Date: May 15th, 2024
by and between
Vanderbilt International AB
Englundavägen 7
Box 1275
17124 Solna
Sweden
and
You, the End-User or Service Provider, subscribing to and/or using the acre Intrusion Connect Software Service
Subscription Agreement
§ 1 Scope of Application
- The following Subscription Agreement is valid for the acre Intrusion Connect Software Service and accompanying services provided by Vanderbilt International (SWE) AB (hereinafter referred to as “Vanderbilt”) to End-Users and/or Service-Providers.
- For the purposes of this Subscription Agreement
a. the “acre Intrusion Connect Software Service” shall mean the cloud-based solution designed for monitoring, managing and maintaining acre Intrusion Panels remotely; at present, the acre Intrusion Connect Software Service comprises a web-application (via internet-browser) as well as mobile apps for the android and the apple platform;
b. an “acre Intrusion Panel” shall comprise of at least one piece of acre Intrusion panel hardware manufactured or distributed by the Acre-Group of companies (see https://acresecurity.com/);
c. “End-Users” shall mean individuals or entities, who use the acre Intrusion Connect Software Service to monitor, manage and maintain an acre Intrusion Panel on their own behalf;
d. “Service-Providers” shall mean individuals or entities, who use the acre Intrusion Connect Software Service to monitor, manage and maintain acre Intrusion Panels on behalf of End-Users or in assisting End-Users in doing so; and
e. “Customers” shall mean either End-Users or Service-Providers respectively.
- This Subscription Agreement shall overrule any offer, order, acknowledgement or other similar document or agreement which contain deviating terms and conditions or refers to other terms and conditions than this Subscription Agreement, including the Customer’s general terms and conditions.
§ 2 Scope of Services
- Vanderbilt shall provide the acre Intrusion Connect Software Service according to Vanderbilt’s service specifications, unless otherwise agreed. Notwithstanding the foregoing, Vanderbilt may continuously develop the acre Intrusion Connect Software Service, without being obliged to do so. This shall be done, among other things, to take into account technical progress, to improve the security, functionality and operability of the acre Intrusion Connect Software Service or to ensure compliance with applicable law ("Continuous Innovation"). Such changes shall be permissible without the consent of the Customer if the subject and performance of the acre Intrusion Connect Software Service are at least maintained, and the interests of the Customer are not unreasonably impaired. Vanderbilt shall regularly inform about the Continuous Innovation, e.g. by e-mail, by release notes or within the acre Intrusion Connect Software Service itself.
- According to applicable service specifications, the system availability of the acre Intrusion Connect Software Service includes regularly scheduled maintenance periods during which there is no obligation to perform.
- The place of performance and transfer of risk for the acre Intrusion Connect Software Service is at the transfer point of the Internet connection of the respective server used by Vanderbilt to provide the acre Intrusion Connect Software Service.
§ 3 Right of Use
- The End-User and/or the End-User’s employees, if any, shall be granted a non-exclusive right to use the acre Intrusion Connect Software Service to monitor, manage and maintain an acre Intrusion Panel on his own behalf, provided he and/or his employees as well as the respective acre Intrusion Panel are registered in the acre Intrusion Connect Software Service.
- The Service-Provider and/or the Service-Provider’s employees, if any, shall be granted a non-exclusive right to use the acre Intrusion Connect Software Service to monitor, manage and maintain acre Intrusion Panels on behalf of third parties or to assist third parties in doing so, provided he and/or his employees as well as the respective acre Intrusion Panels and third parties are registered in the acre Intrusion Connect Software Service. For the avoidance of doubt, the Service-Provider may or may not charge these third parties for his services.
- With respect to the acre Intrusion Connect Software Service mobile apps the right to use shall include downloading, installing and running these apps for the purposes mentioned in paragraphs 1. and 2. above.
- The right to use the acre Intrusion Connect Software Service is not transferable and does not entitle the End-User or Service-Provider to grant rights thereto to third parties.
- Use of the acre Intrusion Connect Software Service for purposes other than the ones described above is prohibited. In particular, the Customer must not copy, use, distribute or otherwise make available any and all content of the acre Intrusion Connect Software Service, including but not limited to software, pictures, graphs, texts and/or trademarks.
§ 4 Remuneration
- For End-Users the acre Intrusion Connect Software Service shall be free of charge, unless otherwise agreed upon.
- For Service-Providers the acre Intrusion Connect Software Service shall be charged according to the applicable subscription plan or other price agreed upon.
- Recurring subscription fees shall be payable in advance during the first two weeks of each subscription period.
- All prices are exclusive of VAT, other taxes and/or official duties, which shall be paid in addition to the prices, if applicable.
- If the Customer is in default with payment of due remuneration, Vanderbilt shall be entitled to interest from the day on which payment was due. The rate of interest shall be 8 percentage points above the rate of the main refinancing facility of the European Central Bank in force on the due date of payment. In case of late payment Vanderbilt may, after having notified the Customer, suspend its performance of the contract until receipt of payment or terminate the contract and claim compensation for the loss Vanderbilt has incurred.
- The Customer may not, based on a claim that it has against Vanderbilt, retain all or a portion of the amount due, nor offset any of that payment, without Vanderbilt’s prior approval.
§ 5 Data Protection and Data Processing
The provisions of the Agreement on processing of data on behalf contained in Addendum A shall be an integral part of this Agreement and shall apply to the processing of personal data.
§ 6 Obligations of the Customer
- The Customer undertakes to use the acre Intrusion Connect Software Service for legal purposes or services only. In doing so, he shall observe the laws of Sweden as well as the laws of those countries, in which the Customer is located, as well as the laws of those countries, in which the respective acre Intrusion Panel(s) and/or serviced third parties are located.
- The Customer shall indemnify Vanderbilt, its affiliated companies as well as its suppliers from claims asserted by third parties due to the infringement of rights, in particular copyrights, industrial property rights or personal data rights, insofar as the infringement was caused by the Customer or its employees.
§ 7 Warranty
- The Customer shall without undue delay notify Vanderbilt of any errors which appears in the acre Intrusion Connect Software Service. Such notice shall under no circumstance be given later than two (2) weeks after the occurrence of the error. If the Customer fails to notify Vanderbilt within the aforementioned time limit, the Customer loses its rights under the warranty.
- Vanderbilt shall handle any errors within reasonable time. Error handling within the meaning of this Agreement includes the delimitation of the cause of the error, the error diagnosis as well as the elimination of the error or the avoidance of its effects impairing the functionality of the acre Intrusion Connect Software Service. Error handling may, in particular, be provided in the form of patches, updates or upgrades, instructions on how to circumvent the error or, after consultation with the Customer, also by providing a more recent major version of the acre Intrusion Connect Software Service. Vanderbilt shall decide at its own discretion, on the basis of a professional assessment, on the type and scope of the error handling to be provided, whereby Vanderbilt shall take into account the Customer's interest in the functionality of the acre Intrusion Connect Software Service.
- The Customer shall immediately inform Vanderbilt of any claim asserting that Vanderbilt's acre Intrusion Connect Software Service infringe the copyrights or industrial and intellectual property rights of a third party. In such case and provided that Vanderbilt has had a reasonable opportunity to present its case, Vanderbilt shall in its sole discretion obtain for the customer the right to use the acre Intrusion Connect Software Service, modify the acre Intrusion Connect Software Service in such a way that the infringement is eliminated, replace the acre Intrusion Connect Software Service with another service of corresponding quality and efficiency or terminate the acre Intrusion Connect Software Service and refund its remuneration minus a reasonable deduction for the interim use.
- Customer claims for errors and defects in general become time-barred one year after occurrence of the error or defect. The one-year period of limitation shall not apply to liability for damage caused culpably to injury to life, body or health, or to the liability for other damage in the event of intentional breach of obligation, or in as much as Vanderbilt has maliciously failed to disclose the error or defect or given a guarantee for the quality of the object, or within the scope of a liability under product liability law.
§ 8 Limitation of Liability, Statute of Limitations
- Vanderbilt shall be liable without restriction for culpably caused damage caused by injury to life, body or health. Vanderbilt shall also be liable without restriction in the event of intentional breach of duty, and in as much as Vanderbilt maliciously failed to disclose the defect, and to the extent of the liability under the applicable product liability law. In as much as Vanderbilt has assumed a guarantee for the quality or durability of the acre Intrusion Connect Software Service, if any, Vanderbilt shall also be liable without restriction, but only to the extend covered by the guarantee.
- The following shall apply for other damage: Vanderbilt shall not be liable for any indirect and consequential damage, loss of profit, loss of production, interruption of operations, contractual claims of third parties, loss of use or financing expenditure. Vanderbilt’s overall liability for damage, liquidated damages/ penalties, claims for compensation and indemnities, regardless of the legal basis of the claims and with reference to all incidents of damage in the contract shall in no case exceed 25.000,- EUR (in words: twentyfivethousand euros) per occurrence and in the aggregate. In any event Vanderbilt’s overall liability under the contract (as set out in this clause) shall expire at the end of the applicable statute of limitations for the acre Intrusion Connect Software Service.
- The objection of contributory negligence (e.g. violation of the Customer's obligations) remains open.
- With regard to the liability for errors and defects in general, the period of limitations as provided for by § 7 item 4 of this Subscription Agreement shall apply.
§ 9 Confidentiality
- "Confidential Information" within the meaning of this Subscription Agreement shall be understood to mean all information which Vanderbilt or the Customer protect against unrestricted disclosure to third parties by means of appropriate measures, which is marked as such or which is to be regarded as confidential according to the circumstances of the disclosure or its content.
- The Parties undertake to protect all Confidential Information of the other party obtained prior to and in the course of the performance or execution of the contract for an unlimited period of time in the same way as they protect their own comparable Confidential Information by appropriate measures and to treat it confidentially. Disclosure by the receiving party to third parties shall only be permissible to the extent necessary for the exercise of the rights of the receiving party or for the performance of the contract, and such persons are subject to confidentiality obligations substantially comparable to those set forth herein. Duplicates of Confidential Information of the respective other party shall - as far as technically possible - contain all notices and annotations regarding its confidential or secret character which are contained in the original.
- The obligation to maintain confidentiality shall not apply to information which (a) has been independently developed by the receiving party, (b) has been lawfully provided to the receiving party by a third party without breach of this Agreement or any other agreement, (c) was known to the receiving party without restriction at the time of disclosure, or (d) was publicly available at the time of disclosure or subsequently becomes publicly available without breach of duty by the receiving party.
§ 10 Term, Termination
- Unless otherwise agreed, the contract shall run for twelve months from its commencement (contractual year), unless agreed otherwise. The contract shall be automatically extended by a further year in each case if it is not terminated by one of the contracting Parties at least three months before the end of the respective contractual year.
- Termination without notice for good cause shall remain unaffected.
- The Customer shall ensure that within three months after the expiration of the contract all content and data (including personal data) stored by him or his clients on Vanderbilt's servers have been downloaded by him and otherwise secured by him. Three months after expiration of the contract, Vanderbilt's obligation to store such content and data shall end and Vanderbilt may delete all content and data (including personal data). Prior to the deletion, however, Vanderbilt shall inform the Customer of the impending deletion in writing or text form with a notice period of two weeks or more.
§ 11 Anti-Bribery and Anti-Corruption
The Customer shall (i) comply with all applicable laws, regulations, codes and sanctions relating to anti-bribery and anti-corruption including but not limited to the UK Bribery Act and the US Foreign and Corrupt Practice Act ("Relevant Requirements"), (ii) have in place and maintain its own policies and procedures relating to anti-bribery and anti-corruption, (iii) promptly report to Vanderbilt any request or demand for any undue financial or other advantage of any kind received by Customer in connection with this contract, (iv) immediately notify Vanderbilt if a foreign public official becomes an officer or employee of the Customer or acquires a direct or indirect interest in the Customer (and the Customer warrants that it has no foreign public officials as officers, employees or direct or indirect owners) and (v) not engage in any activity, practice or conduct which would constitute an offence under the Relevant Requirements. The Customer shall provide such supporting evidence of compliance as Vanderbilt may reasonably request. Breach of this clause shall be deemed a material breach which entitles Vanderbilt to immediately terminate the contract and claim compensation for any loss Vanderbilt has incurred.
§ 12 Force Majeure
Vanderbilt shall be entitled to forthwith suspend performance of its obligations under the contract to the extent that such performance is impeded or made unreasonably onerous by any of the following circumstances: industrial disputes and any other circumstance beyond the control of Vanderbilt such as fire, war, extensive military mobilization, insurrection, requisition, seizure, embargo, restrictions in the use of power and defects or delays in deliveries by sub-contractors caused by any such circumstance referred to in this clause.
§ 13 Disputes and Applicable Law
- The contract is governed by Swedish law, without regard to its conflict of law provisions. The United Nations Convention on Contracts for the International Sale of Goods shall not apply.
- Any dispute, controversy or claim arising out of or in connection with the contract, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce. The arbitral tribunal shall be composed of three arbitrators. The seat of arbitration shall be Stockholm. The language to be used in the arbitral proceedings shall be English.
- The parties undertake, indefinitely, not to disclose the existence or contents of any judgment or decision related to or in connection with the contract or any information regarding negotiations, arbitral proceedings or mediation in connection therewith. This confidentiality undertaking shall not apply in relation to information which a party is required to disclose by law, pursuant to an order of a governmental authority, pursuant to applicable stock exchange rules, or which may be required for the enforcement of a judgment or an award. Notwithstanding the above, Vanderbilt shall be entitled to turn to the district court of Stockholm as first instance as regards claims for due payment.
Addendum A
Agreement on processing of data on behalf
for acre Intrusion Connect
between
You, the End-User or Service Provider, using the acre Intrusion Connect Software Service
- hereinafter "Controller “ –
and
Vanderbilt International AB
Englundavägen 7
Box 1275
17124 Solna
Sweden
- hereinafter “Processor” -.
Clause 1
Subject matter of the agreement
- The Processor will provide the acre Intrusion Connect Software Service, a cloud-based solution designed for monitoring, managing and maintaining acre Intrusion Panels remotely; at present, the acre Intrusion Connect Software Service comprises a web-application (via internet-browser) as well as mobile apps for the android and the apple platforms (hereinafter referred to as “acre Intrusion Connect Software Service”). In doing so, the Processor processes Personal Data exclusively on behalf of and according to the instructions of the Controller within the meaning of Art. 4 No. 8 and Art. 28 GDPR (processing on behalf).
- This Agreement govern the rights and obligations of the Parties in connection with the Processing of Personal Data and in this respect takes precedence over all other agreements of the parties. The attached Standard Contractual Clauses are an integral part of this Agreement. In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
- For the purposes of this Agreement, “End-Users” shall mean individuals or entities, who use the acre Intrusion Connect Software Service to monitor, manage and maintain an acre Intrusion Panel on their own behalf. “Service-Providers” shall mean individuals or entities, who use the acre Intrusion Connect Software Service to monitor, manage and maintain acre Intrusion Panels on behalf of End-Users or in assisting End-Users in doing so; and “Controller” shall mean either an End-User or Service-Provider respectively. The Controller and the Processor may be referred to as a "Party" or together as the "Parties" for the purposes of this Agreement.
- The Parties understand "GDPR" to mean Regulation (EU) 2016/679 - also known as the General Data Protection Regulation.
- This Agreement is based on the definitions according to Art. 4 GDPR, in particular with regard to the terms "Data Processing" or "Processing" (of data) according to Art. 4 No. 2 GDPR.
- By "Personal Data" within the meaning of this Agreement, the Parties understand those personal data which the Processor processes on behalf of the Controller, whereby it is irrelevant whether the Processor has received these from the Controller, from the data subjects or from third parties and whether the processing takes place within the scope of the Processor's performance obligations or in any other way, insofar as they originate from the sphere of the Controller.
Clause 2
Duration
- The Processor's services for the Controller shall result from the contract concluded separately between the Parties hereinafter the "Main Contract".
- The duration of the Processing shall correspond to the term of the Main Agreement. This Agreement shall remain valid beyond the end of the Main Contract for as long as the Processor holds Personal Data on behalf of the Controller.
- The Processor shall not acquire any rights to the Personal Data and shall be obligated to surrender the Personal Data in a form that can be read and further processed by the Controller at any time upon first request. The Processor's rights of retention with respect to the Personal Data and the associated data carriers are excluded.
- After three months after the expiration of the Main Contract or upon the Controller 's request the Processor shall delete all Personal Data and data carriers provided to it by or processed on behalf of the Controller. The Processor shall document the deletion of any Personal Data still in existence and provide such documentation on request of Controller. Prior to the deletion, however, the Processor shall inform the Controller of the impending deletion in writing or text form with a notice period of two weeks or more.
Clause 3
Miscellaneous
- Amendments and supplements to this Agreement must be made in writing or text form. This shall also apply to any waiver of this formal requirement.
- If individual provisions of this Agreement are or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions. The parties undertake to replace the invalid provision with a legally permissible provision that comes closest to the purpose of the invalid provision and best meets the requirements of Article 28 GDPR.
- This Agreement is governed by Swedish law, without regard to its conflict of law provisions.
- Any dispute, controversy or claim arising out of or in connection with the contract, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce. The arbitral tribunal shall be composed of three arbitrators. The seat of arbitration shall be Stockholm. The language to be used in the arbitral proceedings shall be English.
- The parties undertake, indefinitely, not to disclose the existence or contents of any judgment or decision related to or in connection with the contract or any information regarding negotiations, arbitral proceedings or mediation in connection therewith. This confidentiality undertaking shall not apply in relation to information which a party is required to disclose by law, pursuant to an order of a governmental authority, pursuant to applicable stock exchange rules, or which may be required for the enforcement of a judgment or an award.
***
Standard Contractual Clauses
SECTION I
Clause 1
Purpose and scope
- The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29 (3) and (4) Regulation (EU) 2018/1725.
- These Clauses apply to the processing of personal data as specified in Annex II.
- Annexes I to IV are an integral part of the Clauses.
- These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
- These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
Clause 2
Invariability of the Clauses
- The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
- This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.
Clause 3
Interpretation
- Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.
- These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.
- These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.
Clause 4
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 5
Docking clause
- Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.
- Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.
- The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 6
Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.
Clause 7
Obligations of the Parties
7.1. Instructions
- The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
- The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.
7.2. Purpose limitation
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.
7.3. Duration of the processing of personal data
Processing by the processor shall only take place for the duration specified in Annex II.
7.4. Security of processing
- The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
- The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.
7.6 Documentation and compliance
- The Parties shall be able to demonstrate compliance with these Clauses.
- The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
- The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
- The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
- The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
7.7. Use of sub processors
- The processor shall not subcontract any of its processing operations performed on behalf of the controller in accordance with these Clauses to a sub-processor, without the controller’s prior specific written authorisation. The processor shall submit the request for specific authorisation at least three months prior to the engagement of the sub processor in question, together with the information necessary to enable the controller to decide on the authorisation. The list of sub-processors authorised by the controller can be found in Annex IV. The Parties shall keep Annex IV up to date.
- Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
- At the controller’s request, the processor shall provide a copy of such a sub processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
- The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
- The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub processor contract and to instruct the sub-processor to erase or return the personal data.
7.8. International transfers
- Any transfer of data to a third country or an international organization by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
- The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.
Clause 8
Assistance to the controller
- The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
- The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions
- In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
1. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
2. the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
3. the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
4. the obligations in Article 32 Regulation (EU) 2016/679.
- The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.
Clause 9
Notification of personal data breach
In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 Regulation (EU) 2016/679 or under Articles 34 and 35 Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.
9.1 Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
- in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
- in obtaining the following information which, pursuant to Article 33(3) Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
1. the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
2. the likely consequences of the personal data breach;
3. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- in complying, pursuant to Article 34 Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2 Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:
- a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
- the details of a contact point where more information concerning the personal data breach can be obtained;
- its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
SECTION III – FINAL PROVISIONS
Clause 10
Non-compliance with the Clauses and termination
- Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
- The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
1. the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
2. the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
3. the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
- The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
- Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.
***
ANNEX I LIST OF PARTIES
Controller:
You, the End-User or Service Provider, subscribing to and/or using the acre Intrusion Connect Software Service
Processor:
Vanderbilt International AB
Englundavägen 7
Box 1275
17124 Solna
Sweden
ANNEX II: DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data is processed
Controllers or Controllers’ employees, End-users or End-users’ employees.
Categories of personal data processed
General Data:
- First and Last Name
- Other names
- Address
- Post Code
- Phone Number(s)
- Username
- Password
- Email-address(es)
- Language
- Security Question information
- Payment information, including credit card number and/or bank account details, if applicable
- Mobile Phone Identifiers (for Push Notification)
- Installation company information
- Access control information (User Image, card information, PIN, user rights)
- Alarm verification data, including audio and /or video footage (if alarm was triggered; no biometric detection; no continuous storage;)
- Security notifications of acre Intrusion-Panels
- Audit Information
Subscription Data:
- First and Last Name
- Address
- Post Code
- Phone Number(s)
- Username
- Password
- Email-address(es)
- Language
- Security Question information
- Payment information, including credit card number and/or bank account details, if applicable
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
None.
Description and nature of the processing
- Complete remote programming of acre Intrusion Panels
- “Always on” communication allowing for instant access
- Organization structure to support business workflow
- Definable roles and responsibilities for Service Providers support services
- Monitoring communications
- Maintenance reports
- Configuration file maintenance
- Automated back-up services
- Access remotely from any PC, phone or tablet
Purpose(s) for which the personal data is processed on behalf of the controller
Provision and use of the acre Intrusion Connect Software Service, a cloud-based solution designed for monitoring, managing and maintaining acre Intrusion Panels remotely provided by Vanderbilt.
Duration of the processing
For the term of the registration of the Controller
For processing by (sub-) processors, subject matter and nature of the processing
Processor:
Vanderbilt International AB processes General Data and Subscription Data according to Annex II to provide the acre Intrusion Connect Software Service.
Sub-processors:
1.
Vanderbilt International (IRL) Ltd.
Clonshaugh Business and Technology Park
Dublin D17 KV 84
Ireland
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
The sub processor technically runs and manages the Vanderbilt’s acre Intrusion-Services on the cloud services provided by sub processor no. 2. It processes General and Subscription Data according to Annex II.
2.
Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park, Leopardstown,
Dublin 18, D18 P521
Ireland
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
The sub processor provides hosts the cloud-services used by processor and sub processor no.1 to run and manage Vanderbilt’s acre Intrusion-Services. It processes General and Subscription Data according to Annex II.
3.
Grey Matter Ltd.
The Old Maltings
Prigg Meadow, Ashburton, Devon, TQ13 7DF
United Kingdom
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
The sub processor provides technical support to sub processor no. 1. It processes General and Subscription Data according to Annex II.
4.
Chargebee Inc.
340 S Lemon Avenue, #1537
Walnut, California 91789, USA
privacy@chargebee.com
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Subscription, account and billing management is provided by this sub processor. It processes Subscription Data according to Annex II.
5.
Ayden
PO Box 10095
1001 EB
Amsterdam
The Netherlands
Their Privacy Policy can be viewed at https://www.adyen.com/policies-and-disclaimer/applicant-privacy-notice
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Payment management is provided by this sub processor. It processes Payment Data according to Annex II.
6.
Stripe, Inc.
354 Oyster Point Boulevard
South San Francisco, California, 94080, USA
Attention: Stripe Legal
Stripe Payments Europe Limited
1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
Their Privacy Policy can be viewed at https://stripe.com/us/privacy
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Payment management is provided by this sub processor. It processes Payment Data according to Annex II.
ANNEX III TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Vanderbilt has implemented and will maintain for Controller Data in the acre Intrusion Connect Software Service the following security measures, which in conjunction with the security commitments in this Agreement (including the GDPR Terms), are Vanderbilt’s only responsibility with respect to the security of that data.
I. Organization of Information Security practices
Security Ownership. Vanderbilt has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures.
Security Roles and Responsibilities. Vanderbilt personnel with access to Controller Data are subject to confidentiality obligations.
Risk Management Program. Vanderbilt performed a risk assessment before processing the Controller Data or launching the acre Intrusion Connect Software Service.
Vanderbilt retains its security documents pursuant to its retention requirements after they are no longer in effect.
II. Asset Management practices
Asset Inventory. Vanderbilt maintains an inventory of all media on which Controller Data is stored, if any. Access to the inventories of such media is restricted to Vanderbilt personnel authorized in writing to have such access. Mostly if not exclusively though, Controller Data is stored at Vanderbilt’s sub-processor, who is hosting the acre Intrusion Connect Software Service (see details in Annex IV).
Asset Handling
- Vanderbilt classifies Controller Data to help identify it and to allow for access to it to be appropriately restricted.
- Vanderbilt imposes restrictions on printing Controller Data and has procedures for disposing of printed materials that contain such data.
- Vanderbilt personnel must obtain Vanderbilt authorization prior to storing Controller Data on portable devices, remotely accessing such data, or processing such data outside Vanderbilt’s facilities.
III. Human Resources Security practices
Security Training. Vanderbilt informs its personnel about relevant security procedures and their respective roles. Vanderbilt also informs its personnel of possible consequences of breaching the security rules and procedures.
IV. Physical and Environmental Security practices
Physical Access to Facilities. Vanderbilt limits access to facilities where information systems that process Controller Data is accessed or located to identified authorized individuals.
Physical Access to Components. Vanderbilt maintains records of the incoming and outgoing media containing Controller Data, if any, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of such data they contain.
Protection from Disruptions. Vanderbilt and/or its sub-processor(s) use a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.
Component Disposal. Vanderbilt and/or its sub-processor(s) use industry standard processes to delete Controller Data when it is no longer needed.
V. Communications and Operations Management practices
Operational Policy. Vanderbilt maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Controller Data.
Data Recovery Procedures
- On an ongoing basis, but in no case less frequently than once a week (unless no updates have occurred during that period), Vanderbilt and/or its sub-processor(s) maintain multiple copies of Controller Datafrom which such data can be recovered.
- Vanderbilt and/or its sub-processor(s) store copies of Controller Data and data recovery procedures in a different place from where the primary computer equipment processing the Controller Data are located.
- Vanderbilt and/or its sub-processor(s) have specific procedures in place governing access to copies of Controller Data.
- Vanderbilt and/or its sub-processor(s) review data recovery procedures at least every 12 months.
- Vanderbilt and/or its sub-processor(s) log data restoration efforts, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.
Malicious Software. Vanderbilt and/or its sub-processor(s) have anti-malware controls to help avoid malicious software gaining unauthorized access to Controller Data, including malicious software originating from public networks.
Data Beyond Boundaries
- Vanderbilt and/or its sub-processor(s) encrypt, or enable Controller to encrypt, Controller Data that is transmitted over public networks.
- Vanderbilt and/or its sub-processor(s) restrict access to Controller Data in media leaving its facilities.
Event Logging. Vanderbilt and/or its sub-processor(s) log, or enable Controller to log, access and use of information systems containing Controller Data, registering the access ID, time, authorization granted or denied, and relevant activity.
VI. Access Control practices
Access Policy. Vanderbilt and/or its sub-processor(s) maintain a record of security privileges of individuals having access to Controller Data.
Access Authorization
- Vanderbilt and/or its sub-processor(s) maintain and update a record of personnel authorized to access Vanderbilt and/or its sub-processor(s) systems that contain Controller Data.
- Vanderbilt and/or its sub-processor(s) deactivate authentication credentials that have not been used for a period of time not to exceed six months.
- Vanderbilt and/or its sub-processor(s) identifie those personnel who may grant, alter or cancel authorized access to data and resources.
- Vanderbilt and/or its sub-processor(s) ensure that where more than one individual has access to systems containing Controller Data, the individuals have separate identifiers/log-ins.
Least Privilege
- Technical support personnel are only permitted to have access to Controller Data and Professional Services Data when needed.
- Vanderbilt and/or its sub-processor(s) restrict access to Controller Data to only those individuals who require such access to perform their job function.
Integrity and Confidentiality
- Vanderbilt instructs Vanderbilt personnel to disable administrative sessions when leaving premises Vanderbilt controls or when computers are otherwise left unattended.
- Vanderbilt stores passwords in a way that makes them unintelligible while they are in force.
Authentication
- Vanderbilt and/or its sub-processor(s) use industry standard practices to identify and authenticate users who attempt to access information systems.
- Where authentication mechanisms are based on passwords, Vanderbilt requires that the passwords are renewed regularly.
- Where authentication mechanisms are based on passwords, Vanderbilt requires the password to be at least eight characters long.
- Vanderbilt ensures that de-activated or expired identifiers are not granted to other individuals.
- Vanderbilt and/or its sub-processor(s) monitor, or enable Controller to monitor, repeated attempts to gain access to the information system using an invalid password.
- Vanderbilt and/or its sub-processor(s) maintain industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
- Vanderbilt and/or its sub-processor(s) use industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
Network Design. Vanderbilt and/or its sub-processor(s) have controls to avoid individuals assuming access rights they have not been assigned to gain access to Controller Data they are not authorized to access.
VII. Information Security Incident Management practices
Incident Response Process
- Vanderbilt maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.
- For each security breach that is a Security Incident, notification by Vanderbilt (as described in the “Security Incident Notification” section above) will be made without undue delay and, in any event, within 72 hours.
- Vanderbilt tracks, or enables Controller to track, disclosures of Controller Data, including what data has been disclosed, to whom, and at what time.
Service Monitoring. Vanderbilt and/or its sub-processor(s) security personnel verify logs at least every 12 months to propose remediation efforts if necessary.
VIII. Business Continuity Management practices
- Vanderbilt maintains emergency and contingency plans for the facilities in which Vanderbilt information systems that process Controller Data are accessed or located.
- Vanderbilt’s and/or its sub-processor’s(s’) redundant storage and its procedures for recovering data are designed to attempt to reconstruct Controller Data in its original or last-replicated state from before the time it was lost or destroyed.
ANNEX IV: LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
1.
Vanderbilt International (IRL) Ltd.
Clonshaugh Business and Technology Park
Dublin D17 KV 84
Ireland
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
The sub processor technically runs and manages the Vanderbilt’s acre Intrusion-Services on the cloud services provided by sub processor no. 2. It processes General and Subscription Data according to Annex II.
2.
Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park, Leopardstown,
Dublin 18, D18 P521
Ireland
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
The sub processor provides hosts the cloud-services used by processor and sub processor no.1 to run and manage Vanderbilt’s acre Intrusion-Services. It processes General and Subscription Data according to Annex II.
3.
Grey Matter Ltd.
The Old Maltings
Prigg Meadow, Ashburton, Devon, TQ13 7DF
United Kingdom
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
The sub processor provides technical support to sub processor no. 1. It processes General and Subscription Data according to Annex II.
4.
Chargebee Inc.
340 S Lemon Avenue, #1537
Walnut, California 91789, USA
privacy@chargebee.com
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Subscription, account and billing management is provided by this sub processor. It processes Subscription Data according to Annex II.
ANNEX V: Third Countries
Apart from processing Personal Data in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area, the Customer consents to the processing of Personal Data by sub-processors in the following country/region:
United Kingdom, with respect to General and Subscription Data according to Annex II.
The adequate level of protection there is established (i) COMMISSION IMPLEMENTING DECISION of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom; and/or (ii) by standard data protection clauses (Art. 46 para. 2 litt. c and d GDPR).
United States of America (US) with respect to Subscription Data according to Annex II.
The adequate level of protection there is established by standard data protection clauses (Art. 46 para. 2 litt. c and d GDPR).