Data Processing Agreement

This addendum describes how we handle the data you entrust us.

Last updated: January 26, 2019

This Data Processing Agreement (“DPA”) exists to satisfy the requirements of the European Data Protection Regulation (“GDPR”). It is an addendum to and is to be considered an indivisible part of our SummitFold Terms of service and Privacy Policy (in combined form known as the “Agreement”) as found on our website.

It is an agreement between Nordic FreeFold ApS (“Nordic FreeFold” or “The Company”) and the Customer. All capitalized terms are defined as set forth in the main Agreement. Customers enter into this DPA on behalf of themselves and the organizations they represent.

1. Purpose and duration

1.1 SummitFold exists to facilitate easier web-based planning of conferences and events. All data-processing takes place to further this goal. SummitFold defines some core data concepts about users and conferences as defined in the Privacy Policy. On top of these core concepts The Customer may customize the information requested and/or required of The Participants.

1.2 The Company processes data for the duration of the contracts with Customers, and any additional archival time periods as agreed upon with Customers, or as required by law or regulations.

1.3 The Agreement will have effect either a) from the time both The Customer and The Company have signed a contract, or b) from the time The Customer pays any part of an invoice sent by The Company to cover any products or services provided by The Company to The Customer. It will expire at the end of the contractual subscription or three months after the end of an event or conference unless otherwise agreed upon between the parties.

1.4 Material breach of the obligations set forth in this agreement will constitute material breach of the full Agreement as set forth in the main terms of service.

1.5 The Customer shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. Obligations

2.1 Both The Company and The Customer promise to adhere to The Agreement, and relevant Data Protection Laws. Each party will faithfully within reason help the other party comply with these laws and regulations.

2.2 The Customer will provide The Company with the types of Personal Information that they will collect from Participants through their use of SummitFold.

2.3 The Customer will document the legal basis according to EU Data Protection Law for the Personal Information they wish to store in SummitFold.

2.4 The Company acts as data controller and processor respectively as defined in the Privacy Policy. The Customer is mindful of his obligations in relation to Data Protection Laws in the cases where he acts as data controller.

2.5 The Company promises to maintain appropriate and reasonable security measures to safeguard Customer and Participant Personal Information.

2.6 The Customer promises to only use Participant Personal Information in good faith for the purposes reported to The Company as defined in item 2.2.

2.7 The Company promises to maintain the confidentiality of the Personal Information it learns in the course of the technical management and maintenance of the system. It further promises to make sure any and all employees of The Company are aware of the obligations outlined in the combined Agreement, and receive instructions on security and data protection.

2.8 In the unlikely event of a data breach, The Company will notify affected Customers and Participants without undue delay, and in any case within the time limits defined by the relevant Data Protection Laws. The Company shall attempt to assist affected Customers and Participants as thoroughly as reasonably possible.

2.9 In the event that a Participant or Customer asks The Company to delete information, we will process the request to do so – taking special note of additional data subject protections offered for data considered by user consent. The Participant acknowledges that special GDPR provisions exist for the protection and preservation of information related to scientific research. For data marked for deletion based on a Participant request, The Participant acknowledges that based on The Company’s rolling backup procedure, there will be a time period from the removal of information from our production systems, to the last rolling backup has completely expired.

3. Data sub-processors

3.1 The Customer accepts that The Company may contract with sub-processors to handle Customer and Participant Personal Information.

3.2 The Company enters into agreements with sub-processors based on valid DPAs that protect Customer and Participant Personal Information. Sub-processors currently in use are listed on The Company’s website.

3.3 The Company shall provide Customers with reasonable opportunity to give input or object to the appointment of new sub-processors. Customers shall have 7 calendar days after receiving notice by email, Company blog post or similar method of communication of planned changes to the sub-processor list, to object in writing to new sub-processors on reasonable grounds relating to data privacy or security. The Company will strive to reply to any such objections within 30 days of receipt of said complaint. The Company may choose to appoint the new sub-processor in spite of Customer complaints, which will allow The Customer to give regular notice in accordance with their contractual terms that they wish to cease the use of SummitFold.

4. Liability

4.1 The Customer shall always hold The Company to be without liability, and confer full indemnity for any and all losses, costs, expenses, legal fees, and claims either a) incurred by The Customer due to the use of SummitFold or any of The Company’s other Products or Services, or b) incurred by The Company as a result of The Customer’s breach of obligations as outlined in this combined Agreement and/or supplementary contracts or agreements oral or written. This indemnity extends to loss of goodwill and loss of business or sales opportunities.

5. Final considerations

5.1 In the event of disagreements between the main terms of service and this DPA, this DPA will supercede the main terms for the specific diverging terms.

5.2 We will update this DPA as needed. For material changes we will take appropriate measure to contact you, consistent with the severity of the planned changes. We will obtain your consent to specific material changes as required by law. Any changes to the DPA will apply to all current and past Customers and Participants.