Terms and conditions

Last updated: 14 December 2023

Teamtailor AB, 556936-6668 (“Teamtailor”, “us”, “our” or “we”) welcomes the company registering for use (“you”) of Aboard HR, our web-based HR platform (“Services”), available through www.aboardhr.com. These terms and conditions (“Terms”), including its referred appendices, (together all referred to as “Agreement”)  govern the use of the Services, unless you and Teamtailor enter into a separate agreement in writing. Any terms and conditions of any other document issued by you in connection with this Agreement which are in addition to, inconsistent with or different from the terms and conditions of this Agreement are of no force or effect, unless set out in the order form (“Order Form”). 


In the event of any conflict or ambiguity between any terms and conditions in these Terms or any of its appendices, these Terms shall prevail, unless relating to the processing of personal data, when the data processing agreement shall prevail.


By creating a company account (“Company Account”), you agree to be bound by this Agreement, which constitutes a legally binding agreement between you and Teamtailor. You warrant that you have the legal authority to enter into this Agreement on behalf of the company you are creating an account for.


Please read this Agreement carefully, before starting to use the Services.  



Use of the Services and User Content 


Our Services are intended to be used by employers and their legal representatives, employees and consultants (“Users”), for managing HR related matters, such as onboarding, offboarding, absence tracking, employee meetings and other HR related administrative tasks (all together referred to as the Services). 


Users may not use the Services for any illegal purpose, or in any way that violates this Agreement. You are responsible for all activities, actions, omissions and content provided by any Users when using the Services. 

When using the Services, please ensure that all Users respect the rights of others, including any intellectual property, privacy or other rights of third parties who may have an interest in or right in connection with the content being uploaded.

We expect Users not to: 

  • publish, post or - in any other way express - any material or information that is inappropriate, defamatory, infringing, obscene, pornographic, racist, terrorist, politically slanted, indecent or unlawful;

  • copy, reproduce, alter, modify, create derivative works, publicly display, republish, upload, post, transmit, resell or distribute the Services, any part thereof or any material or information that you receive, or are granted access to, from us,

  • monitor the Services’ availability, performance or functionality for any competitive purpose or purpose beyond the intended purpose of the Services. For example,you agree not to access the Services for the purpose of developing or operating a competitive product or service or copying the Services’ features or user interface, or

  • violate the restrictions on the Services, work around, bypass or circumvent any of the technical limitations of the Services, use any tool to enable features or functionalities that are otherwise disabled in the Services, or decompile, disassemble or otherwise reverse engineer the Services.



User Accounts


Users may access the Services by creating a User-specific account (“User Account”) by filling in the required information upon sign up. You, as the company registering for the Services as well as any User, are responsible for providing us with complete and accurate information when creating a User Account or Company Account. We have the right to restrict access to the Services if we identify that you or any User provide us with inaccurate, incomplete or untrue information.


You are responsible for ensuring that the information provided to us is up to date and you need to follow standard security procedures for keeping your password information safe and secure. 



Fees and Payment


You will be offered to try our Services during an initial trial period, as detailed on our website (“Trial Period”) free of charge. When you sign up via an Order Form, the Service is provided on an annual basis for an amount as outlined in the Order Form (“Subscription Fee”).


Invoices will be sent yearly in advance to the details as referred to in the Order Form, and in accordance with the payment details as provided in the Order Form. 


In addition to invoicing, we offer credit card payments.


For credit card payments, it's important to provide accurate and valid credit card information. Please note that these payments are processed through a third-party payment provider and are subject to their respective terms and conditions.


Each party is responsible for the fees and other charges their bank or other electronic transfer system may add to the payment of the Subscription Fee.

The Subscription Fee in the Order Form do not include Value Added Tax (VAT) or any other applicable taxes. The Customer is responsible for making payments without withholding or deducting any taxes, unless required by mandatory law. If such withholding or deduction is required, the Customer must pay Teamtailor an additional amount to ensure that Teamtailor received the full payment it would have received without any withholding or deduction. 


Regardless of the payment method you choose, we require payments to be made within the specified timeframe.

Please note that overdue credit card payments as well as overdue invoice payments may both incur these late payment charges and interest, any late payment interest shall be based on the National Bank of Sweden’s reference rate with an addition of eight (8) percentage points. 


We reserve the right to change the Fees at any time if you increase in number of Users, and/or in connection with a Renewal Period. If we change the Fees we will provide you with prior notice in accordance with the section Changes to the Service relating to material changes. 


If the Customer does not agree with the adjustment, either party may choose not to renew the Agreement.



Customer Service


We offer customer support services during normal business hours, and are happy to help you and Users if you have any questions or complaints relating to our Service. Contact us here: https://help.aboardhr.com/en/



Personal data & data privacy 


We take your and your Users’ privacy and security seriously, and are committed to protect your personal data in accordance with applicable laws and regulations. 

When you sign up for and use the Services, we collect and use a limited amount of personal data about you and about your Users as so-called data controllers under the GDPR, meaning that we decide the purposes and means of the processing.


Our Privacy Notice contains information about the different purposes for which we use this personal data, the personal data that is collected for each purpose, what rights the affected individuals have in relation to our use of their personal data, etc. 


By entering into this Agreement you agree to inform your representatives of the fact that this processing of their personal data will take place, and to refer each User to our Privacy Notice before their respective use of the Services begins. 


All other processing of Customer Personal Data (as defined in Appendix 1 of the data processing agreement (“DPA”)) will be performed as described in the DPA, which forms an integral part of this Agreement.



Intellectual Property


All copyrights, trademarks, trade names, logos and other intellectual property rights held and used by us, as part of the Services (including graphics, icons, scrips, source codes etc), are our property or our third party licensors’ property. It may not be reproduced, distributed, sold, used, modified, copied, limited or used (in whole or in part) without our consent, other than to the extent that is necessary for you to be able to use the Services as described in this Agreement. 

The Services and other information, including associated intellectual property rights, provided and made available by us, remain our exclusive property. You or your Users may not use the property for commercial purposes or any other purpose without our prior written consent. 

For any content added by you or your Users to the Service, you warrant that you own or have the right to use  such property.



Licence

 

We hereby grant you a non-exclusive right and licence to use the Service for the sole purpose of us providing you the Services. Upon expiry or termination of these Terms, all rights and licences will end.



Service Levels 


We will use all commercially reasonable efforts to provide you the Services continuously. However, we cannot guarantee that the Services will be free from interruptions, delays or errors caused by our systems or other third party service providers, general internet disruptions or force majeure events. 

From time to time, we may perform maintenance and upgrades to the Services, which may result in interruptions, delays or errors in the Services. We will use commercially reasonable efforts to notify you in advance of any planned maintenance, but we cannot guarantee that such notifications will always be provided. We will also try to ensure that such maintenance is scheduled outside of normal business hours. We recommend you to subscribe to https://status.aboardhr.com/ for any service level updates.



Disclaimer and warranties


​​Except as expressly provided for in these Terms, the Services and all related components and information are provided on an "as is" and "as available" basis without any warranties of any kind, and we expressly disclaim any and all warranties, whether express or implied, including the implied warranties of merchantability, title, fitness for a particular purpose and non-infringement. You acknowledge that we do not warrant the Services will be uninterrupted, timely, secure or error-free.



Limitation of liability


In no event will we, our subsidiaries, affiliates or any respective officers, employees, directors, agents or partners be liable for:


  • Loss of contracts; 

  • Loss of goodwill or reputation; 

  • Loss of profit, loss of revenue or loss of anticipated business or earnings; or 

  • Any other indirect, consequential or special losses, damages or liabilities, arising out of or in connection with your or Users use of our Services, or obligation under these Terms. 


Our total liability to you for all other losses arising under or in connection with these Terms, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, will be limited to the total sums paid by you for the Services during the period of 12 months preceding the claim. We have no liability if you use the Services during a trial period or otherwise free of charge.


Nothing in these Terms will limit our liability resulting from our fraud or fraudulent misrepresentation, gross negligence, wilful misconduct, for death or personal injury resulting from our negligence or to the extent such limitations or exclusions are not permitted by applicable law.



Indemnification 


You agree to defend, indemnify, and hold us and our respective directors, agents, affiliates and representatives harmless from and against any claim (including all third-party claims), and expense (including without limitation reasonable attorneys’ fees) arising out of or relating to: (a) any actual or alleged breach by you of any provision of this Agreement, (b) your or Users wrongful or improper use of the Services, (c) your or Users violation of any third party right, including without limitation any right of privacy, publicity rights or intellectual property rights, (d) third party indemnity obligations we incur as a direct or indirect result of your acts or omissions, (e) your or Users’ violation of any applicable law, rule or regulation of your specific jurisdiction, and (f) errors made by you or Users in providing information or instructions to us, whether through your Account or any other means of communication.



Confidentiality 


We understand the importance of confidentiality in business matters. 


As used in this Agreement, “Confidential Information” means any information that is proprietary or confidential to the disclosing party or that the disclosing party needs to keep confidential, e.g under an obligation towards a third party. Confidential Information may be of a technical, business or other nature. However, Confidential Information does not include any information that: (i) was known to the receiving party before receiving the same from the disclosing party in connection with this Agreement; (ii) is independently developed by the receiving party; (iii) is acquired by the receiving party from another source without restriction as to use or disclosure; or (iv) is or becomes part of the public domain through no fault or action of the receiving party. 


Any Confidential Information that you provide to us  or that we provide to you, including but not limited to trade secrets, proprietary information will be treated as confidential. The recipient will not disclose, share or otherwise make available Confidential Information to any third party, without the express written consent of the disclosing party, except for when required by law. You hereby consent to our disclosure of your Confidential Information to the sub processors used in the provision of the Services, as described in the DPA.  Both parties shall take all reasonable measures to protect the confidential information from unauthorised access or disclosure.  

The confidentiality undertaking as described above will remain in force three (3) years after the termination of the Agreement.



Third Party Services 


Our Services may be integrated with other third-party technologies and services (“Third-Party Services”). In case you integrate towards such Third-Party Services, as available from time to time, you expressly instruct us to share data with and give access to such third-party. You are responsible  for any access or use of the Third-Party Services and any use of such Third-Party Service is subject to the terms and conditions between you and such third party. 

We are not responsible or liable to you or any third party service provider with respect to the functionality or availability of any Third-Party Service or any data obtained through the use of any Third-Party Services. We make no representation or warranty with respect to any integration with a Third-Party Service or any data obtained through a Third-Part Service. 



Modifications to these Terms or the Service


Changes to the Service 


We have the right to change, add or discontinue any feature related to the Services at any time. For changes that, in our reasonable opinion,  may affect you negatively, or changes that we otherwise consider material, we will give you notice of the change, with the change taking effect fourteen (14) calendar days after the notice (“Change Date”) 

For all other changes, the change will be made without providing you with prior notice and will be effective immediately. 


Changes to the Agreement


We reserve the right to modify these Terms at any time, without notice. Your continued use of the Services after such changes will constitute your acceptance of the modified Terms. 


For any material changes to Agreement, we will provide you with fourteen (14) days prior notice by providing information about the changes on the Terms Update Page. Similar to changes to the Service, the Change Date will be taking effect fourteen (14) days after the notice.


For all other changes, the change will be made without providing you with prior notice and will be effective immediately.


Objections to changes to the Agreement or Service


You can object to the material change by sending an email to legal@teamtailor.com, stating that you object, and the reason(s) for objecting. Teamtailor will assess whether we can reasonably satisfy the objection, for example by taking any steps that you request. If we aren’t able to solve the issue, the change will take effect, and either Party can, for a period of fourteen (14) calendar days after the Change Date, terminate the Agreement without any cost, penalty or liability. 


Term and termination 


This Agreement shall be effective as of the date when you enter into this Agreement for a Trial Period and/or when you sign an Order Form governed by these terms and conditions. 


This Agreement shall be valid as long as you are using the Services for trial or for the period as detailed in the Order Form (“Initial Contract Period”). The Agreement will be automatically renewed for successive periods of twelve (12) months each, known as “Renewal Period”, unless either party notifies the other party in writing of their intention not to renew the Agreement.


Each party has the right to choose not to renew the Agreement by providing written notice to the other party no less than one (1) month prior to the expiration of the current contract period. If neither party terminates the Agreement, it will continue to be valid for the upcoming Renewal Period. 

If you terminate this Agreement prior to the end of the subscription term, you will not be entitled to any refund of any fees paid.


We reserve the right to immediately terminate these Terms or limit access to the Services if you or any User:


  • breach or otherwise violate any provision of these Terms; 

  • use the Service in violation of applicable laws; 

  • do not pay in accordance with the Fees and Payment section;

If any of the above scenarios occur, we may contact you and request that you remedy your breach of this Agreement before terminating or limiting the Services.


Termination under this section shall be made in writing, to you by sending an email to the contact details provided when creating a Company Account.


Upon termination, your and Users' right to access the Services will be revoked. Regarding returning or erasure of Customer Personal Data, see more details in the DPA.



Force Majeure 


We are not responsible for delays and defects outside our control. If we or our suppliers are delayed by an event outside our control,  we will contact you as soon as possible to let you know and we will take steps to minimise the effect of the delay. Provided that we do this we will not be liable for defects and delays caused by the event.



Governing Law


These Terms will be governed by and construed in accordance with the laws of Sweden, without giving effect to any choice of law or conflict of law provisions. Any dispute, controversy or claim arising out of or in connection with these Terms shall be settled by public courts in Sweden.



Assignment 


You may not assign, transfer or delegate any rights or obligations under this Agreement without our written consent.

 


Entire Agreement 


This Agreement constitutes the entire agreement between the parties, and supersedes all prior or contemporaneous agreements, understandings, negotiations and discussions, whether oral or written, relating to the subject matter of this Agreement. Any modifications or amendments to this Agreement must be in writing. 



Data Processing Agreement 


About and summary


This DPA is part of and subject to the terms of the Agreement. It describes what responsibilities you and Teamtailor have when it comes to processing of Customer Personal Data under the Agreement. In sum, it states that:


  • We can only use Customer Personal Data to provide the Service to you, as described in the Agreement.

  • You are responsible for your own compliance with Applicable Data Protection Law when using the Service, and Teamtailor for complying with the parts of Applicable Data Protection Law that apply to a processor / service provider. 

  • We will help you comply with many aspects of Applicable Data Protection Law. You have assessed how Teamtailor will be doing this, and are satisfied with the measures Teamtailor will take. 

  • Specific processes will be used if either party thinks that different aspects of the processing should be updated or changed. 



Definitions


These definitions are used: 


Applicable Data Protection Law means any law about protecting information about physical persons, which applies to a party’s processing of Customer Personal Data under the Agreement. This can for example include: EU Regulation 2016/679 (GDPR); the UK General Data Protection Regulation (UK GDPR); the UK Data Protection Act of 2018; and/or the California Consumer Privacy Act (CCPA). 

Customer Personal Data means data that is (i) subject to Applicable Data Protection Law; (ii) added to the Service by or on behalf of you under the Agreement; and (iii) which Teamtailor is only allowed to process on your behalf. Appendix 1 contains a more detailed description of Customer Personal Data and how it will be processed under the Agreement.  


Data Subject Requests means requests from individuals whom Customer Personal Data refers to, to exercise their rights under Applicable Data Protection Law. 

EU SCCs means the sets of standard contractual clauses published by the EU Commission on June 4, 2021. 


Subprocessor means any processor that Teamtailor uses to process Customer Personal Data.  


Supervisory Authority means a public authority that investigates and enforces compliance with an Applicable Data Protection Law.

Third Country Transfer means (i) where the GDPR applies, a transfer of Customer Personal Data to a country, territory or international organization outside of the EU/EEA that is not subject to an adequacy decision by the European Commission; (iii) where the UK GDPR applies, a transfer of Customer Personal Data from the UK to a country, territory or international organization that is not the subject of adequacy regulations under section 17A of the UK Data Protection Act of 2018.

TOMS means the technical and organizational measures that we maintain to make sure that Customer Personal Data is secure when processed in the Service. The TOMS are described in Appendix 2. 


UK Transfer Addendum means the International Data Transfer Addendum to the EU SCC, published by the UK Information Commissioner’s Office on March 21, 2022.

Other terms have the meaning given to them in Applicable Data Protection Law. For example, the terms controller, processor, processing, data subject, and personal data breach have the meaning given to them in the GDPR. The terms sell, share, and service provider have the meaning given to them in the CCPA. 



Your responsibilities


You decide and control which type of Customer Personal Data is processed in the Service, which features and functionalities will be used, for which purposes and for how long. For this reason, you are the sole controller of the Customer Personal Data. As the sole controller, you are responsible for:


  • Making all contractual arrangements necessary for you to be able to act as the sole controller, for example with other entities in your company group. 

  • Ensuring that there is a legal basis for all processing of the Customer Personal Data. 

  • Ensuring that the data subjects get all information they are entitled to under Applicable Data Protection Law, for example through appropriate privacy notices. 

  • Ensuring that the processing of Customer Personal Data otherwise fulfills the requirements in Applicable Data Protection Law.  

  • Providing us with documented instructions on how to process the Customer Personal Data. You have done so by way of this DPA, and the rest of the Agreement. 


You can change or update your instructions to us on how to process Customer Personal Data. You do so by sending an email to legal@teamtailor.com, stating what change you want to make to the instructions and why, at least thirty (30) calendar days ahead of the Change Date. We will assess whether we can reasonably fulfill the new instruction and let you know whether that’s the case. If we are not able to solve the issue by the Change Date, the change will not take effect and either Party can, for a period of fourteen (14) calendar days after the Change Date, terminate the Agreement without any cost, penalty or liability. 



Our responsibilities 

We will act as your processor / service provider, and will not process, sell, retain, use, or disclose any Customer Personal Data for any other purpose than providing the Service in accordance with the Agreement. The parties acknowledge and agree that our access to Customer Personal Data is not part of the payment exchanged by the Parties under the Agreement.

In processing the Customer Personal Data, we will comply with your instructions, as described in this DPA and in the rest of the Agreement.


Security and confidentiality


You have assessed the risks involved with the processing of the Customer Personal Data in the Service, and concluded that the TOMS ensure a level of security that is appropriate to the risks involved. 

We will make sure that all our employees (and similar representatives) who have access to Customer Personal Data need to keep it confidential. 



Personal data breaches


We will notify you about any personal data breach affecting Customer Personal Data. The notice will be sent without undue delay, and at least within 48 hours of Teamtailor becoming aware of the personal data breach. The notice will be sent to the email address that you have provided for your “Privacy Manager” in the Service. 


If this information is available to us when sending the notice, the notice will include a description of: 

  • The nature of the breach, i.e. what has happened to the Customer Personal Data. 

  • What parts/type of Customer Personal Data is affected by the breach. 

  • Which categories of data subjects, and approximate number of data subjects, are affected by  the breach. 

  • Our assessment of the likely consequences of the breach. 

  • The measures that we have already taken and, if applicable, still plan to take to investigate and address the breach.


If we don’t have all of this information when first notifying you, we will execute the notification in phases - as relevant information becomes available. 

If you decide to notify a personal data breach affecting Customer Personal Data to  a Supervisory Authority, to the data subjects or the public, you will make reasonable efforts to provide us with advance copies of the notice(s), and give us an opportunity to provide any clarifications or corrections to them.



Subprocessors

We use subprocessors when providing the Service. A continuously up to date overview of the subprocessors we use, the function they perform in the Service, etc. is available in our List of Subprocessors for Aboard. 


You are aware of and instruct us to use the current subprocessors. You generally authorize us to use subprocessors when providing the Service, provided that we notify you before starting to use a new subprocessor or replacing an existing one, so that you can object to the change. 

We will notify you about a new / replaced subprocessor, and you can object to the change, using the process for material changes, as described in the Section “Changes to the Services” in the Terms. 


In case of extraordinary circumstances, for example a subprocessor’s bankruptcy or irreparable material breach of contract, we reserve the right to replace the relevant subprocessor with a shorter notice period than described above, or without any prior notice to you - but without undue delay. In that case, you can object to the use of the new subprocessor within fourteen (14) calendar days of receiving our notice, as described above. If we aren’t able to solve the issue within fourteen (14) calendar days of your objection, either Party can terminate the Agreement without any cost, penalty or liability. 


When engaging a subprocessor, we will make sure that the data protection obligations in this DPA are imposed on the subprocessor. If the subprocessor fails to fulfill these obligations, we will be liable towards you, in accordance with and subject to the limitations in this DPA.


Third Country Transfers


We are only allowed to make Third Country Transfers of Customer Personal Data when:

  • The Third Country Transfer is based on your written instruction and takes place in accordance with Applicable Data Protection Law, for example since the data exporter or the country in which it is based is subject to an adequacy decision, or by entering into the EU SCC or UK Transfer Addendum with the data importer; or when

  • We are obliged to do so by Union or Member State law, and have informed you of that legal requirement before the transfer starts, unless the relevant law prohibits us from doing so on important grounds of public interest.


Additional assistance 


Provided that we are able to do so, considering the information about and access to Customer Personal Data that we have in providing the Service, we will assist you in:


  • Providing information relevant for your data protection impact assessment and consultation with a Supervisory Authority.

  • Keeping a record of the processing activities that we do on your behalf.

  • Responding to Data Subject Requests. 

If we receive a Data Subject Request from the data subject him/herself, we will not act on it ourselves. Instead, we will encourage the data subject to contact you directly.


If you need our assistance with a Data Subject Request or any other process mentioned above, please contact our Customer Support and provide all information we need to understand the scope of the request, and assess what possibilities we have to assist in responding to it. 



Audits


We will allow you to audit our compliance with our obligations as your data processor / service provider under the Agreement. This will, as a first option, be done by providing the information and documentation that you reasonably ask for. If you think it’s necessary, we will also allow you (or another party assigned by you, provided that the other party is accepted by us and keeps the information it accesses confidential) to inspect our processing of the Customer Personal Data. 

You can request an audit once per year, for which each Party will cover its own costs. Additional audits (exceeding one per year) can also be requested, at your sole cost. 

Unless an audit is requested by a Supervisory Authority (in which case the circumstances will be adjusted to the Supervisory Authority’s request), you need to provide written notice thirty (30) days in advance of the audit. The audit will be conducted during our normal business hours. It will not involve physical access to the servers on which the Service is hosted; not involve disclosure of commercially sensitive parts of the agreements with our subprocessors; and must be performed so that it doesn’t compromise the security of our systems or premises.


All audits need to be performed in a way that complies with Applicable Data Protection law. We will immediately inform you if we believe that your instruction in connection with an audit doesn’t fulfill this requirement.  



Liability

To the extent permitted under Applicable Data Protection Law and other applicable laws, our liability towards you under this DPA is limited to what is described in the Section “Limitation of Liability” in the terms and conditions of the Agreement . 



Erasure and return of Customer Personal Data 


When the Agreement is terminated, you should - within thirty (30) days of the termination of the Agreement -  instruct us to return and/or destroy all Customer Personal Data from the Service. We will comply with this instruction as soon as reasonably practicable, and at least sixty (60) days after the termination of the Agreement. 


If you have not requested erasure or return of the Customer Personal Data within those thirty (30) days, we will delete all Customer Personal Data as soon as reasonably practicable, and at least sixty (60) days after the termination of the Agreement.



Appendix 1  - Description of the processing


What processing will happen, and for which purposes?


Our Services are intended to be used by employers and employees for managing HR-related matters. Depending on which features and functionalities your Users decide to use from time to time, more granular purposes of processing personal data (such as employee onboarding, offboarding, absence tracking, documenting meetings, and other HR-related administrative tasks) will be relevant for your use of the Service. 


We will also process the Customer Personal Data for purposes that are necessary to enable and support your use of the Service, such as logging, troubleshooting, investigating and managing incidents, and responding to your questions and requests. 



Who are the data subjects?


The Service is designed to process the personal data of Users, as defined in the Terms. However, you fully decide and control whose personal data is actually processed in the Service. 



What type of personal data will be processed?

The Service is designed to process personal data relevant for your management of your HR-related matters. This generally includes:

  • User account information - such as email address and password. 

  • Contact information - such as name, phone number, address, birthday, social security number, photo, employee ID, gender. 

  • Information about individuals’ emergency contacts 

  • Information related to individuals’ position in the organization - such as title, start- and end date, salary, manager, department and location. 

  • Financial information - such as individuals’ salary and benefits. 

  • Information related to individuals’ availability at work, health and family situation - such as planning and documentation of vacation, sick leave and parental leave. 

  • Information related to individuals’ performance and challenges at work - such as notes and evaluations created by the individual’s manager. 

  • Information created through interaction between employees - such as invitations to events, pictures and messages. 

However, you fully decide and control what personal data is actually processed in the Service. 


For how long will Customer Personal Data be processed?


In the Service, you can exempt certain Customer Personal Data from being processed for any other purpose than storage, using the archived mode. All our processing of Customer Personal Data will stop after the termination  of the Agreement, as described under “Erasure and return of Customer Personal Data” in the main text of this DPA. 


Where will Customer Personal Data be processed?


Customer Personal Data will be stored in the countries reflected in the List of Subprocessors for Aboard.



Appendix 2  - TOMS

The following document contains TOMs as implemented by the Supplier.


Measures to Ensure Confidentiality (Art. 32 para. 1 lit. b of the GDPR)


Physical access control

Personal Data is stored in physical data centers certified according to ISO 27001. Physical access to the data center facilities is strictly controlled and limited to selected staff at the hosting provider. Protection against environmental hazards such as heat, fire and water damage is in place. There is no unauthorized physical access to data centers.


Logical access control

There is no unauthorized access to data processing systems. Logical access controls are designed to manage access to information and system functionality based on authority levels and job functions (granting access on a need-to-know and least privilege basis). All users have unique IDs and passwords, MFA is used where possible, granted system access is reviewed regularly and access is revoked/changed when employment terminates or changes in job functions occur. The Supplier’s staff do not access or interact with customer data as part of normal operations. Access is restricted to selected staff. All endpoint devices use strong passwords, local firewalls, automatic time based locking and encrypted storage.

 

Separation of control

Personal Data is processed in dedicated systems that are not shared with other services, applications, or corporate entities. Production and test environments are separated and do not share any data. Within individual databases, data is segregated with logical access control. Personal Data is not used for purposes other than what it has been collected for.


Human resource security

All employees and contractors are bound by confidentiality, non-disclosure provisions and undergo continuous security awareness training. Onboarding, offboarding procedures are in place. Segregation of duties is applied where it is practically possible.



Measures to Ensure integrity (Art. 32 para. 1 lit. b of the GDPR)


Transfer control

All communication, over the internet and on internal networks, are encrypted with at least TLS version 1.2. Data stored in the Supplier application is encrypted at rest with at least file-system level encryption.


Change management

Change management procedures and tracking mechanisms are in place to test, approve and track all material changes to the Supplier’s platform. All changes are peer reviewed.


System monitoring

Application and infrastructure events are logged, monitored and automatically analysed to record and detect divergent user access and system activity. Logs are protected from loss and manipulation.



Measures to Ensure Availability and Resilience (Art. 32 para. 1 lit. b of the GDPR)


Resilience

The Supplier’s infrastructure and components are designed to withstand intermittent and as well as high constant loads. Vulnerability screening, patch management and anti-malware protection are implemented to prevent, identify and mitigate against identified security threats, viruses and other malicious code.



Measures to Quickly Restore the Availability of Personal Data after a Physical or Technical Incident (Art. 32 para. 1 lit. c of the GDPR)


Disaster recovery plan

Disaster recovery plans are designed to maintain service and/or recovery from foreseeable emergencies or disasters. Backups are stored off-site, immutable and encrypted. Restore tests are done at least every 6 month.


Incident management

Incident management procedures are in place to ensure a systematic approach to identify, mitigate, learn and report incidents related to our technology and information assets.



Procedures for periodical review, assessment, and evaluation (Art. 32 para. 1 lit. d of the GDPR; Art. 25 para. 1 of the GDPR)


The Supplier runs an information security program with dedicated staff responsible for the development, implementation and maintenance of the program. 


Information risk assessments are used to systematically evaluate threats and vulnerabilities in terms of the impact they could imply and the probability to occur. Such assessments are performed at least annually or at major business changes.