Terms of Service

Introduction

Please read these Terms of Service (the “Terms”) carefully before using the services provided through the website precisely.se, operated by Precisely AB (”Precisely, “we”, “us” or “our”), a company incorporated under the laws of Sweden.

Your access to and use of our contract management platform (the “Platform”) is conditioned on your acceptance of and compliance with these Terms and its appendices. These Terms apply to all visitors, users and others who access or use our Platform.

If you are using the Platform on a free trial or otherwise free subscription, the following clauses does not apply to you: 7.4, 10.4, 13.1-13.3 and 14.1-14.9.

By accessing or using our Platform you agree to be bound by these Terms.

Please direct questions related to these Terms to legal@precisely.se.

1. Definitions and Interpretations

Account” means, in these Terms, a personal password-protected account used to identify specific Users during use of the Service.

Content” means, in these Terms, all documents and all other information provided by a User to the Platform.

Platform” means, in these Terms, the contract automation platform provided by us at app.precisely.se, or when applicable, at your designated domain.

Site” means, in these Terms, the website precisely.se

Service” means, in these Terms, access to and use of the Platform and/or the Site

Precisely”, “we”, “us” or “our” refers to, in these Terms, Precisely AB, company registration no 556963-5286, a company registered under the laws of Sweden, with its registered office at Kämpegatan 10, 411 04 Göteborg, Sweden.

User” means, in these Terms, your users of the Service.

You” or “your” means, in these Terms, the legal entity executing these Terms.

Third Party Applications” means, in these Terms, online, web-based applications and offline software products or services that are (a) provided by third parties, (b) interoperate with us, and (c) may be either separate or conjoined with us and whether or not such are indicated by us as being third-party applications.

The definitions above shall apply in these terms regardless if they are capitalized or not.

2. The Platform

2.1 The Platform is a contract automation platform to manage the complete contract lifecycle, allowing Users to, inter alia,

  • author contracts and set up contract workflows to be shared and used by your entire organization
  • collaborate with internal and external parties in relation to contracts, and to review, edit and comment on contracts
  • sign contracts electronically
  • upload and store contracts in a digital archive, and
  • analyze and monitor contracts and metadata.

3. Payment

3.1 If you have entered into a separate Proposal with Precisely, the fees applicable for using the Platform (“Fees”) are stated in the Proposal agreement between you and Precisely.

If you have signed up directly on our website, the Fees are available on the Site and/or in our then current published price list.

You are responsible for any taxes and for all other charges (for example, bank fees, provision fees (or other fees charged by your bank), data charges and currency exchange settlements). The price stated for the Service excludes all taxes and VAT charges, unless stated otherwise.

3.2 Payment shall always be made in advance for the entire term of Service, i.e. monthly or yearly, unless specifically agreed otherwise. You will pay the Fees in the currency we have quoted for your account or in the Proposal. We reserve the right to change the quoted currency at any time.

3.3 We are entitled to adjust the prices for the Service from time to time according to the Harmonised Index of Consumer Prices (HICP) Adjusted prices shall take effect upon any subsequent term of Service. Payment shall be made by bank transfer to our bank account or via online payment at the Platform as stipulated in the invoice, as noted on the Platform or as otherwise instructed by us from time to time. We may do invoicing to the e-mail address given by the User.

3.4 We will of course notify you in advance, either through the Service or to the email address you have most recently provided to us, if we change the price of the Service. If there’s a specific length and price for your Service offer, that price will remain in force for that time. After the offer period ends, your use of the Service will be charged at the new price. If your Service is on a period basis (for example, monthly) with no specific length, we will notify you of any price change at least 30 days in advance. If you don’t agree to these changes, you must cancel and stop using the Service via filling out a form no later than fourteen (14) days prior to the conclusion of your current payment term, whether monthly, yearly, or otherwise.

3.5 In addition to any Fees, you may still incur charges incidental to using the Service, for example, charges for Internet access, data roaming, and other data transmission charges.

3.6 You must be authorized to use the payment method that you enter when you create a billing account. You authorize us to charge you for the Service using your payment method and for any paid feature of the Service that you choose to sign up for or use while these Terms are in force.

You must keep all information in your billing account current. You can access and modify your billing account information in your Account.

You may change your payment method at any time. If you tell us to stop using your payment method and we no longer receive payment from you for the paid Service, we may cancel that Service. Your notice to us will not affect charges we submit to your billing account before we reasonably could act on your request.

3.7 If you cancel, your Service ends at the end of your current Service period or, if we bill your account on a period basis, at the end of the period in which you canceled. If you fail to cancel as required, we will automatically renew the Service for the same term and will charge your payment information on file with us commencing on the first day of the renewal term or in accordance with the Proposal agreement between you and Precisely.If we do not receive payment on the due date, your Account will be frozen, inaccessible, and all shared links will be turned off until all outstanding payments have been processed by us.

3.8 Unless we notify you otherwise, if you’re participating in any trial period offer, you must cancel the Service by the end of the trial period to avoid incurring new charges. If you do not cancel your Service and we have told you the Service will convert to a paid subscription at the end of the trial period, you authorize us to charge your payment method for the Service.

3.9 Except as prohibited by law, we may assess a late charge if you do not pay on time. You must pay these late charges after the invoice is overdue. The late charge will be the lesser of 8 percent of the unpaid amount each year or the maximum rate permitted by law. You must pay for all reasonable costs we incur to collect any past due amounts, including reasonable attorneys’ fees and other legal fees and costs. We may suspend or cancel your Service if you fail to pay in full on time.

4. Amendments

4.1 We may update and change any part or all of these Terms at any time and for any reason, including the fees and charges associated with the use of the Service (but, your fees and charges won’t change during the term of your subscription except as we explain in the ‘Payment’ section above.) If we update or change these Terms, the updated Terms will be posted at http://www.precisely.se/terms and we will let you know via email or in-app notification. The updated Terms will become effective and binding on the next business day after it is posted.

All new functionality and features introduced to the Platform will be subject to what is stipulated in these Terms.

5. Changes to the Platform

5.1 We strive to deliver improvements to the Platform to you as soon as possible and do deployments every week. Therefore we reserve the right to modify the Platform at any time including, but not limited to, (i) functionality, (ii) features, and (iii) services, Notice of at least 60 days will be given for major changes that my negatively affect workflow or functionality. The main meta data of the managed contracts and all necessary data on the content of a contract will be preserved.

All new functionality, features or services introduced to the Platform will be subject to what is stipulated in these Terms.

We will take best efforts to keep the Platform operational and fully functional during changes described above.

6. Code of Conduct

6.1 You may use the Platform for lawful purposes only. You agree that when using the Platform or communicating via the Platform you may not use the Platform to post, transmit or otherwise distribute illegal material.

You further agree to the following:

  • You shall not defame, abuse, harass, threaten or otherwise violate the legal rights of others or of any third party, including us,
  • You shall not in any manner publish, post or – in any other way express – any material or information that is, defamatory, infringing, obscene, pornographic, racist, terrorist, , indecent or unlawful,
  • You shall not contribute to destructive activities such as dissemination of viruses, spam or any other activity that might harm the Platform, its Users or us in any way,
  • You shall not monitor the Service’s availability, performance or functionality for any competitive purpose, meaning, inter alia, that you agree not to access the Service for the purpose of developing or operating a competitive product or service or copying the Service’s features or user interface.

6.2 If we find that you are violating these Terms or any other provisions set up by us or our affiliates, we reserve the right to suspend or revoke your access to the Platform.

We advise you to use the Platform carefully and to keep in mind that legal documents distributed by you or other users might be subject to non-disclosure provisions and/or contain trade secrets or other sensitive information.

7. Content

7.1 The Platform includes functions for uploading, posting, linking and communicating and otherwise making Content available to others. You are at all times responsible for all distribution or other actions under your designated Account(s).

7.2 By uploading Content to the Platform you warrant that you are either the owner of the uploaded Content or that you hold a valid license to such Content from the appropriate rights holder and that the Content or your use of the Content is in no way a violation of any national or international legislation. We will not supervise whether any Content is lawfully uploaded or distributed through the Platform. If you have any complaints or other questions related to any Content, please contact legal@precisely.se.

7.3 By posting Content to the Platform you are aware that, depending on the settings of your Account(s) and as a function of sharing contracts and documents with third parties such Content might be shared with others, for example your counterparties or other persons you invite, and Precisely’s sub-processors and vendors used to maintain the Platform.

7.4 If Content should be lost and not recoverable within 14 days and it is mainly at fault of Precisely, Precisely will pay as liquidated damage EURO 200,– per document up to 15% of the annual license fee per annum.

7.5 Precisely will provide best practice backup for the database and the files according to current state-of the art.

7.6 We do not take any responsibility with regards to the validity of Content provided by you or any other user.

8. Registration and Accounts

8.1 By registering an Account on behalf of a legal entity the user warrant that such user has the legal capacity to enter into these Terms on the behalf of you and use the Platform as an Admin. For the sake of clarity, since each Account is personal, you are also obliged to ensure that only one physical person may use each individual Account.

8.2 When you register yourself on the Platform you shall provide current, true and complete information requested in the registration form. You are responsible for keeping such information updated and complete.

8.3 You agree that you will be entirely responsible for any and all access or your use of the Platform under your Account(s) and that you are liable for all actions and activities conducted under your designated Account.

8.4 You are responsible for your users’ personal passwords and warrant to treat them as sensitive and confidential information. We further advice you to use personal passwords with sufficient password strength and to change the personal passwords at regular intervals to prevent unauthorized access.

8.5 We reserve the right to terminate any Account(s) if activities occur which constitutes or may constitute a violation of these Terms or of any applicable local or international laws, rules or regulations.

9. Intellectual Property

9.1 The Platform and its original content, features, functionality, and design elements are and will remain the exclusive property of Precisely and it’s licensors. Our intellectual property may not be used in connection with any product or platform without the prior written consent of Precisely.

9.2 The User generated meta data belongs solely to the User.

10. Limitation of Liability

10.1 We are, with the limitations set out below, liable towards you for damages caused by our negligence, regardless of what legal ground you use for such claim.

10.2 Unless set out in the Agreement, we are not liable for damage caused by modifications or changes to the Service made according to your instructions or performed by anyone other than us (including but not limited to changes made by you or on your behalf).

10.3 We are not, under any circumstances and with the exemption of Sec. 7 above, liable for your loss of profit, revenue, savings, or goodwill, loss due to operational, power or network interruptions, loss of data, your potential liability towards a third party or indirect or consequential damages of any kind.

10.4 Except for breaches referred to in Appendix 1, the mutual total and aggregate liability under these Terms is, for each calendar year and regardless of the number of damages, limited to the fees paid by you during the 12 months period prior to the time when the damage(s) occurred.

10.5 If you use the Service under a trial or otherwise free subscription, our aggregate liability, regardless of the number of damages, is limited to EUR 100. Our liability for Third Party Applications will never exceed such amount as we are entitled to reclaim from the provider(s) of such Third-Party Application.

10.6 We are not liable for damages unless you notify us in writing thereof no later than 90 days after you noticed or should have noticed, the actual damage or loss, however no later than six (6) months from when the damage occurred.

10.7 For the avoidance of doubt, you acknowledge and agree that any and all agreements between you and any other party is made on your own risk and that we are not responsible for any of your loss or damage in relation to such agreements. Neither the templates provided by us, nor any Content, are intended as legal advice and we recommend third party supervision before using the documents for any purpose. We undertake no responsibility with concern to the legal outcome when using the Platform or Content.

11. Third Party Applications

11.1 You acknowledge that we may allow providers of Third Party Applications to access Content as required for the interoperation of those Third Party Applications with the Service, without prejudice to Appendix 1, Data Processing Agreement.

12. Personal data

12.1 You acknowledge that you are the data controller for any personal data processed by us on behalf of you in relation to the Service and that we are considered to be your data processor. We and you have therefore agreed to enter into the Data Processing Agreement (Appendix 1), which shall remain effective independently of the Terms otherwise for as long as we process personal data on behalf of you.

The requirements of the processing of personal data outside of the European Union based on the CJEU 16.07.2020 C‑311/18 decision will be met by the parties.

13. Indemnification

13.1 Precisely shall defend You against any claim, demand, suit, or proceeding made or brought against You by a third party alleging that the use of the Services as permitted hereunder infringes or misappropriate the intellectual property rights of a third party (a “Claim Against You”), and shall indemnify You for any damages, attorneys’ fees and other costs finally awarded against You as a result of, and for amounts paid by You under a court approved settlement of, a Claim Against You; provided that You:

  • promptly give Precisely written notice of the Claim Against You;
  • give Precisely sole control of the defense or settlement of the Claim Against You( provided that You may not settle any Claim Against You unless the settlement unconditionally releases You of all liability); and
  • provide to Precisely reasonable assistance, at Precisely’s expense. If Precisely receives information regarding an infringement, misappropriation, or other claim, Precisely may at Precisely’s discretion, and at no cost to You:

i) modify the Services, so that they no longer infringe, misappropriate, or give rise to any other claim;

ii) obtain a license for Your continued use of the subject Services in accordance with these Terms ; or

iii) terminate Your Subscription for such Services upon 30 days’ written notice and refund to You any prepaid fees covering the remainder of the term of the terminated Subscription.

13.2 Precisely shall have no obligation to indemnify You to the extent any Claim Against You arises from Your breach of these Terms.

13.3 You shall defend Precisely against any claim, demand, suit or proceeding made or brought against Precisely by a third party alleging that the User Data, or the use of the Services by You are in breach of these Terms, infringe or misappropriate the property rights of a third party or violates Applicable Law, and shall indemnify Precisely for any damages, attorneys’ fees and other costs finally awarded against Precisely as a result of, or for any amounts paid by Precisely under a court-approved settlement of a claim against Precisely, provided that Precisely:

  • promptly gives You written notice of the claim against Precisely;
  • give You sole control of the defense or settlement of the claim against Precisely (provided that You may not settle any claim against Precisely unless the settlement unconditionally releases Precisely of all liability); and
  • provides You with all reasonable assistance, at Your expense.

14. Confidentiality

14.1 “Confidential Information” means (a) any technical and business information relating to proprietary ideas, patentable ideas and/or trade secrets, existing and/or contemplated products and services, research and development, production, costs, profit and margin information, finances and financial projections, clients, marketing, and current or future business plans and models, regardless of whether such information is designated as “Confidential Information” at the time of its disclosure; (b) any product information of Precisely’s Services as well as data transferred via the Services; (c) in addition to the above, Confidential Information shall also include, and the Parties shall have a duty to protect other confidential and/or sensitive information which is (I) disclosed as such in writing and marked as confidential (or with other similar designation) at the time of disclosure; and/or (II) disclosed in any other manner and identified as confidential at the time of disclosure and which is summarized and designated as confidential in a written memorandum delivered within 30 days after the disclosure; and (d) excludes any information that is (I) is in possession of a Party prior to its receipt from the other Party; (II) is or becomes publicly known without a breach of this section 12.; (III) is developed independently by the other Party; or (IV) is received from another source who can disclose it lawfully and without an obligation to keep it confidential.

14.2 The Parties shall only use the Confidential Information for the Purpose and shall not disclose the Confidential Information to third parties. Either Party may disclose the other Party’s Confidential Information if required by law as long as the other Party will be informed promptly by written notice (to the extent permitted by law) of the requirement prior to the disclosure and assistance will be provided to the other Party in obtaining an order protecting the information from public disclosure. Neither Party shall reverse engineer, disassemble, or decompile any prototypes, software, samples, or other tangible objects that embody the Confidential Information.

14.3 The Parties acknowledge that the Confidential Information is a valuable, special, and unique asset for each Party which shall be protected with the highest standard of care. Therefore, the Parties agree that they shall not disclose, utilize, employ, exploit or in any other manner use the Confidential Information disclosed by the other Party for any other reason than the Purpose. The Parties shall limit disclosure of Confidential Information within their own organization to those directors, officers, partners, contractors and/or employees having a need to know and shall not disclose Confidential Information to any third party without prior written consent of the other Party. Before disclosure, each Party must ensure that the recipients are required to protect the Confidential Information on terms as protective as this section 12. and accept responsibility for each recipient’s use of Confidential Information. Upon request, the Parties shall provide each other with a complete and updated list of all such recipients. The Parties shall take reasonable measures to protect the secrecy of and avoid disclosure and/or unauthorized use of the Confidential Information. A Party shall promptly notify the other Party of any actual or suspected unauthorized use or disclosure of the Confidential Information.

14.4 In the event that a Party discloses Confidential Information in violation of this section 12., the Party in breach shall notify the other Party in writing of such disclosure immediately upon discovery of the violation and no later than 5 business days after such disclosure.

14.5 Neither Party shall be obliged to disclose or provide any Confidential Information to the other Party. Nothing in this section 12. shall obligate the Parties to purchase any service, goods, or intangibles from the other Party or to proceed with any transaction between them or contemplated by this section 12.

14.6 ALL CONFIDENTIAL INFORMATION IS PROVIDED “AS IS.” THE PARTIES MAKE NO WARRANTIES, EXPRESS, IMPLIED, OR OTHERWISE, REGARDING THE ACCURACY, COMPLETENESS, OR PERFORMANCE OF ITS CONFIDENTIAL INFORMATION. EACH PARTY REPRESENTS AND WARRANTS THAT IT HAS THE RIGHT TO DISCLOSE ALL CONFIDENTIAL INFORMATION PROVIDED TO THE OTHER PARTY. THE PARTIES SHALL INDEMNIFY AND DEFEND EACH OTHER FROM ALL THIRD-PARTY CLAIMS RESULTING FROM THE NEGLIGENT OR WRONGFUL DISCLOSURE OF THIRD PARTY’S CONFIDENTIAL INFORMATION.

14.7 All documents and other tangible objects containing or representing Confidential Information and all copies of them shall be and remain the property of the disclosing Party and shall be promptly returned to this Party or destroyed (with proof of such destruction), each within 14 days of the written request or upon the termination of the Parties’ business relationship.

14.8 Nothing in this section 12. is intended to grant any rights in or to the Confidential Information, including without limitation, under any patent, copyright, or other intellectual property right of the other Party.

14.9 Each Party acknowledges that any violation or threatened violation of this section 12. may cause irreparable injury to the other Party, entitling the other Party to seek injunctive relief in addition to all legal remedies.

15. Duration And Termination

15.1 These Terms are considered to be in effect from the day you accept them, i.e. when you first access or use the Platform and cease to be in effect when you terminate your Account(s). Upon termination, your right to use the Platform will immediately cease. Precisely may assist you in exporting all your data, however this may be subject to an additional cost.

16. Severability

16.1 If any provision of these Terms between us and you is held to be invalid or unenforceable, such provision shall be limited, modified or severed to the minimum extent necessary to eliminate its invalidation or unenforceability so that these Terms otherwise remain in full force, effect and enforceable.

17. Dispute resolution

17.1 Any dispute, controversy or claim arising out of or in connection with this contract, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Rules of the Arbitration Institute of the Stockholm Chamber of Commerce for expedited arbitration procedure.

The seat of arbitration shall be Stockholm, Sweden.

The language to be used in the arbitral proceedings shall be English.

This contract shall be governed by the substantive law of Sweden.

Latest updated: October 17, 2023.

Appendix 1 – Data Processing Addendum

Welcome to Precisely’s Data Processing Addendum (which we’ll refer to below as the or this “DPA”) – an appendix to our general terms of service. We’ll process personal data for which you are the data controller under applicable data protection law. Since you determine the purposes and means of the processing of personal data within and through the Platform, we’ll refer to you as the “Controller” in this DPA. Furthermore, Precisely and the Controller will individually be referred to as a “Party” and jointly the “Parties”.

Introduction

A. This DPA provides for the Controller and our respective obligations in relation to Personal Data processing. This DPA applies to all activities where we get in contact with Personal Data of the Controller including, but not limited to the Personal Data regarding the Controller’s Users and other affected natural persons, in connection with the Platform, or other services provided to the Controller by us.

B. We are only allowed to process Personal Data in accordance with the Controller’s documented instructions and in the Controller’s interest.

C. Any reference made to “data protection laws” or similar in this DPA shall be understood to include, but not be limited to, the EU General Data Protection Regulation (2016/679) (the “GDPR”).D.If we’re also providing services and/or products under this DPA to the Controller’s Affiliates, or otherwise gain access to the Affiliate’s data relating to identified or identifiable natural person(s) for the purposes of fulfilling the Main Agreement, such data shall be regarded as Personal Data and this DPA shall be applicable to our processing of such Personal Data. Such Affiliates have the same rights and obligations as the Controller under this DPA.

E. This DPA is an integral part of the Terms and/or any similar agreement executed between us and the Controller (“Main Agreement”). In the event of any conflict between the terms of the Main Agreement and the terms of this DPA, this DPA shall prevail with respect to the subject matter of this DPA.

1. Definitions

1.1 Affiliate
Affiliate shall mean, in this DPA, companies:
(a) directly or indirectly owning or controlling the Controller;
(b) under the same direct or indirect ownership or control as the Controller; or
(c) directly or indirectly controlled by the Controller.

Control or ownership shall be understood to exist through direct or indirect ownership of fifty percent (50%) or more of the nominal value of the issued equity share capital or of fifty percent (50%) or more of the shares entitling the holders to vote for the election of the members of the board of directors or persons performing similar functions or the minimum share entitling to control prescribed in applicable legislations in such jurisdictions where the ownership of fifty percent (50%) or more would not be possible.

1.2 Commissioned Processing of Personal Data
Commissioned Processing of Personal Data is the access to Personal Data by us as well as collection, modification, transfer, blocking, deletion, storing, hosting or any other type of processing of Personal Data by us on behalf of the Controller in connection with the Main Agreement and as further specified under this DPA.

1.3 Data Subject
A Data Subject is a natural person whose Personal Data is being processed by us on behalf of the Controller under this DPA and the Main Agreement.

1.4 Instruction
We shall process Personal Data in accordance with the Controller’s written instructions. The initial instructions are set forth in Sub-Appendix A to this DPA. Subject to the terms of this DPA, the Controller can change, amend or replace these initial instructions by single instructions in writing (of course, including in electronic form) at any time.

1.5 Personal Data
Personal Data is any data relating to an identified or identifiable natural person(s) as defined in the applicable data protection laws, and that is subject to Commissioned Processing of Personal Data.

1.6 Personal Data Breach
Personal Data Breach is an accidental, unlawful or unauthorized destruction, loss, alteration, disclosure of or access to the Personal Data as well as any events endangering the security, confidentiality or integrity of the Personal Data.

2. Scope of the Commissioned Processing

2.1 We shall process or otherwise use Personal Data solely on behalf of the Controller and according to the Controller’s Instructions as set out in this Section 2 and Sub-Appendix A (Instructions on processing Personal Data) and the requirements of the applicable data protection laws.

2.2 In addition to the Instructions set forth in Sub-Appendix A to this DPA, the Main Agreement and our performance thereof shall be the Controller’s documented Instructions to us in respect of processing of Personal Data. The Parties may modify or supplement Sub-Appendix A during the term of the Main Agreement and this DPA by concluding an amendment to Sub-Appendix A, which shall be made in writing and which shall incorporate all of the substantive terms as set forth in Sub-Appendix A in an unchanged form. The Controller shall pay us reasonable compensation for all work and costs for us to accommodate such documented instructions by the Controller that are (1) not commercially reasonable to accommodate (for instance. instructions that would require the Platform – or the technology setup required to uphold the Controller’s instructions – to be specially adapted for the Controller) and (2) are not generally expected and appropriate for the scope of services we offer. We may suggest new or amended instructions as reasonably required in the opinion of us (for instance, due to changes in the Platform or the Terms) and while it is the Controller’s right to approve or reject such instructions, in case the Controller should not approve the instructions as suggested by us, section 11.4 shall apply.

3. Our obligations

3.1 As stated in section 2 above, we shall only collect, process or utilize Personal Data in accordance with the Instructions of the Controller and applicable laws and not for other own purposes or purposes of third parties. The Controller shall confirm any oral instructions in writing or via email. Where we believe that compliance with any Instructions by the Controller would result in a violation of applicable law on data protection, we shall immediately notify the Controller thereof.

3.2 Taking into account the costs of implementation, the state of the art, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall ensure, within our area of responsibility, the implementation and compliance with the agreed and appropriate technical and organizational measures as defined in Sub-Appendix C. In particular, we shall take such technical and organizational measures to protect the Personal Data against accidental, unlawful or unauthorized destruction, loss, alteration, disclosure and access as well as against other events that endanger the security, confidentiality or integrity of the Personal Data, including inter alia as appropriate:

(a) the pseudonymisation and encryption of Personal Data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

For the avoidance of doubt, we may take other or additional measures as required due to new or amended legislation, or as a result of decisions by public authorities.

3.3 We shall upon the Controller’s request, provide to the Controller the information necessary to fulfill its obligation to register the outsourced personal data processing, such as persons being instructed with data processing, statutory periods for the deletion of data and purposes for the data processing.

3.4 We shall inform the Controller in the event of (i) substantial disruptions of the Service, (ii) possible infringements of applicable data protection laws or of this DPA by us, our employees or third parties, and (iii) any other irregularity in relation to the processing of Personal Data.

3.5 We shall inform the Controller if the Personal Data will be at risk on the site of us by distrainment, seizures, insolvency or bankruptcy measures or by any other activities or measures of third parties. We shall inform all people responsible in this context that the Personal Data is in the sovereignty of the Controller.

3.6 All data storage media, if any, and all copies or reproductions thereof shall remain the property of the Controller. We shall at any time give information to the Controller relating to its Personal Data and materials. According to the Controller’s individual orders, we shall be responsible for the erasure of test or excess data and materials in compliance with data protection requirements, except in certain cases, to be defined by the Controller, where storage and/or disclosure of the test or excess data shall be performed.

3.7 The data in rest is stored in servers within the European Union. We may not transfer Personal Data to countries outside the EEA without prior written approval and will subject to applicable legal requirements in respect of the protection of Personal Data in relation to such transfers being observed. In other words, will only make such transfers in a compliant and lawful manner, in accordance with applicable data protection law.

3.8 Finally, if a Data Subject, public authority or third party requests information from us relating to the processing of Personal Data, we shall refer such request to the Controller and await the Controller’s instructions.

4. Notification obligation

4.1 In case of a Personal Data Breach, we shall, without undue delay and, if possible, no later than 24 hours after having become aware of the Personal Data Breach, notify the Controller of the Personal Data Breach in writing. The notification shall, to the extent such information is available to us, contain all necessary information required for the Controller to be able to fulfill its reporting and disclosure obligations to the relevant public authority and Data Subjects.

4.2 We shall, without undue delay after becoming aware of any further details surrounding the Personal Data Breach, supplement the notification described above in Section 4.1 as well as provide the Controller with and any other information relating to the respective Data Breach as reasonably requested by the Controller and available to us.

4.3 We will document any Personal Data Breaches, comprising the facts surrounding the breach, its effects and the remedial actions taken. This documentation must enable the supervisory authority to verify compliance with this Section 4. The documentation will only include information necessary for such purpose.

5. Confidentiality

5.1 Each Party shall keep confidential all material and information, including but not limited to Personal Data, marked as confidential or that should be understood to be confidential, regardless of whether personal, technical, financial or commercial and received in whatever form from the other Party (‘Confidential Information’). A Party shall have the right to:

(i) use Confidential Information only for the purposes of this DPA and the Main Agreement;

(ii) copy Confidential Information only to the extent necessary for the purposes of this DPA and the Main Agreement; and

(iii) disclose Confidential Information only to those of its employees, subcontractors or advisors that need the Confidential Information for the purposes of this DPA and the Main Agreement. The disclosing Party is responsible for ensuring that the parties that receive Confidential Information comply with the terms relating to confidentiality agreed in this DPA.

5.2 The confidentiality obligation set out in this section 5 shall not, however, be applied to any material or information

(i) that was in the possession of the receiving Party prior to receipt of the same from the other Party without any obligation of confidentiality related thereto;

(ii) that is generally available or otherwise public, other than if it is public through a breach of this DPA or the Main Agreement on the part of the receiving Party;

(iii) that a Party has received from a third party without any obligation of confidentiality;

(iv) that a Party has independently developed without using any material or information received from the other Party;

(v) that a Party is obliged to disclose pursuant to Law or other order issued by a supervisory authority.

5.3 Each Party shall cease using Confidential Information received from the other Party promptly upon the termination of this DPA or the Main Agreement or when the respective Party no longer needs the Confidential Information in question for the purposes of this DPA and/or the Main Agreement and shall return or destroy the material in question (including all copies thereof). Each Party shall, however, be entitled to retain copies as and to the extent required by the applicable law.

5.4 Each Party guarantees the observance and proper performance of this DPA by its personnel and advisors to whom Confidential Information may be disclosed pursuant to this Clause 5.

5.5 Each Party shall cease using Confidential Information received from the other Party promptly upon the termination of this DPA or the Main Agreement.

5.6 The confidentiality obligations set out in this section 5 shall survive any termination or cancellation of this DPA or the Main Agreement.

6. Obligations of the Controller

6.1 The Controller warrants that all data used in the Service are collected, processed and utilized fairly and lawfully with respect to one or several of the legal grounds stipulated in the GDPR and other applicable law. Such requirements include, but are not limited to, the provision of information about processing of Personal Data to Data Subjects concerned.

6.2 Furthermore, the Controller shall inform us of the content and significance of applicable data protection law to the extent relevant for the processing of Personal Data carried out under this DPA as well as supervisory authorities’ actions and decisions in respect of such processing of Personal Data. For the avoidance of doubt, and without prejudice to your right to instruct us on how to process Personal Data, we are not obligated to comply or take any measures due to such information as referred to in this section unless required by applicable data protection law.

7. Obligation to Assist

7.1 If the Controller, on the basis of applicable data protection laws, is obliged to answer to inquiries from Data Subjects on the collection, processing or utilization of Personal Data relating to such Data Subject, upon request of the Controller, we shall support the Controller in order to provide such information. We shall pass on such inquiries of affected Data Subjects to the Controller for answering these inquiries. We shall adequately support the Controller in this respect. Unless otherwise agreed in writing, the Controller shall adequately reimburse us for any reasonable incurring costs in connection with the fulfillment of the duties of this Section 7.

7.2 If the Controller, on the basis of applicable data protection laws, is obliged to erase or rectify Personal Data, we shall erase or rectify that Personal Data also from our data registers, upon the request of the Controller. Unless otherwise agreed in writing, the Controller shall adequately reimburse us for any reasonable incurring costs in connection with the fulfillment of the duties of this Section 7.

7.3 We shall assist the Controller also in the fulfillment of the Controller’s other obligations under the applicable data protection laws.

8. Audits

8.1 The Controller may itself or if required by his own customers by them– or, if required by us, by a third party being subject to statutory professional confidentiality obligations – upon reasonable notice carry out an audit at our office(s), during our usual business hours and without disturbing our business processes, to convince itself of our compliance with the technical and organizational measures, this DPA and data protection laws. We shall tolerate such audit and shall support the Controller in such audit. Furthermore, we shall provide to the Controller, upon written request, within a reasonable period all information, which is necessary to carry out a comprehensive review of the Commissioned Processing of Personal Data and release those persons from their confidentiality obligations vis-à-vis the Controller for the purpose of the audit. However, we are not under any circumstances obliged to disclose business and trade secrets, operational know-how and other data being protected by law, such as data of other controllers, within such an audit. Controls and audits if not based on a clear suspicion on any data related violation shall be announced at least thirty (30) days in advance and shall be coordinated with us. Any costs of such controls and audits, including possible costs of us in relation to the audit, shall be fully borne by the Controller.

8.2 In the event an audit or an information request from a regulatory authority supervising the Controller’s or the Controllers Customers business, we shall assist the Controller in answering the request and organizing the audit. We shall always allow any such regulatory authority to conduct audits of our operations. Each Party shall bear its own costs in connection with audits initiated by such regulatory authority.

9. Subprocessors

9.1 Controller agrees that we may use sub-processors to fulfill our contractual obligations under this DPA and to provide certain services on our behalf. We shall inform Controller of the names of the sub-processors that are used and what kind of service the sub-processors performs, as well as the geographical location where their processing activities in respect of the Personal Data are performed. The current list of sub-processors are attached as Sub-Appendix B hereto. We will restrict the sub-processors’ access to Personal Data only to what is necessary to maintain the Service (or other products/services provided by Precisely to the Controller) and we will prohibit the sub-processors from accessing Personal Data for any other purpose. The Controller may object to the addition of new sub-processors.

9.2 We differentiate between Essential Sub-processors to Non-essential Sub-processors.

  • Essential Sub-processors are third-party sub-processors that provide critical infrastructure, functionality, or services without which the primary processing services would be significantly impaired or rendered inoperable. The use of Essential Sub-processors is mandatory and the Controller does not have the option to opt out from the utilization of these sub-processors for the delivery of the primary processing services.
  • Non-essential Sub-processors: are third-party sub-processors that provide supplementary or optional services, functionalities, or enhancements to the primary processing services. The use of Non-Essential Sub-processors is not mandatory for the basic operation and delivery of the primary processing services. Controllers have the option to opt out from the utilisation of these sub-processors upon request, without compromising the core functions of the primary services.

9.3 We are liable for each sub-processor’s obligations regarding the processing of Personal Data.

9.4 We shall inform the Controller of any intended changes concerning the addition or replacement of other sub-processors that process Personal Data. Accordingly, we are giving the Controller the opportunity to object to such changes if there are objectively valid reasons for such objection and the Controller informs us of the objection within a reasonable time after being informed about the new sub-processors. We shall remain fully liable to the Controller for the performance of that other processor’s obligations if a sub-processors fails to fulfill its data protection obligations.

10. Liability

10.1 The Parties agree that the general principle of division of responsibility between the Parties under this DPA relating to fines and/or damages to the Data Subjects imposed by any relevant supervisory authority and/or competent court authorized to impose such fines or damages is based on the respective Party’s need to fulfill its obligations under the applicable data protection laws and that any fines and/or damages to the Data Subjects imposed by a supervisory authority and/or competent court shall be paid by the Party that has failed in its performance of its legal obligations under the applicable data protection laws.

10.2 Precisely shall indemnify and hold harmless the Data Controller upon the Data Controller’s first demand insofar as third parties (Data Subjects in particular) make claims against Preicselyr on the grounds of an infringement of their personal rights or of data protection law where such infringement is caused by actions of Precisely in intentional or gross negligent violation of this DPA. The obligation to indemnify is – except in cases of willful intent or in relation to personal injuries or death – capped with the amount of fees paid by the Controller in the 12 months immediately before the infringing incidence.

11. Term and Termination

11.1 This DPA shall be concluded for an indefinite period of time, and shall automatically be terminated in case of termination of the Main Agreement for any reason. Either Party’s right to terminate this DPA for cause shall remain unaffected.

11.2 If we materially breach our obligations under this DPA and fail to remedy such breach within thirty (30) days from the Controller’s written notification of the breach to us, the Controller shall have the right to terminate the Main Agreement with immediate effect.

11.3 Upon termination of this Agreement for whatsoever reason, we shall give the Controller access to all data storage media and copies thereof as well as all Personal Data being in its possession to the Controller (by e.g. enabling the Controller to download documents including Personal Data) and shall thereafter delete any Personal Data stored with us. Upon request of the Controller, we shall confirm compliance with such obligations in >writing within four (4) weeks from such request.

11.4 If the Controller objects to our appointment of a subcontractor, or to our changes to the Service, and such objection prevents or significantly obstructs our ability to provide the Service, we have the right to terminate the Main Agreement with immediate effect. This also applies if the Controller’s objection would entail costs to us that are unreasonably high in light of the compensation that the Controller will pay us under the Main Agreement. In case of termination under this clause 11.4, the Controller shall not be entitled to any refund of fees paid for the Service and we are relieved of any and all liability for any damages caused by our termination.

12. General Provisions

12.1 Amendments and additions to this DPA must be in writing. This also applies to a waiver of the requirement for this DPA.

12.2 Should one or more clauses of this DPA and or the Main Agreement be or become invalid and/or unenforceable, the validity of the other clauses of this DPA and the Main Agreement shall remain unaffected thereby. In such case, the Parties shall amend this agreement and amicably replace the invalid clauses.

12.3 Swedish law shall govern this DPA.

12.4 Any dispute, controversy or claim arising out of or in connection with this contract, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Rules of the Arbitration Institute of the Stockholm Chamber of Commerce for expedited arbitration procedure. The seat of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English. This contract shall be governed by the substantive law of Sweden.

 

Sub-Appendix A – Instructions on Processing Personal Data

In addition to what is set forth in the DPA and the Main Agreement, the Controller instructs us to process Personal Data in accordance with the instructions below:

 

PURPOSES OF THE PROCESSING   

Precisely provides a contract automation platform to manage the complete contract lifecycle, allowing Users to, inter alia, i) author contracts and set up automated contract templates to be shared and used by your entire organization ii) collaborate with internal and external parties in relation to contracts, and to review, edit and comment on contracts iii) sign contracts electronically iv) upload and store contracts in a digital archive, and v) analyze and monitor contracts.

Personal Data relates to Users, your contract counterparties and/or advisers, and is processed in order to a) set up User accounts, b) manage, simplify and streamline your contract process, c)  maintain your relationship with us, d) manage your subscription to the Platform and/or other services provided to you by us, e) provide customer support, f) ensure that your Users have proper instructions on how to use the Platform and to g) improve the platform.

 

TYPES OF PERSONAL DATA            

Name, work place, email address, phone number (if provided), activity on contracts and IP address are processed by default in order to set up User accounts and allow usage of the Platform.

As to contracts stored in the Platform, Personal Data included therein (and thereby processed by us) may vary depending on which type of document you upload. For example, name, email address and other information about your counterparties.

Please inform us about the types of Personal Data that you intend to upload to the platform, especially if you intend to enter any special categories of Personal Data, or Personal Data relating to criminal offences, as defined in Article 9 or 10 GDPR.

 

CATEGORIES OF DATA SUBJECTS 

Your employees, who have User accounts, will per default be affected by the processing activities. Depending on the document your contracts you upload to the Platform, other categories might be: other employees advisors and consultants, your counterparties and their representatives that are mentioned in relation to your contracts, and other persons you mention in your contracts, which are processed through the Platform.

 

DURATION OF THE PROCESSING.   

Personal Data that we process on your behalf will be processed until deleted through the Platform, or as per your instructions.

 

 

Sub-Appendix B – Sub-processors 

Essential sub-processors

Sub-processors that the Controller is not able to opt out of.

ServiceCompany NameType of processingMeans of the transferLocation
Amazon S3 Amazon Web Services EMEA SARL, Luxemburg, 352 2789 0057, 38 Avenue John F. Kennedy, L-1855, LuxembourgFile storage provider, storing uploaded documents that may include personal information.SCCDublin, Ireland
Google GCPGoogle Ireland Limited, , registered number: 368047, Gordon House, Barrow Street, Dublin 4, IrelandServer/database provider. File storage for uploaded documents that may include personal information. Also stores all information provided to the service. Names, email addresses, and, if provided to us, telephone numbers and other personal information.SCCFrankfurt, Germany

 

Non-essential sub-processors

Sub-processors that the Controller can opt out of if requested.

ServiceCompany NameType of ProcessingMeans of the transferLocation
Dropbox Sign (former Hellosign) EsignJN Projects, Inc. dba HelloSign, 333 Brannan St, San Francisco, CA, 94107-1810 United StatesElectronic PDF signature provider. Stores email addresses, names, and other personal information supplied in the signed documentSCCSan Fransisco, United States
Azure OpenAI (default)Microsoft Central and Eastern Europe Headquarters, Konrad-Zuse-Str.1, 85716 Unterschleißheim, GermanyHosting of LLM Provider. Processing of documents uploaded to the platform in order to provide assist the users with metadata tagging and contract summary.EUFrance
OpenAI (alternative option)OpenAI L.L.C., 3180 18th Street, San Francisco, CA 94110LLM Provider. Processing of documents uploaded to the platform in order to provide assist the users with metadata tagging and contract summary.SCCSan Francisco, United States

 

Sub-Appendix C –  Technical and Organizational Measures (“ToMS”)

Our technical and organizational measures can be provided upon request. Please send your request to legal@precisely.se.

 

Last Updated: October 17, 2023.