the Personal Data processed by Supplier, if it considers it necessary.
LIMITATION OF LIABILITY
Subject to the liability cap mentioned in the Service Agreement, Supplier shall indemnify Customer, and Customer shall indemnify Supplier for (i) administrative fines paid by the indemnified party and imposed on it by the competent supervisory authority, and (ii) direct damages paid by the indemnified party to data subjects based on a settlement (agreed by the indemnifying party) or final judgement, if the claim against the indemnified party results from breach of this Agreement or applicable data protection law by the indemnifying party, and only to the extent such breach is attributable to the indemnifying party. The indemnifying party shall provide, at its own cost, all reasonable support to the indemnified party in defending the claim. Neither Party shall be liable to the other Party for any indirect or consequential loss or damage, including but not limited to any loss of profits, revenue, reputation or goodwill.
Notwithstanding anything to the contrary in the Service Agreement, both Parties’ total and aggregate liability to the other Party for indemnification payments as described above and for breaches of this Agreement shall be limited cumulatively to the total amount of license fees paid by Customer to Supplier during a 12month period of the Service Agreement prior to the first breach.
This Agreement enters into force on the first date of signature. This Agreement shall continue to be in force until the Service Agreement or any other agreement between the Parties relating to processing of personal data is terminated or expires.
Compliance with laws. Either Party shall comply with the provisions of the data protection laws that specifically apply to its role and operations. More particularly, either Party shall comply with the requirements of Regulation and the applicable EU member state’s data protection law implementing Regulation, as of when they become enforceable and as far as they specifically apply to its operations. In the event any such statutory provision requires this Agreement to be amended, upon request of either Party, the necessary amendments shall be discussed in good faith, documented in writing and duly signed by both Parties.
Appendix 1: Description on the Processing of Personal Data
Supplier performs Services to Customer that will include processing of Personal Data by Supplier as further specified below with respect to: (a) the purpose of the Processing of Personal Data; (b) the categories of data subjects and categories of personal data; (c) the applicable information security measures; and (d) duration of the Processing of Personal Data under the Agreement, as further agreed below.
The purpose of the processing of Personal Data
Supplier shall process Personal Data on behalf of Customer as a data processor for the purposes of providing platforms and solutions for enterprise communications and for services relating thereto, to the extent such provision of services requires processing of Personal Data on behalf of Customer.
The categories of data subjects and categories of personal data
Primarily organisation employees of Customer, unless specified in advance by the Customer and agreed by Supplier. By default all organisations Google G Suite users.
The categories of personal data mainly include:
Full user profiles and personal data within them, synchronized from G-Suite directory. This includes:
- User google id
- User name
- User emails
- User phone numbers
- User addresses
- User organisation profile (title, cost center, manager, address)
By default this does not include categories of sensitive personal data
Full indexing of Google Sites and all personal data they might contain
- Happeo user id
- Happeo organisation id
- Content including personal data added directly by the Customer to Happeo content management system
The Supplier does not control or generally review what kind of personal data the Customer puts into the service (see section 2).
The applicable information security measures
Supplier ensures that the organisation, employees, subcontractors and processes are validated to Supplier standards and information security policies.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing carried out by Supplier hereunder as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Supplier shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Such measures shall include, where appropriate and relevant for each processing action:
the pseudonymisation and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- Google Ireland Ltd. (Ireland) (Privacy Shield)
- Pusher Ltd. (UK) (GDPR Compliant)
- The Rocket Science Group, LLC. (US) (Privacy Shield)
- Functional Software Inc. (US) (Privacy Shield)
- Stripe Payments Europe Ltd. (Ireland) (Privacy Shield)
- HubSpot Inc. (US) (Privacy Shield)
- Segment.io Inc. (US) (Privacy Shield)
- SC AESIR TECHNOLOGY SRL (Romania)
- Varga Consulting Oy (Finland)
Duration of the processing of Personal Data under the Agreement
Personal Data shall be processed by the Supplier on behalf of the Customer until the Service Agreement or any other agreement between the Parties and when the Service Agreement or any other Agreement has been terminated or has expired.