Central Business Register (CVR) no. 35633766
Enghavevej 40, 4th floor
DK-1674 Copenhagen V
(hereinafter referred to as “Penneo”)
(hereinafter referred to as the “Customer”)
The Standard Terms and Data Protection Agreement is drawn up in English and Danish. In case of discrepancies between the two versions, the Danish version shall prevail. Penneo and the Customer (individually referred to as a “party” and jointly as the “parties”) have entered into these standard terms and this data processing Agreement (hereinafter referred to as the “Agreement”).
1.1. This Agreement gives the Customer access to Penneo’s Platform(s) where the Customer can access the agreed services. With the Platform(s), the Customer has the possibility to process its own documents and/or data for signing/approval under the type of subscription chosen.
1.2. The Agreement applies to delivery of the Platform(s) and supplementary services from Penneo to the Customer, unless the Agreement has otherwise expressly been deviated from or modified through another written Agreement and it can be established with certainty that it was the intention to deviate from this Agreement.
1.3. The parties want to start collaboration where Penneo is to deliver the Platform(s) to the Customer. The purpose of the Agreement is to set out the terms of the delivery of the Platform(s) to the Customer.
2.1. The Platform(s) is offered to the Customer as a Software as a Service (“SaaS”) to the effect that the Customer, via the internet and either the web application, the desktop application or Penneo’s API can connect to Penneo’s server or a server with one of Penneo’s partners and get access to the Platform(s).
2.2. It is a precondition for the use of Penneo Sign that the Customer uploads the documents in a standard PDF format. The documents that are returned by Penneo after the signing process has been completed will be in the PAdES-PDF format. The returned files, which contain all signature proofs, are locked from editing and, at the time of return to the Customer and a third party, are activated for long-time storage (LTV).
3.1. The Agreement enters into force on the date when the Customer accepts Penneo’s order confirmation or otherwise accepts the Agreement (the “Commencement Date”).
3.2. A 12-month period of commitment will apply to access to the Platform(s) (subscription) from the Commencement Date.
3.3. Either Party may terminate the Agreement at written notice of three months, to the end of the subscription commitment period. If the Agreement is not terminated no later than three months before the expiry of the period of commitment, a new 12-month period of commitment is triggered.
3.4. Upon expiry of the document retention period (Data retention – depends on the subscription plan), Penneo undertakes to retain all the Customer’s data which Penneo is in possession of for another period of 90 days.
3.5. During the period stated in clause 3.4, the Customer has at all times access to extract its data or delete its data in whole or in part from its account with Penneo. The Customer’s data is handed over or extracted in the format used in Penneo’s or its sub-supplier’s system(s), and thus no processing/conversion of data is made unless otherwise expressly agreed between the Customer and Penneo.
3.6. Delivery of the Customer’s data in a processed or converted form can be specifically agreed against payment.
3.7. All the Customer’s documents are stored in Penneo’s Platform(s) under the document retention period of the selected subscription, unless the Agreement is terminated in the meantime. In such case, the provisions in clauses 3.4-3.6 apply. The Customer’s documents are only stored in addition to the document retention period if a special Agreement has been concluded between the Customer and Penneo about such storage.
4.1. The prices of the Customer’s use of the Platform(s) and any onboarding and other services from Penneo are specified in the most recent order confirmation or invoice sent by Penneo to the Customer and accepted by the Customer either through a signature on the order confirmation or payment of the invoice.
4.2. Any discounts in the order confirmation or the invoice only apply to the first-year subscription period unless otherwise specifically agreed.
4.3. Consultancy services may be agreed on specifically against payment and are paid at Penneo’s hourly rate applicable at the date of the Agreement on the consultancy service.
4.4. The prices are included in the applicable charges, except for VAT, at the time of commencement of the Agreement.
4.5. Consumption in addition to the maximum number of created active clients/employees/completed case files (depending on the subscription package and the Platform) is invoiced according to clause 4.12 of the Agreement. The Customer’s use of the Platform(s) must correspond to the subscriptions and additional services agreed in clause 4.1. Misuse of the Platform(s) is considered a material breach under clause 18.1.
4.6. A client/Customer relation is considered to have been established in the Penneo KYC Platform when a draft Customer Due Diligence/onboarding process of the said client/Customer relation has been created. Ongoing client/Customer relationships are hereinafter referred to as “active client/Customer relationships”, whereas expired client/Customer relationships are hereinafter referred to as “filed client/Customer relationships”. This is registered when the Customer specifically chooses in the application that the said client/Customer must be filed/closed.
4.7. If the number of active clients/employees/completed case files (depending on subscription package and Platform) exceeds the number of active client/Customer relationships in the licence fee, the licence payment is automatically upgraded to the effect that it matches the Customer’s need, see clauses 4.9-4.11.
4.8. Payment terms are net cash + 14 days from the invoice date at the payment place designated by Penneo. Payment must be made without fees or costs to Penneo. On payment after the due date, the Customer must pay interest at 0.65% per commenced month on the due balance from the latest timely payment date and until payment is made. The Customer cannot set off the remuneration for the service originating from specified claims from other legal matters.
4.9. An invoice is sent electronically to the email address or the EAN number which the Customer has informed Penneo of.
4.10. The Customer may always use the Platform(s) in addition to the number of clients/employees/completed case files contained in the subscription (depending on subscription package). This may take place either without any prior Agreement (“additional consumption”) or by an agreement extending the Platform(s) through payment of an additional Platform fee.
4.11. Payment of the additional Platform fee provides the Customer with an extension of the Platform(s) to connect a certain number of extra clients/employees/completed case files (depending on subscription package) in addition to the number of clients/employees/completed case files for the Platform(s) contained in the subscription. Invoicing of the Platform fee is made simultaneously with the purchase, irrespective of when during the subscription period the purchase is agreed. On conclusion of the Agreement, the price of such extension corresponds to the agreed price for a client/employee/completed case file plus 10% of the price specified in clause 4.1. Invoicing is made for a full period of subscription irrespective of when during the subscription period the Platform fee is purchased. On renewal, the purchased clients/employees/completed case files of the subscription are included in the subscription at the standard price without addition of 10%.
4.12. Additional consumption on the Platform(s) without prior Agreement is invoiced at the end of the subscription period at the price agreed for a client/employee/completed case file (depending on the subscription package) plus 25% of the price specified in clause 4.1. Invoicing is made for a full period of subscription irrespective of when during the subscription period the additional consumption has started. On renewal, the purchased clients/employees/completed case files of the subscription are included in the subscription without addition of 25%.
4.13. The above prices for extension of the Platform(s) – both the Platform fee and additional consumption – cover the total use of the system and supplementary services under the Customer’s subscription type.
4.14. Penneo adjusts all prices in accordance with the Danish net consumer price index published by Statistics Denmark. The prices of Penneo’s services are adjusted on renewal of the Agreement. The adjustment is calculated as the difference between the index from October to October each year. The adjustment has an effect on the Customer’s next period of commitment without further notice.
4.15. Penneo may give notice of other price adjustments at four months’ notice before the start of a new period of commitment.
5.1. Penneo ensures stable operations, but is not liable for disturbances caused by factors outside Penneo’s control. Disturbances outside Penneo’s control are, inter alia, but not limited to, disturbances with national electronic ID providers, certificate providers, internet providers etc. Penneo restores normal operations as soon as possible.
5.2. Penneo complies with accessibility to the Platform(s) during the term of the Agreement as stated below:
5.2.1. Uptime at 99.00%;
5.2.2. The uptime is measured and calculated per calendar month based on uptime 24/7. On calculation of the uptime, downtime is not included which has been lawfully notified under the Agreement or otherwise expressly accepted by the Customer.
5.2.3. The Customer can see the status of Penneo’s uptime at status.penneo.com.
6.1. All documents are stored in an encrypted form, and all communication to and from Penneo’s server(s) is encrypted, and firewalls etc. have been established to secure the data in the Platform(s). However, Penneo cannot make guarantees against hacker attacks that cause system breakdown and/or loss of data.
6.2. If a system failure – irrespective of the reason – entails losses or damage to the Customer’s data, after the failure/damage has been ascertained, Penneo will either at its own initiative or following contact from the Customer, start restoring the Customer’s data from the relevant backup location(s). For this period, the Customer’s data may be unavailable, but for a maximum of 24 hours.
7.1. To be able to provide the best possible service, it is necessary periodically to extend/replace technical equipment and to make software updates etc. Therefore, Penneo performs maintenance and updating of the Platform(s).
7.2. The Customer is notified of maintenance and/or updates via Penneo’s website and status page.
7.3. Penneo’s API is offered in different versions. When a new version is released, Penneo endeavours to ensure that the new version has no impact on previous versions. However, Penneo cannot guarantee that new versions of APIs do not require new development with the Customer. In cases where Penneo no longer supports an API version, Penneo must give at least six months’ notice before the said API version is deactivated.
7.4. In connection with maintenance, it may be necessary to interrupt access to the Platform(s). Such interruptions will mainly be scheduled in the period from 21:00 to 06:00 CET. If it becomes necessary to interrupt access to the Platform(s) outside the stated hours, prior notice will be given, unless technical or safety reasons necessitate changing the system at immediate notice.
8.1. If the Customer ascertains errors, failure or irregularities, the Customer may check if the matter has been registered at status.penneo.com.
8.2. If the matter has not already been registered, the Customer must contact Penneo without undue delay, see clause 8.3.
8.3. In case of an error report, the Customer must describe the error in writing by using Penneo’s online error reporting procedure to the effect that Penneo receives the required information to immediately localise the error.
9.1. Software updates are included in the subscription price. Penneo makes available a number of support options. Access thereto depends on the selected type of subscription. Particular support inquiries or individual system adaptations are invoiced separately. This applies to both telephone and written support.
10.1. Each party is liable for damages according to the general rules of Danish law with the limitations below, however to the effect that the limitations only apply if the loss cannot be attributed to gross negligence or intent on the part of the damage-inducing party.
10.2. Penneo disclaims liability for damages for any indirect loss or consequential loss, including, but not limited to, operating loss, lost profit, loss of the Customer’s data and goodwill with the Customer.
10.3. Except for product liability, see clause 10.4, the total compensation amount that the Customer can claim from Penneo under the Agreement is limited to the smallest amount of the following:
10.4. Penneo is liable for product liability according to the general compensation rules of Danish law. However, in each case, Penneo’s liability for damages is limited to the amount paid under Penneo’s product liability insurance applicable.
10.5. Penneo is obliged to maintain a customary and sound insurance level, including a minimum product liability insurance and general liability insurance to cover Penneo’s liability in accordance with the Agreement.
11.1. For the purpose of using the Penneo Sign Platform, the Customer opens an account with Penneo. The account contains the Customer’s contact information and user information. The Customer then uploads documents and other data on an ongoing basis, including personal data, to its Penneo account for the purpose of the signing of the Customer’s documents (hereinafter jointly referred to as the “Customer’s data”).
11.2. The third parties that are going to sign the Customer’s document via the Penneo Sign Platform (hereinafter referred to as the “third party”) are granted a specific account with Penneo as part of the signing process. The third party uploads its data, including personal data, to its account with Penneo by signing the Customer’s document(s) (hereinafter jointly referred to as “third-party data”).
11.3. The Customer and all third parties receive a copy of the signed documents, and the documents are stored and kept in the Penneo Sign Platform. Both the Customer and all third parties have, via their respective accounts with Penneo, independent access to the signed documents with Penneo.
11.4. For the purpose of using the Penneo KYC Platform, the Customer opens an account for its organisation. The Customer may have several users with access to this account. When the Customer is to onboard its clients, it creates a client relationship in the Penneo KYC Platform in which the Customer specifies which type of information should be obtained from the client. The information that the Customer specifies and obtains is termed third-party data.
11.5. When the Customer has chosen which type of information should be obtained, the client gets an email with a link to the Penneo KYC Platform in which the client can upload and/or fill in the specified data. When the information has been collected, it will be stored in the Customer’s organisation’s account under the specific client relationship.
11.6. Information about the client and the client relationship can also be imported to Penneo KYC from public data sources or from the Customer’s own internal systems if the Customer initiates this.
11.7. In the relationship between the Customer and Penneo, Penneo is the Data Processor, and the Customer is the Data Controller. Penneo and the Customer have entered into the data processing Agreement below with related appendices (hereinafter referred to as the “Data Processing Agreement”), which regulates Penneo’s processing of the Customer’s data that comprises personal data.
12.1. If Penneo cannot perform its services under this Agreement as a result of force majeure, Penneo cannot be held liable as a result of losses in that context, and the Customer cannot cancel the Agreement, but see clause 12.3.
12.2. Penneo must inform the Customer without undue delay if a force majeure situation arises. Force majeure is a matter on which Penneo has no influence, and which Penneo cannot circumvent within reasonable financial and practical measures. Force majeure may be war, mobilization, terrorist attack, failure/breakdown of public electricity supply, strike, fire, flooding etc.
12.3. If the accessibility of the Platform(s) is materially impossible as a result of force majeure, and this lasts for more than 30 days, each party may terminate the Agreement in writing with immediate effect, but in that connection cannot make any claim against Penneo.
13.1. The Customer has been made aware that the Platform is protected by copyright, and that the Customer only acquires a non-exclusive, conditional right of use to the Platform(s). The right of use is conditioned on the Customer’s payment and compliance with the Agreement, and the Customer has expressly been informed that the right of use is time-limited, so that it automatically lapses on expiry of the Agreement, irrespective of the reason. The right of use cannot be transferred.
13.2. The Customer is only entitled to use the Platform(s) for the use of the Customer’s own business.
13.3. The Customer accepts to respect the intellectual property rights. The Customer is liable for the Customer’s employees as well as external advisers’ compliance with the rights to the use of the Platform(s), and the Customer is obliged to ensure that the Customer’s employees and external advisers are expressly made aware that the Platform(s) are protected by copyright and may only be used in accordance with the terms of this Agreement.
14.1. During the term of the Agreement and after its expiry, the parties undertake, vis-a-vis third parties, to keep secret all information received from and about the other party of which a party becomes aware in connection with the Agreement and delivery of the Platform(s) to the Customer. The parties may only use such information in compliance with the Agreement and may not disclose the information unless disclosure is required under law, a court order or an order of a public authority. However, the above does not apply to information that is generally known or publicly accessible, and which is not subject to such restrictions under the law.
15.1. Penneo is entitled to use the Customer as a reference unless the Customer has objected expressly and in writing.
15.2. By its signature to the Agreement, the Customer gives Penneo the right to send service and informative notifications to the Customer via email. The emails may contain newsletters and other marketing and information about the Platform(s) and Penneo’s other products and services from time to time.
15.3. The Customer may always unsubscribe to news mails and other marketing.
15.4. Emails that contain operational information are mandatory as they may be of importance to the Customer’s use of the Platform(s).
15.5. The Parties may use emails to send reminders and other written messages in relation to the Agreement.
15.6. An email has been received once it has arrived in the recipient’s email system and, under normal circumstances, is available to the recipient. The fact that an email, due to problems in the recipient’s email system, is actually not available is thus at the recipient’s risk. It is the parties’ responsibility to give notification of changes to the above contact information.
16.1. In case of one of the parties’ material breach of the Agreement, the party not in breach may terminate the Agreement without further notice if the circumstance has not been remedied within 10 business days calculated from a written claim to the party in breach.
16.2. In the event of bankruptcy, restructuring, liquidation, compulsory dissolution, the entering into a compulsory arrangement with creditors etc., the other party is entitled to terminate the Agreement at immediate notice.
16.3. If the Customer does not pay for the Platform(s) in compliance with clause 4 of the Agreement, Penneo is entitled to deactivate access to the Platform(s) giving 20 days’ prior notice. The Customer’s access is not re-established until the amount due has been received by Penneo.
16.4. If Penneo terminates the Agreement due to the Customer’s breach, including non-payment, Penneo is entitled to keep the prepayment already paid. If the Customer terminates the Agreement due to Penneo’s breach, the termination is made for the future only, and the Customer may demand that the payment be repaid from and including the month in which the breach took place. Deletion of data on termination of the Agreement as a result of breaches takes place in compliance with the Data Processing Agreement.
17.1. The parties agree that the Agreement has been concluded under Danish law, and that any dispute between the parties must be determined according to Danish law.
17.2. Disputes must be sought to be settled amicably through negotiations between the parties. Where a dispute cannot be settled amicably, both parties are entitled to bring the matter before the City Court of Copenhagen as the court of first instance.
18.1. If a provision of the Agreement is declared illegal, invalid or without enforceability, the provision must notwithstanding be enforced to the largest extent possible according to applicable law, so that the parties’ initial intention is reflected. Such provision does not affect the legality and validity of other provisions.
18.2. Any provision of the Agreement which in its nature extends beyond the time when the Agreement expires in whole or in part, must still be valid and binding on the parties.
19.1. The Agreement and the attached Data Processing Agreement with related appendices are hereby confirmed by the two parties by using digital signature. Signers of the Agreement also declare that they are authorised to bind the company under the Parties’ respective powers to bind the company and their authority. The printable and readable proof of the signature will appear from the last page of the completed document, which is sent to all parties once all parties have signed the Agreement.
a. The Data Controller and the Data Processor have entered into an Agreement on Penneo’s standard terms for the delivery of digital services in the form of Penneo Sign and/or Penneo KYC.
b. Under the Agreement, the Data Processor must process personal data on behalf of the Data Controller in connection with the delivery of the Platform(s).
c. This Data Processing Agreement (hereinafter referred to as the “Data Processing Agreement”) lays down terms and conditions for the Data Processor’s processing of the personal data (as defined in the Legislation, see clause A.d.) which the Data Controller, under the Agreement, transfers to the Data Processor when using the Platform(s) (hereinafter referred to as the “personal data”). In the event of discrepancies between the Agreement and the Data Processing Agreement, the Data Processing Agreement prevails. Unless otherwise expressly stated in the Data Processing Agreement, the provisions of the Agreement apply.
d. The purpose of the Data Processing Agreement is to ensure compliance with the personal data legislation in force from time to time, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), which entered into force on 25 May 2018 (hereinafter jointly referred to as the “Legislation”).
e. There are three appendices to this Agreement. The appendices are an integral part of the Data Processing Agreement.
f. Appendix A of the Data Processing Agreement contains detailed information about the processing, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing based on which Platform is used.
g. Appendix B to the Data Processing Agreement contains the Data Controller’s conditions for the Data Processor’s use of sub-processors, and a list of any sub-processors that the Data Controller has approved, depending on which Platform is used.
h. Appendix C to the Data Processing Agreement contains further instructions as to which processing the Data Processor shall perform on behalf of the Data Controller, which security measures must be observed as a minimum and how the Data Processor and any sub-processors used are supervised, based on which Platform is used.
i. The Data Processing Agreement with attached appendices is stored in writing, including electronically, by both parties.
j. This Data Processing Agreement does not release the Data Processor or the Data Controller from obligations under the General Data Protection Regulation or any other legislation directly imposed on the Data Processor and/or the Data Controller.
a. The types of personal data and categories of data subjects that the Data Processor must process for the Data Controller as part of the performance of the Agreement and the Data Processing Agreement are specified in Appendix A.
b. It is only the Data Controller that decides which personal data will be processed by the Data Processor, and for which purposes this personal data may be processed. The Data Controller shall be responsible, among other things, for ensuring that the processing of personal data which the Data Processor is instructed to perform has a legal basis.
c. The Data Processor only processes the personal data according to documented instructions from the Data Controller. If, contrary to the Data Controller’s instructions, the Data Processor is obliged to perform processing of personal data under the Legislation to which the Data Processor is subject, the Data Processor must inform the Data Controller of this demand before processing, unless the said regulation prohibits such information on important grounds of public interest.
d. The Data Processor must process the personal data in compliance with applicable Legislation. The Data Controller must ensure that all personal data which the Data Controller transfers to the Data Processor is transferred via functions in the Platform(s) and is not sent via insecure email or in other ways contrary to the Legislation.
e. In case the Danish Data Protection Authority makes inquiries regarding the processing of the personal data, the Data Controller and the Data Processor must cooperate on the reply to questions, disclosure of information or performance of any requests.
a. The Data Processor must keep a list of all categories of processing made by the Data Processor on behalf of the Data Controller. The list, which is kept electronically, e.g. as log files, must contain:
i. name and contact information of the Data Processor, sub-processors (see Appendix B), the Data Controller and any Data Protection Officer,
ii. the categories of the processing that the Data Processor or the sub-processors perform for the Data Controller (Appendix A), and,
iii. a general description of technical and organisational security measures, see Appendix C.
b. The list must be in writing, including electronically. On request from the Data Controller or the Danish Data Protection Authority, the Data Processor must make available the list to the Data Controller and/or the Danish Data Protection Authority.
a. The Data Controller hereby gives general consent that the Data Processor may use processors (“sub-processors”) to perform the Data Processor’s services under the Agreement. It is the Data Processor’s responsibility that any sub-processors comply with their data protection obligations under the Legislation.
b. The full list of sub-processors used in the use of the Platform(s) and the specific type of data that is processed and in which way is attached to this Data Processing Agreement as Appendix B.
c. The Data Processor informs the Data Controller of any planned changes in the use of sub-processors, including addition or replacement of sub-processors and use of new sub-processors not listed in Appendix B. Such notification must be given to the Data Controller as soon as possible. The Data Controller has the option of objecting to such changes within 14 days of the notification.
d. If the Data Controller cannot accept changes included in Appendix B, the Data Controller may terminate the Data Processing Agreement at 14 days’ written notice. Notwithstanding the provision in clause 3.3 of the Agreement, the Agreement automatically ceases with the termination of the Data Processing Agreement. The provisions in clause 3 of the Agreement otherwise apply without changes. Payments made by the Customer are not refunded.
e. Any transfer of personal data to third countries or international organisations may only be made by the Data Processor on the basis of documented instructions from the Data Controller, and must always be made in compliance with chapter V of the General Data Protection Regulation. The current permitted sub-processors can be seen in Appendix B.
f. The Data Processor ensures that the necessary measures which regulate the transfer of personal data to unsafe third countries exist, including the implementation of the European Commission’s Standard Contractual Clauses in force from time to time, or a sub-processor Agreement with implemented Binding Corporate Rules.
g. If a sub-processor is established in a third country outside the EU/EEA, it rests with the Data Processor to ensure that the personal data is kept inside the EU/EEA and is not transferred to the said third country unless transfer is necessary to comply with applicable legislation applying to the Data Processor or its sub-processors, or as a result of requirements from a competent public authority that are binding on the Data Processor or its sub-processors. The Data Processor will always make an effort to object to such demands or requests if it will entail that transfer of personal data kept in the Platform(s) to unsafe third countries takes place. The Data Processor must give the Data Controller reasonable notice if such demands are made to the Data Processor or its sub-processors, and must strive to give the Data Controller the possibility to object or use relevant remedies unless the Data Processor or its sub-processors are prevented from this under applicable legislation.
h. The Data Processor makes a qualified effort to ensure that personal data is not transferred to third countries by the Data Controller’s use of the Data Processor’s Platform, whether or not such transfer would be made for technical or commercial reasons.
i. When the Data Processor has obtained the Data Controller’s approval to use a sub-processor, the Data Processor must impose on the sub-processor the same data protection obligations as those determined in this Data Processing Agreement, through an Agreement or other legal document under EU law or the national law of the member states, whereby in particular the required guarantees are made that the sub-processor will implement appropriate technical and organisational measures in such a way that the processing complies with the requirements of the General Data Protection Regulation.
j. Thus, the Data Processor is responsible – via the entering into a sub-processing Agreement – for imposing on any sub-processor at least the obligations to which the Data Processor is subject according to the data protection rules.
a. The personal data is retained until deleted by the Data Controller, or until the Customer relationship ceases, after which the Data Processor will delete the data within 90 days after the Data Controller requests the Data Processor to delete the information, unless national or EU regulations impose on the Data Processor a longer retention period.
b. On cessation of the Data Processing Agreement, irrespective of the reason, the provisions in clauses 3.4 to 3.6. apply.
c. On cessation of the Data processing Agreement, the Data Processor must delete all existing personal data in the Platform(s) unless EU law or national law prescribes retention of the personal data.
d. The Customer’s documents and data are kept in the Platform(s) until either the Customer itself deletes it or requests Penneo to delete. Storage of the Customer’s documents is included in the subscription price for the Platform(s) for five years.
e. After the expiry of the data retention period of five years, Penneo is entitled to request payment of the Customer’s storage of documents etc. in the Platform(s). On conclusion of the Agreement, the price for data retention is EUR 1.00 per client per year/EUR 1.00 per employee per year/EUR 1.00 per started, completed 100 case files.
a. The Data Processor must take the required technical and organisational security measures against the personal data being accidentally or unlawfully destroyed, lost or impaired, and against it becoming known to third parties, being abused or otherwise being processed contrary to the Legislation.
a. The Data Processor must establish and implement procedures for the handling of personal data breaches, see the General Data Protection Regulation, article 4(12) and article 33(2).
b. The Data Processor must, without undue delay after having become aware thereof, inform the Data Controller in writing of a personal data breach, including information on who has processed the Data Controller’s information and when, so that the Data Controller has the option to have the breach investigated by the police.
c. In the event of a personal data breach, the Data Processor must, without undue delay, but no later than 36 hours after the Data Processor has become aware of the personal data breach, inform the Data Controller thereof in writing to the effect that the Data Controller has the option to comply with its potential obligation to report the breach to the supervisory authority within 72 hours and as a minimum state the following:
i. a description of the nature of the personal data breach, including – where possible – the categories and the approximate number of affected data subjects, and the categories and the approximate number of affected registrations of personal data
ii. a description of the likely consequences of the personal data breach
iii. a description of the measures that the Data Processor has taken or proposes to take to handle the personal data breach, including measures to mitigate potential adverse effects
iv. name and contact information of the Data Protection Officer, if such has been appointed by the Data Processor, or other contact point where further information can be obtained.
d. If and to the extent that it is not possible to provide the information at once, the information may be given in steps without further undue delay.
e. The Data Processor’s notifications to the Data Controller about a personal data breach under clause G do not entail that the Data Processor has accepted being in breach of the Agreement or being liable for damages to the Data Controller for the said personal data breach.
a. The Data Processor must, taking into consideration the nature of the processing and the personal data which is processed by the Data Processor, assist the Data Controller with ensuring compliance with the legislative provisions on the right of the data subject as regards personal data. The Data Processor must also, by means of appropriate technical and organisational measures, assist the Data Controller with the handling of inquiries from a data subject, including, but not limited to, request for access, rectification, blocking or erasure of personal data. To the extent that the Data Controller can itself handle inquiries from a data subject via functions in the Platform(s), the Data Controller must use these.
b. The Penneo Sign Platform is designed so that a data subject always has access to the documents that they have signed, if they have saved these documents in their archives. Thus, a data subject can always exercise a number of their rights under GDPR Chapter III without assistance from the Data Processor or the Data Controller. The contents of this clause H.b are included in the Agreement to reduce the administrative burden for the Data Controller and the Data Processor when communicating with the data subject, given that many of the ways of exercising the GDPR Chapter III rights already exist in the Penneo Sign Platform.
c. Further, taking into account the nature of the processing and the personal data that is processed by the Data Processor, the Data Processor must assist the Data Controller in complying with other obligations resting with the Data Controller under the legislation where this is assumed or necessary for the Data Controller to be able to comply with its obligations. As part thereof, the Data Processor must assist the Data Controller in securing compliance with, inter alia, the obligations under articles 32-36 of the GDPR.
a. At the request of the Data Controller, the Data Processor must give the Data Controller such information as is necessary for that party to ensure that the Data Processor and its sub-processors comply with the requirements set out in the Data Processing Agreement, including that they have taken the required technical and organisational security measures and that the measures are complied with.
b. At the Data Controller’s written request, the Data Processor must obtain documentation that security measures have been implemented with the Data Processor.
c. The Data Controller may, through an auditor or other trusted party that has been approved by the Data Controller and the Data Processor, control (within usual business hours) that the Data Processor complies with its obligations.
d. Once a year, the Data Processor gives the Data Controller access to the ISAE 3000 audit opinion. The opinion will be provided upon request after the end of each calendar year, so that the opinion is available to the Data Controller no later than 31 March.
e. The Data Controller is also entitled, at its own expense, to have an independent third party approved by both the Data Processor and the Data Controller, make an annual audit of the Data Processor’s processing of personal data. This annual audit must be made within usual business hours and may not disturb the daily workflow with the Data Processor.
f. The Data Processor is obliged to give authorities that, under the legislation applicable from time to time, have access to the facilities of the Data Controller and the Data Processor, or representatives acting on behalf of such an authority, access to the Data Processor’s physical facilities, subject to prior signing of a non-disclosure Agreement.
a. It is the responsibility of the Data Controller to ensure that the required basis under the legislation for processing of personal data exists, and in the processing of the personal data, the Data Controller must comply with and meet the Legislation.
b. The Data Controller must comply with the security measures applicable from time to time that the Data Processor may inform the Data Controller of regarding access to and use of the Platform(s).
c. The Data Controller must indemnify the Data Processor for the institution of legal proceedings, claims, costs (including reasonable expenses for lawyer assistance), losses, liability, expenses or damage as a result of the Data Controller’s non-compliance with the legislation or the security measures stated by the Data Processor concerning access to or use of the Platform, or other misuse of this Data Processing Agreement.
a. The Data Processor is only entitled to request payment for services delivered by the Data Processor to the Data Controller under this Data Processing Agreement if it has been agreed between the parties in advance.
a. Each party may always, at reasonable prior written and justified notice, request that the Data Processing Agreement is changed if the change is necessary to comply with the Legislation in force from time to time.
b. The Data Processing Agreement may also always be adjusted by giving written notice of 30 calendar days if the Data Controller wants to adjust the types of personal data or categories of data subjects specified in appendix A.
c. If a material change or adjustment of the Data Processing Agreement is made under clause L.a. or L.b. to the detriment of the Data Processor, the Data Processor may terminate the Data Processing Agreement at three months’ notice to the end of a month, notwithstanding clause 3.3. of the Agreement. Payments made by the Customer are not refunded.
a. If the Data Processor receives notification from the Data Controller or the Data Processor becomes aware of non-compliance with requests according to the legislation or the Data Controller’s instructions for processing personal data, the Data Processor must without undue delay remedy the non-compliance.
b. The provisions of clause 18 of the Agreement apply in the event of a party’s breach of the Data Processing Agreement.
c. Neither party is liable for financial or non-financial claims, including, but not limited to, fines, claims for damages from third parties, etc., which are directed against the other party, in addition to the limitations of clause 10.2-10.3 of the Agreement.
a. The Data Processor ensures that its employees who are given access to information from the Data Controller have signed a non-disclosure Agreement to the effect that they have a duty of non-disclosure to third parties as regards their access to the Data Controller’s data. The duty of non-disclosure applies both during employment and after cessation of employment.
b. The Data Processor must ensure that sub-processors, employees and others assisting the Data Processor in connection with the performance of the Agreement and the data processing Agreement are subject to obligations that correspond to the obligations therein.
Types of personal data and documents
A.1 The processing includes the following types of personal data about the data subjects:
May include all types of personal data so that the Platform(s) can function under clause 2 of the Agreement. This personal data may include all types of personal data that can be processed by the Data Controller under the parties’ Agreement on the Data Processor’s delivery of the Platform(s), to the Data Controller. This information may include, but is not limited to:
a. For Penneo KYC:
b. For Penneo Sign:
A.2 The purpose of the Data Processor’s processing of personal data on behalf of the data controller is: that the Data Controller can use the Platform(s) owned and administered by the Data Processor.
a. The purpose of the processing in the Penneo KYC Platform is to collect, process, store etc. information about the Data Controller’s clients and thus to perform the Agreement between the Data Controller and the Data Processor.
b. The purpose of the processing in the Penneo Sign Platform is to make available a digital signature service to the Data Controller, and thus to perform the Agreement between the Data Controller and the Data Processor.
A.3 The Data Processor’s processing of personal data on behalf of the Data Controller is primarily about (the nature of the processing):
that the Data Processor makes available the standard SaaS software system, the application, to the Data Controller and thus retains personal data about the Data Controller’s clients on the Data Processor’s servers:
A.4 The processing includes the following categories of data subjects:
Persons that are or have been clients with the Data Controller.
Persons that may be considered third parties, see clause 11 of the Agreement, and the Data Controller’s employees who sign documents by means of the Platform(s).
A.5 The Data Processor’s processing of personal data on behalf of the Data Controller can be commenced once the Agreement has entered into force. The processing is of the following duration:
The processing is not time-limited and lasts until the main Agreement is terminated or cancelled by one of the parties.
B.1 Conditions for the Data Processor’s use of any sub-processors
The Data Processor has the Data Controller’s general approval to use sub-processors. On commencement of the Data Processing Agreement, the Data Controller has specifically approved the use of the above sub-processors for the processing described next to the party. The Data Processor cannot – without the Data Controller’s specific and written approval – use the individual sub-processor for “other” processing than agreed or let another sub-processor perform the described processing.
B.2 Notification of planned changes of sub-processors
The Data Processor must inform the Data Controller of any planned changes concerning addition or replacement of other sub-processors and thus give the Data Controller a possibility of objecting to such changes. If the Data Controller has any objections against the changes, the Data Controller must inform the Data Processor within 14 days after receipt of the notification. The Data Controller may only object if the Data Controller has reasonable, concrete reasons to do so.
B.3 Approved sub-processors
On commencement of the Data Processing Agreement, the Data Controller has approved the use of the following sub-processors. See the list of approved sub-processors here: https://penneo.com/subprocessors/.
C.1 The subject of the processing/instructions
The Data Processor’s processing of personal data on behalf of the Data Controller takes place by the Data Processor’s performance of the following:
C.2 Security of processing
The security level must reflect the fact that the Data Processor processes a large quantity of personal data covered by the General Data Protection Regulation, for which reason a “high” security level must be established.
Accordingly, the Data Processor is entitled and obliged to make decisions on which technical and organisational security measures should be used to create the necessary (and agreed) security level as regards the information.
The technical and organisational security measures must ensure the confidentiality, integrity and availability of the Data Controller’s data and compliance with the principles of the General Data Protection Regulation.
In any event, and as a minimum, the Data Processor ensures that the following security measures have been implemented:
The Data Processor has ensured that personal data which is processed in the Data Processor’s standard SaaS software system, is encrypted to the extent possible, so that it can only be accessed by use of the Data Controller’s passwords which are unknown to the Data Processor. Contact information is further processed in an unencrypted way to the extent necessary for the Data Processor to get in contact with persons. Names, relations to companies and other persons and information about persons’ use of parts of the SaaS software system are stored in a way in which both the Data Controller and the Data Processor may access them. All personal data is transmitted in encrypted form from the Data Processor’s systems to the end user. The Data Processor ensures that personal data that is processed in the Data Processor’s standard SaaS software system, to the extent possible is encrypted both “in transit” and “at rest”.
The Data Processor has implemented an official security policy that has been approved by the management and is updated at least once a year. The Data Processor has established a risk management procedure, and a risk assessment of the Data Controller’s central internal and external risks is made at least once a year. The Data Processor has implemented a procedure for annual security training for all employees.
Access rights and confidentiality
The Data Processor ensures that the employees’ access rights follow the principles of “least privilege” and “need to know”. The Data Processor ensures that access rights to the production environment of the Platforms are evaluated at least once a year. The employees who have access to the production environment, and who can thereby gain incidental access to the Data Controller’s personal data, are subject to non-disclosure Agreements. The Data Processor ensures that the employees’ access to the production environment requires multi-factor authentication and that all users in the production environment have unique user accounts through which all administrator access is logged.
The Data Processor ensures that Customer data processed in the Platforms is only stored in data centres within the EU. A formal change management procedure has been implemented by the Data Processor, and this procedure is reviewed at least once a year. The Data Processor ensures that logically separated environments are used for development, test and production and that change procedures include roll-back strategies. In addition, the Data Processor has implemented network segmentation.
The Data Processor ensures that backup copies of the Data Controller’s Customer data are stored so that lost data can be restored to the extent possible. All personal data is, however, only stored in accordance with the Data Processor’s retention and erasure procedure as prescribed in the Data Processing Agreement and clause C.3. The Data Controller’s data, including personal data, is however encrypted and protected by passwords, and if an employee of the Data Controller loses their passwords, this can entail loss of data.
Handling of suppliers
The Data Processor ensures that there is a formal supplier policy and procedure, and that sub-processors processing the Data Controller’s Customer/client personal data are supervised at least once a year.
Handling of vulnerabilities
The Data Processor ensures that a penetration test of the Data Processor’s security is performed at least once a year, and that it is performed by an independent third party.
Contingency plan and restoration of data
The Data Processor ensures that there is a formal Business Continuity and Disaster Recovery Plan, which is evaluated at least once a year. The Data Processor ensures that this Business Continuity and Disaster Recovery Plan is also tested at least once a year.
C.3 Retention period/deletion routines
The personal data is stored with the Data Processor until the Data Controller requests to have the information deleted or returned. On termination of the Agreement relationship, information that is kept in the Platform(s) in the form of PDF documents will be deleted within 90 days unless otherwise agreed with the Data Controller.
In the use of Penneo Sign, the Data Controller’s data is stored in a number of separate physical locations. Signed documents are versioned so that changes can be rolled back. Deletion of signed documents, including versions, can only be made by at least two persons jointly, as third-party signers have their own signed documents stored in their private archives.
C.4 Location of processing
Processing of the personal data included in the Agreement is made i.a. at the following locations:
C.5 Instructions or approval concerning transfer of personal data to third countries
The Data Controller has given general consent that the Data Processor and its sub-processors may transfer personal data to third countries to the extent that the European Commission has determined that the said third country, area of a third country, sector in a third country or international organisation located in a third country is secure, and thus has a level of protection that materially corresponds to the protection level applicable in the EU. This also means that the Data Controller has approved that the Data Processor or its sub-processors may transfer personal data to organisations in third countries that are subject to the EU’s Standard Contractual Clauses (SCC).
If in this section or by subsequent written notification, the Data Controller has not given instructions or approval concerning the transfer of personal data to a third country, the Data Processor may not make such transfer within the framework of the Data Processing Agreement.
C.6 Further procedures for the Data Controller’s supervision of the processing being made with the Data Processor
The Data Controller may, once a year through an auditor or other trusted party that has been approved by the Data Controller and the Data Processor, control (within usual business hours) that the Data Processor complies with its obligations.
In addition to this potential annual inspection, supervision can be made of the Data Processor when in the Data Controller’s reasonable assessment a need for this arises.
Any costs of the Data Controller in connection with a physical inspection are paid by the Data Controller. However, the Data Processor is obliged to allocate the resources (mainly time) required in order that the Data Controller may carry out its supervision.
C.7 Further procedures for the Data Controller’s supervision of the processing being made with any sub-processors
The Data Processor or any representative of the Data Processor may once a year carry out physical inspection concerning the compliance with this Data Processing Agreement with the sub-processor.
In addition to this annual inspection, supervision can be made of the sub-processor when in the Data Processor’s (or the Data Controller’s) reasonable assessment a need for this arises. Documentation of the inspections made is sent for information to the Data Controller as soon as possible.
The Data Controller may – if it is found necessary – choose to initiate and participate in a physical inspection with the sub-processor. However, this may only become an issue if the Data Controller documents that the Data Processor’s supervision of the sub-processor has not provided sufficient security for the Data Controller that the processing with the Data Processor is made in compliance with this Data Processing Agreement.
Any costs of the Data Processor and the sub-processor in connection with the performance of a physical supervision/inspection with the sub-processor shall not be charged to the Data Controller.
Version 5 – Updated July 15th, 2022