HeadQ Terms of Service

Last updated: March 21, 2024

Visit regularly the webpage headq.io for any updates to these terms and conditions.

1. Applicability

1.1 These terms of use are applied for sale, use and provision of any software, content or information MVP Digital Oy (“HeadQ”) offers through the internet or as a mobile application (“service”) to a customer who concludes an agreement with HeadQ for the use of the service. In these terms, “customer” can refer either to the company or legal entity concluding the agreement, or to any of its users who have a right to use the service based on the agreement concluded by the company or legal entity. The service is targeted to businesses or other legal entities or organizations, not to consumers. By using the service the customer concludes a user agreement with HeadQ that is governed by these terms and conditions and the HeadQ data processing agreement, which the customer undertakes to comply with. The details of the subscription term, plan, features and fees valid at any given time can be found from the service by logging into the user account.

1.2 These terms may be updated by HeadQ from time to time. Updated terms are published on this page and customers with an active subscription or account are informed of the changed terms and conditions by in-app notification or by email.

2. Service provider and contact details

MVP Digital Oy
Business ID: 3267191-7
VAT ID: FI32671917
Malmin raitti 17 C
00700 Helsinki

3. Description of the service

3.1 The service is an online ecommerce platform for sale of products and services. For detailed applicable services descriptions, contact HeadQ or visit HeadQ’s website.

4. Contracts concluded through the service

4.1 Any contract concluded through the service is concluded directly between the customer and the party who purchases products or services through the service. HeadQ is not a party to such a contract even if it provides a platform for the sale. The customer is the seller of record for products and services sold through the service and solely responsible to its clients for fulfilling all seller’s contractual obligations.

5. Changes to service and these terms

5.1 HeadQ develops the service continuously, so HeadQ retains the right to make changes to these terms and to the service. HeadQ notifies customers of significant changes to the terms or to service by informing users by email, by publishing the terms on its website or via the service or in some other manner, as HeadQ considers suitable. Changes become effective on the notified date, unless otherwise provided. If the change concerns pricing or significant changes in the features of the service, HeadQ aims to notify at least one month prior to the change. Unless a specific effective date has been given for the change, the change becomes effective when it has been made. By continuing to use the service after the change the customer accepts it. If the customer does not accept the changes, it must terminate the agreement by written notice prior to the changes becoming effective and stop the use of the service.

6. Use of service and limited license

6.1 HeadQ grants the customer, subject to these terms, a limited, non-exclusive, personal and non-transferable license to use the service for the customer’s internal business purposes. The customer (including its users) agrees to use the service according to these terms and applicable laws. If HeadQ has reason to believe that the customer or a user has not followed these terms or the applicable laws, HeadQ may delete or limit the user rights or conduct other means it considers necessary.

6.2 The use of the service may be subject to technical and other restrictions set by HeadQ, such as the maximum number of orders that the service is able process per month. The essential restrictions for a specific customer are defined in the agreement or within the service by logging into the user account. Use of the service may also be restricted by HeadQ’s acceptable use policy in force from time to time, which is incorporated herein by reference and which may, for instance, provide restrictions to the type of business and activities for which the service can be used.

7. General obligations of the customer

7.1 The customer agrees to

  • be solely responsible for the store, marketplace or application it has created within the service for selling its products and services, the products and services it sells as well as the business and contractual relationships with its customers;
  • comply with these terms and conditions, good business practice and the applicable laws when using the service for selling its products and services to its own customers;
  • not to use the service for fraudulent, criminal or illegal activities;
  • comply with applicable data protection laws when processing the personal data of its own customers;
  • include adequate, correct and truthful information of the products and services it promotes and sells through the service;
  • not to use the service for storing, collecting or processing sensitive data (including without limitation personal and social security numbers), as the service is not designed for such purposes;
  • keep, maintain and have easily accessible to its own customers appropriate sales terms and conditions as well as a privacy policy as required by applicable laws;
  • fulfill its contractual obligations insofar as it concludes contracts with customers through the service;
  • keep and maintain accurate records of transactions as required by applicable accounting and tax laws and regulations; and
  • to be responsible for the administration and payment of employer, tax and other applicable public law obligations related to its activities.

7.2 A customer and a user cannot (a) use or try to use another user’s account without his/her and HeadQ’s permission; (b) copy, modify or create derivative works of the service, it’s content or technology relating to it; (c) reverse engineer, decompile, disassemble or otherwise try to derive the source code of the service or its technology; (d) remove any intellectual property right notices from the service; (e) create a user account by using another person’s personal data or otherwise incorrect or fake data; (f) transfer his/her account to another user without HeadQ’s prior written consent; (g) sell, resell or otherwise provide the license to use the service to a third party without HeadQ’s prior written consent.

8. Registration and user accounts

8.1 A customer receives a right to use the service throughout the term when concluding an agreement for the use of the service and registering a user account. The use of the service requires that a customer (e.g. a company or other legal entity) concludes an agreement with HeadQ relating to the use of the service and the account is registered and user names created for the service. The number of the users and the features included in the service may depend on the agreement and subscription level. During the registration HeadQ must be provided with required details of the user(s) and the customer organization. The customer is responsible for giving accurate and truthful information and updating the information when necessary for creating and maintaining a user account in the service. Login and password details are always personal.

8.2 The customer must make sure that its users maintain the login and password details in a secure manner. Login and password should never be provided to anyone else and a person should never use another person’s or another customer’s login and password. If the customer or a user believes or knows that the confidentiality of his/her login and password has been compromised, he/she should inform HeadQ without delay. HeadQ has the right to delete or limit user access, if HeadQ justifiably believes that the confidentiality of the user account has been compromised or the user does not follow these terms or otherwise acts in bad faith.

9. Confidentiality

9.1 A party shall not disclose to anyone any confidential information received from the other party and may not use such information for any other purpose than for furthering its obligations under an agreement. A party shall limit access to the confidential information received from the other party to such of its employees or subcontractors as may be directly involved in the subject matter of an agreement and to no other employees. These confidentiality obligations shall remain valid for five (5) years after termination or expiration of an agreement.

10. Data security, personal data and privacy

10.1 HeadQ aims to ensure that the data security of the service is on an industry standard level.

10.2 Protecting the privacy of customers, users and other personal data processed in the service is important to HeadQ. As a data controller, HeadQ collects and uses personal data in accordance with its privacy principles. HeadQ’s privacy policies are available at: www.HeadQ.io, visit the pages regularly for any updates.

10.3 If HeadQ is considered in its performance of contractual obligations a data processor in relation to its customer, the data controller (as defined in the EU General Data Protection Regulation), then HeadQ Data Processing Agreement is also applied and considered an integral part of an agreement between HeadQ and the customer.

11. Content entered or created by the customer

11.1 If a customer or any of its users enter or create content in the service while using it, the intellectual property rights relating to such content are owned by the customer or applicable user. However, HeadQ has a right to use the content for providing the service to the customer, for developing the service or for any other reasonable business purpose of HeadQ. HeadQ has also a right to use and publish aggregate, statistical and anonymous data from content entered by a customer or otherwise relating to customer’s use of the service, provided that a person cannot be identified from the material created and published by HeadQ.

11.2 The customer undertakes that the information provided and entered by it to the service is true, accurate, up-to-date, adequate and in accordance with applicable laws and that it does not violate any third party rights. The customer also undertakes to update the information as necessary or at the request of HeadQ, if HeadQ finds any deficiencies in it. For a justified reason, HeadQ has a right to delete, modify or restrict the content entered by the user into the service.

12. Intellectual property rights

12.1 The service (including any customer-specific modifications, updates and bug fixes) and content relating to it are protected by copyright and other intellectual property right laws and are and shall remain the sole and exclusive property of HeadQ or its licensors, as the case may be. Other intellectual property rights, such as trademarks, patents, designs or trade secrets, may as well relate to the service, which also belong to HeadQ or its licensors. No intellectual property rights are transferred from HeadQ to the customer, the customer is only granted a limited license to use the intellectual property relating to the service in its internal operations in accordance with these terms.

12.2 HeadQ shall defend the customer against claims presented against the customer that the service (or its use) infringes a valid third-party patent or copyright in HeadQ’s domicile, and indemnify for any final judgment awarded against the customer by a court of competent jurisdiction as a result from such claim or settle such claim at no cost to the customer provided that (a) the customer notifies HeadQ promptly as it is apprised of the third-party claim; (b) the customer permits HeadQ to handle defendant’s case or settlement; and (c) the customer gives HeadQ all reasonable assistance and information available as well as all necessary authorizations. Because HeadQ has exclusive control of resolving infringement claims hereunder, in no event will HeadQ be liable for the customer’s attorney fees or costs. Notwithstanding the foregoing, HeadQ shall have no obligation or liability for any claim or proceeding against the customer based upon (i) data, content or material provided or entered by the customer or (ii) the combination, operation or use of the service with any products, programs or data not supplied by HeadQ, if such infringement would have been avoided but for such combination, operation or use. If a claim is made or HeadQ believes that such is likely, HeadQ may, at its option, obtain for the customer the right to continue to use the service; or (b) replace or modify the service so that it becomes non-infringing. If none of the above-mentioned alternatives is reasonably available, the customer shall stop the use of the service, in which case HeadQ shall provide a reasonable refund for the fees already paid by the customer for the infringing service, less a reasonable depreciation for use prior to the infringement claim. This section states the parties’ sole and exclusive obligations and their exclusive remedies with respect to third party intellectual property infringements or claims thereof.

13. Using the service

13.1 Use of the service requires a browser and an internet connection as well as a suitable device, such as a computer. Even if the service has been tested on different devices, browsers and operating environments, HeadQ cannot provide any warranties that the service will function error-free on all possible devices, browsers and operating environments.

13.2 The customer is responsible at its own cost to acquire and maintain necessary devices, software and internet connections required for the use of the service. HeadQ does not guarantee that the application can be used specifically with the customer’s device, software and internet connection. HeadQ is not responsible for the possible outages or disconnections of the service for instance due to updates, technical issues or problems or other similar reasons. HeadQ is not responsible for any damages caused by or relating to use or inability to use the service.

14. Warranties; Information in the service; Limitation of HeadQ’s liability

14.1 Even if HeadQ has used great care in developing and maintaining the service, HeadQ cannot provide any warranties that the service would operate error-free. The service is provided to the customer on an “AS IS” and “AS AVAILABLE” basis. Furthermore, HeadQ does not represent or warrant that the service is fit for customer’s specific purposes. The customer uses the service at its own risk and it should evaluate prior to use of the service whether the service is fit for the customer’s intended purpose or not.

14.2 HeadQ’s aggregate, cumulative maximum liability arising out of or relating to breaches of contract, tort, warranty or otherwise shall in no event exceed the total sum paid by customer for use of the service within the three (3) month period prior to making first claim for damages or monetary compensation.

14.3 Any damages or monetary compensation must be claimed by the customer no later than three (3) months after the customer became aware of the cause for the claim, with the risk of otherwise losing its right to claim any damages or monetary compensation based on breaches of agreement.

14.4 HeadQ is not liable to the customer for any indirect, special, consequential or punitive damages or administrative fines (including loss of revenue or profit, business losses, business interruptions and loss of data) caused by violation of an agreement or these terms, or by use of or inability to use the service. Furthermore, HeadQ is not responsible for any claims made by or damages suffered by third parties.

14.5 These limitations of HeadQ’s liability are applied to the fullest extent permitted by mandatory provisions of applicable laws.

15. Maintenance

15.1 HeadQ performs normal development and maintenance work for the service. Due to this, HeadQ is entitled to temporarily restrict or limit the use of or access to the service. HeadQ aims to schedule the maintenance updates in a manner that causes as little harm to the customer as reasonably possible. HeadQ is not responsible for any damages or harm caused by interruptions in the use of the service. HeadQ notifies the customer of planned changes or interruptions in the service in a manner as it considers appropriate. All maintenance and support work are by default performed remotely from HeadQ’s location on weekdays during normal business hours. HeadQ makes backup copies and deletes data contained in the service in accordance with its normal IT and data retention policies.

16. Fees payable for using the service

16.1 HeadQ may offer unpaid trials, or certain features or versions of the service free of charge. With the exception of free services, the customer’s use of the service is subject to payment of applicable fees to HeadQ. Customers with a valid subscription can find the applicable payable fee within the service by logging into the user account. The fees and other charges for the use of the service may also be described on HeadQ’s website. If HeadQ has not agreed with the customer on fees and charges for the use of the service or for other services HeadQ provides to the customer, HeadQ’s prices and fees valid at any given time shall apply. The payable prices and fees for the service may depend on the amount of users and features or functions included in the service.

16.2 HeadQ is entitled to update its fees by providing at least one (1) month’s advance notice to the customer. If the customer does not accept the new fee, it may terminate the user agreement. The customer’s continued use of the service after the fee has changed indicates acceptance of the new fee.

16.3 Unless otherwise notified, value added taxes are not included in HeadQ’s prices and fees, which shall be added and payable by the customer in accordance with applicable laws.

16.4 All payments for the services shall be made in euros to an account specified by HeadQ, unless the parties agree otherwise. HeadQ may offer different payment methods to its customers for the payment of subscription fees, such as payment by invoice or payment by credit card. If HeadQ offers credit card as a payment method, the payment is processed by a secure third party payment gateway (e.g. Stripe).

16.5 The service fees are invoiced on a monthly, quarterly or annual level, as decided by HeadQ. All purchased services and plans are non-transferable and non-refundable. The customer will not receive any repayment for any service or plan it does not use even when it terminates or stops its use of the service during an already paid billing period. Unless otherwise provided by HeadQ, the payment term is fourteen (14) days from the date of HeadQ’s invoice. The interest rate for delayed payments is 11 % per annum.

17. Payments to the customer

17.1 HeadQ may offer a variety of methods and third-party applications, such as Stripe for credit card payments, which the customer may offer to its end-customers as a method for paying the products and services purchased via the service. To the extent third-party services are used as a payment gateway, it is the customer’s responsibility to activate and maintain these accounts. If the customer does not want to keep such accounts active, it is the customer’s responsibility to deactivate the account. Third-party payment gateways are considered third-party services as defined in Section 21 of these terms and such gateways are used under their own terms of service, which the customer agrees to comply with in addition to these terms and conditions.

18. Term and termination

18.1 Unless otherwise agreed, an agreement regarding the use of the service is in force and valid until terminated by a party by providing at least one (1) month’s written notice to the other party. For free services and unpaid trials the subscription period shall be the period during which HeadQ provides the customer an access to the service.

18.2 HeadQ may also terminate the agreement with immediate effect, if (1) the customer does not pay the applicable service fees, (2) the customer becomes insolvent or goes bankrupt, (3) the customer uses the service in violation with these provisions, the applicable laws or good business practice, (4) the customer’s account has remained inactive for a substantial period of time, or (5) the customer uses free version of the service, which HeadQ wants to stop offering. A party is also entitled to terminate an agreement in whole or in part in the event that the other party fails to comply with any material term of an agreement or these terms, provided that such failure is not cured, to the extent the failure is curable, within fourteen (14) days after the notice of the breach was provided.

18.3 When the agreement relating to the use of the service is terminated or expires, terminates or expires also the right to use the service. The terms and conditions of an agreement which by their nature and purpose are intended to survive termination, shall survive any termination or expiration of an agreement.

19. Applicable law and dispute resolution

19.2 The agreement, these terms and the use of the service are governed by the laws of Finland, without regard to its conflict of laws rules and principles.

19.3 Any dispute arising between the parties will be settled by amicable settlement. Failing amicable settlement within thirty (30) days of the dispute being referred to the settlement, the dispute will be finally settled by arbitration in accordance with the Arbitration Rules of the Finnish Central Chamber of Commerce by one (1) sole arbitrator appointed in accordance with those Rules. The arbitration shall be held in Helsinki, Finland and the arbitration proceedings shall be conducted in English. The Parties agree to keep confidential all information, documents and material relating to the arbitral proceedings as well as the arbitration award. HeadQ shall, however, have the right to bring up any claim, related to an Agreement and based on a due receivable from the customer, in the district court where the customer is domiciled or in any other district court in customer’s jurisdiction.

20. Other terms

20.1 HeadQ is entitled to employ subcontractors to fulfill its obligations under an agreement and it is liable to the customer for all acts of its subcontractors as for its own acts.

20.2 HeadQ shall not be deemed to be in breach of an agreement, or otherwise be liable to customer, for any failure to perform, or any delay in performance, caused by a reason beyond HeadQ’s control (force majeure events).

20.3 Unless otherwise agreed, a party does not have the right to transfer an agreement or rights and obligations related to it, entirely or partly, to a third party without the other party’s prior written acceptance. However, a party may assign an agreement or rights and obligations related to it without the other party’s acceptance in connection with any merger, sale of business or similar transaction.

20.4 These terms and the additional agreed upon terms in an agreement contain the entire agreement between the parties and supersede all prior communication, discussions and agreements relating to the subject matter.

21. Third party services

21.1 Third party services or applications may be included or integrated in HeadQ’s service or resold by HeadQ. These are provided to the customer under the applicable third party terms of use and fees. HeadQ is not responsible and does not give any warranties regarding third party services or applications or their use, function or defects in them. If the third party services provider makes changes to its pricing, HeadQ is entitled to update its resale prices accordingly. Upon a party’s termination of an agreement HeadQ is entitled to invoice for such reasonable third party costs that could not be canceled or prevented prior to termination (e.g. third party services have different termination notice period compared to HeadQ’s service).

Data Processing Agreement

Last updated: May 10, 2023

1. Introduction, purpose and application

This Data Processing Agreement (“DPA”) is applied as part of the commercial agreement (“Agreement”) to the processing of personal data carried out by MVP Digital Oy, Business ID: 3267191-7 (“Processor”) in connection with providing services (“Services”) to its customer named as the other contracting party in the Agreement (“Controller”), which Services are described in more detail in the Agreement concluded by and between the Processor and the Controller.

This DPA is an integral and inseparable part of the Agreement between the parties. All terms used in this DPA, but not defined, have the same meaning as they have in the Agreement. If there is a conflict between the Agreement and this DPA, the terms of the DPA take precedence.

2. Definitions

“Controller” means the natural person or legal entity, authority, agency or other body mentioned in this DPA, which alone or jointly with others defines the purposes and means of personal data processing.

“Data Protection Law(s)” means the Data Protection Act (1050/2018) and the EU General Data Protection Regulation (2016/679) with amendments and replacement regulations as well as other valid and applicable data protection legislation and instructions and binding regulations of data protection authorities.

“Data Subject” means an identified or identifiable natural person whose Personal Data is Processed on the basis of this DPA.

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is considered to be a natural person who can be directly or indirectly identified especially on the basis of identification information such as name, social security number, location information, online identification information or one or more physical, physiological, genetic, psychological, economic, cultural or social factors characteristic of him or her.

“Personal Data Breach” means a data security breach event resulting in the accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to personal data transferred, stored or otherwise processed.

“Processing” means the function or functions that are applied to Personal Data or data sets containing Personal Data in connection with the provision of Services, either using automatic data processing or manually, such as collecting, storing, organizing, structuring, storing, modifying or changing, searching, querying, using, transferring data , distributing or otherwise making them available, matching or combining, limiting, deleting or destroying the information.

“Processor” means the natural person or legal entity, authority, agency or other body mentioned in this DPA that Processes Personal Data on behalf of the Controller.

“Standard Contractual Clauses” means the Standard Contractual Clauses (EU) 2021/914 as of 4 June 2021. Any reference made to the Standard Contractual Clauses shall refer to the Standard Contractual Clauses, which includes the parties’ selection on certain Modules and optional clauses as well as Appendix I to III in this DPA. In addition, the parties agree that the use of Subprocessors shall be governed by Clause 9, Option 1 of the Standard Contractual Clauses.

“Subprocessor” means a natural person or legal entity in a contractual relationship with the Processor, who processes Personal Data as a subcontractor of the Processor as part of performing Services for the Controller.

3. Scope of processing and processing activities

Pursuant to this DPA such Personal Data is processed, for which the Controller acts as the sole data controller.

The Processor Processes Personal Data (i) in accordance with Data Protections Laws and the terms of this DPA to fulfill the obligations described in the Agreement; and (ii) in compliance with the written instructions given by the Controller from time to time, unless otherwise required by the Data Protection Laws applicable to the Processor. The Processor may not process Personal Data for any of its own purposes or hand it over to third parties, unless this DPA allows it. The Processor must notify the Controller if it considers or suspects that the Controller’s written instructions violate the Data Protection Laws. Unless otherwise stipulated in this DPA or its appendices, the Processor may Process Personal Data only for the duration of the Agreement.

The Controller (i) undertakes to comply with the obligations in accordance with the Data Protection Laws applicable to it in the Processing of Personal Data; and (ii) is responsible for the fact that it, as the sole data controller, has the right to Process Personal Data and that it has fulfilled its obligation to inform the Data Subjects and/or received (or will receive) all the consents required by the applicable Data Protection Laws from the Data Subjects for the Processor to Process Personal Data on behalf of the Controller in accordance with this DPA.

More detailed information about the Processing, such as the nature of the processing, types of Personal Data and groups of Data Subjects, are described in Appendix 1. The appendix can be updated if changes occur in the Processing.

However, the Controller acknowledges and accepts that as part of providing the Services to the Controller, the Processor has the right to use information related to the operation, support or use of the Service or obtained in connection with it for its legal and legitimate internal business purposes, such as (i) invoicing the Service based on usage or number of users, (ii) delivery of the Service and for managing the provision thereof, (iii) for the functional and technical development of the Service, (iv) for compliance with applicable laws (including responding to official requests), (v) for ensuring the security of the Service, and (vi) for preventing fraud and abuse or reducing risks. To the extent that such information is Personal Data, the undertakes that: (a) it will process such Personal Data in accordance with the applicable Data Protection Laws and only for purposes that are compatible with the objectives described in this section; and (b) it does not use such Personal Data for any other purpose or disclose it to third parties, unless it has first anonymized the data so that the Controller or no other person or entity can be identified from the data.

4. Subcontractors and subprocessors

The Processor has the right to use Subprocessors in the Processing. Upon request, the Processor must provide the Controller with more information about the Subprocessors it uses. If the Processor plans to make essential changes, additions or removals to its Subprocessors, it agrees to notify the Controller of it in a manner it considers appropriate. The Controller has the right to prohibit the use of a specific Subprocessor for a justified reason. If the Controller prohibits the use of a particular Subprocessor and it is not reasonably possible to transfer the tasks of that Subprocessor to anyone else, including to the Processor, the Processor has the right to terminate the DPA and end the Processing. The Controller is not entitled to any compensation solely on the basis that the Processing ends and the DPA has been terminated due to the Controller prohibiting the use of a specific Subprocessor.

The Processor must enter into a written agreement with each Subprocessor, which contains the terms and conditions required by the Data Protection Laws and essentially similar types of obligations as the Processor has under this DPA. The Processor is responsible for the Subprocessors it uses, just as it is for its own actions.

5. Data security

The Processor must implement appropriate technical, physical and organizational measures to ensure a high level of security in the Processing of Personal Data by the Processor and to protect Personal Data from unauthorized or illegal processing and from unintentional loss, destruction, damage, change or transfer. When evaluating the necessary measures to guarantee the level of security, the instructions of the Controller, the latest technology and implementation costs, the nature, scope, context and purposes of the Processing, as well as the risks to the rights and freedoms of natural persons, which vary in probability and severity, must be taken into account.

Applicable measures may be, for example: (i) pseudonymization and encryption of personal data; (ii) the ability to guarantee the continuous confidentiality, integrity, availability and fault tolerance of the systems and services; (iii) the ability to quickly restore the availability of Personal Data and access to Personal Data in the event of a physical or technical failure; and (iv) the procedure for regularly testing, examining and evaluating the effectiveness of technical and organizational measures to ensure the security of the Processing. The Processor must take measures to ensure that every natural person working under the Processor who has access to Personal Data processes it only in accordance with the instructions of the Controller, unless otherwise required by applicable Data Protection legislation. The Processor is responsible, in accordance with its own policies, for taking backups of the data and files of the Controller in its possession and for checking their functionality.

Without limiting the requirements and obligations described above, the Processor must always implement at least the technical and organizational information security measures which essentially correspond to the measures described in Appendix 2.

6. Confidentiality

The Processor must ensure, to the extent reasonably possible, that only those persons acting on its behalf who have a need to access the information in order to fulfill the purpose of this DPA have access to the Personal Data, and that the persons who have the right to process the Personal Data are committed to complying with the obligation of confidentiality or are subject to the appropriate statutory obligation of confidentiality.

7. International data transfers

7.1 Transfers allowed

The processor may transfer to a country outside the European Union or the European Economic Area. The processor must always comply with the conditions and requirements of the Data Protection Laws when transferring data to countries outside the European Union or the European Economic Area, such as using standard contract clauses published by the EU Commission applicable to data transfer.

7.2 Processors in the EEA and the Controller outside the EEA

If the Processor is located inside the EEA and the Controller outside the EEA in a country that is not included in the EU Commission’s decision on an adequate level of data protection and the Controller is not covered by the EU-U.S. Data Privacy Framework, the transfer of Personal Data shall be governed by Module 4 of the Standard Contractual Clauses which are incorporated herein by reference and form an integral part of the DPA. The Controller enters into the Standard Contractual Clauses as “data importer” and Processor as “data exporter”.

For the purposes of the Standard Contractual Clauses:

  • the module four shall apply;
  • the optional docking clause, Clause 7, shall apply;
  • in Clause 11, the optional language is to be deleted;
  • in Clause 17, the substantive laws of Finland shall apply;
  • in Clause 18, disputes shall be resolved before the district court of Helsinki, Finland; and
  • the Annexes of the Standard Contractual Clauses shall be populated with the information set out in the DPA, including its appendices.
  • If and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement or the DPA regarding the transfer of Personal Data from Controller to Processor, the Standard Contractual Clauses shall prevail to the extent of such conflict.

If the Processor is located within the EEA and commissions a Subprocessor located outside the EEA, the Processor shall enter into the Standard Contractual Clauses (Module 3) with such Subprocessor. Any further onward transfer of Personal Data must comply with the applicable Module of the Standard Contractual Clauses.

8. Personal data breaches and reporting obligations

The Processor must notify the Controller of all real or suspected Personal Data breaches without undue delay after becoming aware of the breach.

The Processor must provide the Controller with all available information about the Personal Data Breach, which the Controller may need to fulfill its own investigation and reporting obligations. The Processor can later supplement the information if it does not have comprehensive information about the violation immediately available. The Processor must otherwise assist and cooperate with the Controller in the investigation of the Personal Data Breach and in possible matters related to notifications to authorities and interested parties. The Processor must also take the necessary reasonable follow-up measures to mitigate the adverse effects of the Personal Data Breach, repair the violation or breach that has occurred, and prevent future violations. The Processor may not comment on the Personal Data Breach to third parties, especially media representatives, without express written consent and instructions from the Controller, unless otherwise required by Data Protection Laws.

Unless otherwise required by the Data Protection Laws or the order of the competent authority, the Controller makes the final decision at its own discretion on whether the Personal Data Breach must be notified to the authorities or other parties involved, and on the possible way to make such notifications. If the Processor reports a Personal Data Breach to the authorities or other interested parties, they must be approved in advance by the Controller.

9. Documentation and auditing rights

A party has the obligation to make available to the other party all the required information and documents that are necessary for demonstrating compliance with this DPA and the Data Protection Laws.

At the request of the Controller, the Processor must also allow audits of the Processing, Services, information security measures and the Processor’s information systems and processes, and participate at reasonable intervals to such audits for the purpose of ensuring compliance with this DPA and the Data Protection Laws. Such audits may be carried out no more than once a year, unless there is a justified reason to assume that the Processor does not comply with the DPA or the Data Protection Laws. Audits may also include visits to the Processor’s offices or other physical premises. The audit is carried out during normal working hours and in such a way that it does not unnecessarily disturb the Processor’s operations. Each party is responsible for its own costs related to the audit. The Processor must be notified of planned audits at least fifteen (15) days before the intended audit. Information about the Processor’s activities obtained by the Controller during the audit is confidential.

10. Assisting the Controller

The Processor must, at the request and expense of the Controller, reasonably assist the Controller in complying with the obligations data controllers have in accordance with the Data Protection Laws. The duty to assist applies in particular to the following matters:

10.1 Access to Personal Data

Insofar as the Personal Data is not available directly through the Services, the Processor shall, upon request, provide the Controller with the data in question. If the information is available in electronic form, it must also be delivered to the Controller in that form.

10.2 Fulfillment of Data Subjects’ rights and requests from the supervisory authority

The Processor must notify the Controller without delay: (i) of all requests, complaints or notifications made by the supervisory authority or other competent authority; and (ii) from any requests received directly from the Data Subject, related to the fulfillment of the data subject’s rights. The Processor may respond directly to the request only if the Controller has given permission and instructions to do so in advance. If the Controller so requests, the Processor must reasonably assist the Controller in responding to official requests and in fulfilling the data subject’s rights according to the Data Protection Legislation.

10.3 Data protection impact assessment

If the Processor becomes aware that the planned Processing would cause a high risk in terms of the rights and freedoms of a natural person, it must inform the Controller of this and, if necessary, assist the Controller in carrying out an impact assessment regarding data protection.

10.4 Correction, deletion and restriction of Personal Data

The Processor must either (i) offer the possibility to correct, delete or limit the processing of Personal Data through the functions of the Service or (ii) correct, delete or limit the processing of Personal Data in accordance with the instructions of the Controller.

11. Term and termination

11.1 Entry into force and termination

Unless otherwise agreed, this DPA enters into force at the same time as the Agreement and remains valid as long as the Processor Processes the Controller’s Personal Data in connection with the provision of its Services. Regardless of the termination of the DPA, the provisions of the DPA, which are of such a nature that they are intended to remain in force regardless of the termination of the Agreement, remain in effect regardless of the termination of the DPA.

11.2 Returning or deleting Personal Data at the end of Processing

Upon termination of the DPA, the Processor must, at the Controller’s choice, either delete all Personal Data Processed on behalf of the Controller or, alternatively, return all Personal Data to the Controller and delete existing copies, unless the Data Protection Laws require retention of Personal Data. In that case, the Processor has the right to keep the Personal Data in accordance with the requirements of the law, without otherwise continuing the Processing of the Personal Data and still complying with the confidentiality obligations described in this DPA. The return or deletion of personal data must be carried out without undue delay after the Controller’s request. If the Controller has not given any instructions regarding the deletion or return of Personal Data, the Processor may on its own initiative delete the Personal Data in its possession when twelve (12) months have passed from the end of the DPA. The Processor must return the Personal Data in a commonly used, data-secure electronic format or in another format agreed upon by the parties.

12. Other terms

12.1 Changes

All changes to this DPA must be agreed in writing between the parties. For the sake of clarity, it is stated that the written instructions given by the Controller from time to time to carry out the Processing of Personal Data are not considered to be changes to this DPA.

12.2 Responsibilities and liability

If the Data Subject suffers damage due to a violation of the Data Protection Laws, the responsibility of the Controller and the Processor for the damage is determined in accordance with Article 82 of the EU General Data Protection Regulation (2016/679). Each party is responsible for possible administrative fines imposed by the supervisory authority on the basis of a violation of the Data Protection Laws. A party’s liability for damages to the other party based on a breach of contract of this DPA is a total maximum amount that corresponds to the VAT-free service fees paid on the basis of the Agreement for the six (6) months preceding the submission of the first claim for damages. In other respects, the terms of limitation of liability that may be contained in the Agreement between the parties or its appendices also apply to this DPA. Unless otherwise expressly stated herein, a party is not liable to the other for any indirect, consequential, incidental, special or punitive damages (including any damages for business interruption and loss of use, data, sales, revenue or profit), which are specifically excluded.

12.3 Applicable law and dispute resolution

Regarding the applicable law and the resolution of disputes, the terms of the Agreement between the parties are followed, unless the Data Protection Laws states otherwise. If the Agreement does not state applicable law or contain dispute resolution terms, the DPA shall be governed by the substantive laws of the Processor’s domicile.

13. Appendices

This DPA consists of this document and the attachments listed below:

  • Appendix 1: Description of processing operations
  • Appendix 2: Technical and organizational information security measures

Appendix 1 to DPA (and where applicable, to Standard Contractual Clauses)

Description of processing operations

A. The parties’ contact persons
Data exporterName: MVP Digital OyActivities relevant to the data transferred under these Clauses: operation of the HeadQ ecommerce platformRole (controller/processor): processor
Data importerName and contact details: as specified in the commercial agreementActivities relevant to the data transferred under these Clauses: use of the HeadQ ecommerce platformRole (controller/processor): controller
B. Description of the processing operations performed by the Processor
Categories of Data Subjects whose personal data is processed:The controller’s customers and potential customers that use the HeadQ platform for ecommerce transactions.
Categories of Personal Data to be Processed:Name, employer’s name, e-mail address, IP address, data about transactions made in the HeadQ platform and other data.
Whether sensitive data is processed:Not by default.
Nature of the Processing:Storing and processing data relating to transactions made in the HeadQ platform.
Purpose for which personal data is processed on behalf of the controller:Business-to-business ecommerce transactions.
The frequency of the transfer / processing:On a continuous basis.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:The validity period of the DPA and the provision of services.
C. Competent supervisory authority
Finland:Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)Street address: Lintulahdenkuja 4, 00530 HelsinkiPostal address: PL 800, 00531 Helsinki, FinlandSwitchboard: +358 29 566 6700Registry: +358 29 566 6768www.tietosuoja.fi

Appendix 2 to DPA (and where applicable, to Standard Contractual Clauses)

Technical and organizational information security measures

A description of the technical and organizational measures that the Processor must implement in addition to the general obligations mentioned in the DPA to ensure an appropriate level of data security.

Security of premises
The Processor ensures that unrelated persons do not gain access to its premises where personal data is processed. Personal data is processed and stored in professionally managed facilities.
Systems securitySystems must not be accessed without personal user IDs. Usernames are issued in a controlled manner and each person is responsible for using the username in accordance with the instructions. Usernames are checked and unnecessary ones are deleted regularly.
Information management securityAs far as possible, each user has access only to the information that he needs to access for his work duties, and personal data may not be viewed, copied, edited or deleted without the relevant right or permission. Access to personal data must clearly be part of the person’s duties.
Transmission of personal dataIf Personal Data is transmitted on public networks, the data is transmitted encrypted. Access to personal data is only available to users with user IDs, and this way it can also be ensured that those who should not have access to personal data do not have access. User rights are managed and checked regularly. Personal data will not be forwarded to test or other temporary environments unless the data is adequately protected.
Control of information mediaAccess to personal data is controlled and, where possible, the systems have log data. Terminal devices and information systems must be behind user-specific identifiers at the operating system level, and identifiers must not be shared or others’ identifiers used. When leaving workstations, terminals and information systems must be locked at the operating system level.
Backups of personal data and/or the systems that use them are taken in accordance with good practices in the industry in order to enable data recovery. The systems and architecture use fault-tolerant technology.
The Controller will be notified if its personal data has been leaked or if there has been another significant data security leak from the systems.