Standard Terms & Conditions
Appendix 1
These Standard Terms and Conditions (hereinafter referred to as the “Standard Terms”) and the Data Processing Addendum (hereinafter individually referred to as the “Data Processing Addendum” or “DPA”), jointly referred to as the “Agreement”, are entered into between Creditro A/S, registered in the Danish Central Business Register under CVR no. 39181169 (hereinafter referred to as “Creditro”), and the entity placing an order for access to the Creditro KYC Platform (hereinafter referred to as the “Customer”). Creditro and the Customer are individually referred to as a “Party” and collectively as the “Parties”.
1. Introduction
1.1 These terms apply to and regulate the relationship between the Customer and Creditro.
2. Definitions
2.1 Where the Agreement (including the Order Confirmation, Appendix 1, and Appendix 2) uses the terms below with capital letters, the following definitions apply:
Regular Business Hours: Monday to Thursday from 9:00 AM – 4:00 PM (CET), and Friday 9:00 AM – 3:00 PM (CET), excluding Danish public holidays.
Agreement: Refers to the Standard Terms, the Data Processing Agreement, the Order Confirmation, and any appendices related to these documents.
User: A person created by the Customer in Creditro’s systems who can use Creditro’s modules on behalf of the Customer.
Call: A technical inquiry to Creditro Assess to retrieve information about a specific company or person.
Owner: An employee appointed by the Customer, responsible for internal setup, user management, and other technical/practical matters.
Client: The person, company, etc., that the Customer wishes to check in Creditro Comply, Comply Light or Creditro Assess. Normally, the Client is the Customer's own client. Each Client may be associated with multiple cases.
Monitoring: Ongoing monitoring by Creditro to ensure previously collected Master Data remains accurate.
Order Confirmation: An integral part of the Agreement specifying prices, product features, and any additional services agreed upon.
Package: The version of a Creditro module selected by the Customer, typically including a number of units (e.g., number of Users).
Report: A collection of data retrieved by the Customer through Creditro, e.g., via Creditro Comply.
End-User: A person whose Master Data is to be included in an investigation in Creditro Comply and/or Creditro Comply Light, e.g., a beneficial owner or management member of a company.
Master Data: Information on a Client or End-User such as name, possibly CPR/CVR number, contact details, industry, and identification documents; status as PEP, and any listing on sanction lists.
Dispatch: One or more documents sent for signature via Creditro Sign to one or more signatories.
3. Right of Use
3.1 Based on the Agreement, the Customer obtains a non-exclusive right to use the Creditro modules covered by the Agreement to the agreed extent and for as long as the Agreement is in effect.
3.1.1 The Creditro modules may be used by the Customer either by logging in through Creditro’s website, https://app.creditro.com, or—provided a specific agreement has been made—through the APIs made available by Creditro.
3.1.2 When the Customer’s Users log into Creditro’s service to use one of Creditro’s modules, each User must use a separate login consisting of a username and a password. If the number of Users is limited, the Order Confirmation will state how many Users the Customer may create in Creditro. Usernames and passwords are personal and must be kept confidential. The Customer’s Account Administrator may manage User access through Creditro’s website. If the Customer uses one of Creditro’s modules via API, the Customer must use the authentication credentials issued by Creditro for login.
3.1.3 If the Customer becomes aware of or suspects misuse of their or their Users’ access to Creditro’s modules, the Customer must immediately change any compromised usernames and passwords and notify Creditro.
3.1.4 The Customer’s Users must belong to the Customer’s legal entity, and Creditro’s modules may only be used internally within the Customer’s legal entity. Neither the Customer nor the Customer’s Users may transfer or allow any other persons, whether inside or outside of the Customer’s legal entity, to use their login credentials.
4. Prices and Payment
4.1 The prices for the Customer’s access to Creditro’s modules at the time of entering into the Agreement are stated in the Order Confirmation. All prices are, unless otherwise specified, listed in Danish kroner and exclusive of VAT.
4.1.1 Upon entering into the Agreement, the startup price for the modules to which the Customer subscribes according to the Agreement will be invoiced.
4.1.2 Volume-based charges, e.g., based on the number of Clients, Users, Calls, or Dispatches—excluding International Data—are invoiced in advance for the Agreement Period at the start of said period, or proportionally for a shorter period if the Parties have agreed to this.
4.1.3 If the Customer has exceeded what is included in the agreed Package, such excess usage will be retroactively adjusted from the time it is identified until the end of the current subscription period. Any excess usage will be billed per unit. No adjustment is made for usage below the agreed amount. The Customer’s acquisition of International Data is invoiced upon entering into the Agreement.
4.1.4 If the Customer wishes Creditro to carry out programming tasks—including the development of new or customised components or modules that interact with Creditro’s other modules—a separate agreement must be entered into by the Parties regarding such work. This agreement must at a minimum describe the desired functionality and estimated time required. A separate order will be prepared for such work.
4.1.5 If the Customer wishes Creditro to perform special setup/configuration of its modules for the Customer, or desires customisations that do not involve programming, such work will be invoiced based on time spent, at a rate of DKK 999 per started hour. Before Creditro begins work on setup/configuration, a separate agreement must be made with the Customer. This agreement must describe the Customer’s setup/configuration requests as well as Creditro’s expected time consumption.
4.1.6 If the Customer requires support from Creditro beyond the support included in this agreement, cf. section 6, such support will be billed at a rate of DKK 499 per hour. Billing is in increments of 15 minutes.
4.1.7 Issued invoices are due for payment at the end of the payment deadline stated in the main agreement. The payment term is calculated from the time of invoice submission. In the case of late payment, Creditro is entitled to charge default interest from the due date until payment is made, using the interest rate applicable under the Danish Interest Act at any given time. If payment is not made within 5 days after the first reminder is sent, Creditro is also entitled to block the Customer’s access to any of Creditro’s modules until payment is received.
4.1.8 Creditro’s standard prices are adjusted once annually on March 1st, based on the percentage increase in the Consumer Price Index for the month of January in the preceding year. Agreed prices are adjusted at the beginning of the next Agreement Period at the same rate, unless otherwise agreed.
4.1.9 In addition to the adjustment mentioned in section 4.1.8, Creditro is entitled to change prices with 3 months’ notice. The Customer has the right to terminate the Agreement with 3 months’ notice within 14 days of being notified of the price increase, regardless of section 13.
4.1.10 A client created for KYC/AML or monitoring purposes is billable for a minimum period of 12 months at a time. A client or monitoring service is automatically renewed the day before the anniversary of the original setup date. A client or monitoring service can be archived before 12 months from the setup date have passed, but remains billable for a minimum of 12 months per instance.
5. Rights
5.1 Creditro owns all intellectual property rights, including ownership and copyright, to Creditro’s modules, including the provided APIs, or has the right to make them available to the Customer under the terms of the Agreement.
5.1.1 The Customer is granted only a right of use to Creditro’s modules as specified in the Agreement.
5.1.2 Creditro does not obtain any rights to the data that the Customer provides to Creditro in connection with the use of Creditro’s modules, other than the rights necessary to deliver Creditro’s modules to the Customer.
5.1.3 In the event that the Customer is met with claims that Creditro’s modules, or the Customer’s use thereof, infringe upon third-party rights, or if the Customer otherwise becomes aware of such allegations, the Customer must immediately inform Creditro.
6. Support
6.1 In connection with the initiation of the collaboration, the Customer is offered 1.5 hours of assistance for setting up the Customer’s account at a cost of DKK 2,760 excl. VAT. The assistance is provided via an online meeting between a person appointed by the Customer and Creditro’s Client Management Team.
6.1.1 It is the Customer’s responsibility to adequately train its Users in the use of Creditro’s modules.
6.2 Availability
6.2.1 Creditro guarantees an availability for each of its modules of 98% during Regular Business Hours, measured as an average over each calendar month.
6.2.3 If a service has less than the guaranteed availability during a given period, Creditro shall, upon the Customer’s request, provide a proportional reduction in the part of the fee related to the service for which availability was reduced. If a service has an availability of 95% in a calendar month, a reduction of 3% (98% - 95% = 3%) is granted on the monthly fee (1/12 of the annual fee). If the availability for the service in a given calendar month is below 90%, the entire monthly fee for that service is deducted.
6.2.4 “Availability” is defined as the relevant Creditro module being operational and responsive, measured from outside the firewall at the operations center used by Creditro. It is not considered a lack of availability if a non-response from a Creditro service is due to third-party data providers failing to respond—e.g., if the CVR register or CPR register does not respond to Creditro’s request.
6.3 Backup
6.3.1 Creditro continuously performs backups of all data stored in Creditro's systems. Full backups are made at appropriate intervals.
6.3.2 Full weekly backups are stored for a period of 6 months; incremental backups are stored for a period of 30 days. Backups are stored in encrypted form. Backup data is duplicated across the operational centers used by Creditro.
6.3.3 Creditro regularly, and at least every 6 months, checks the functionality of its backup systems, including testing the ability to restore data.
6.3.4 If the Customer wishes to have data restored from backup, Creditro should be contacted. Creditro is entitled to invoice the Customer for the work involved in restoring data from backup, provided the need for restoration is not due to circumstances for which Creditro is responsible. The invoicing of such work will follow the rates for Technical Configuration, etc., cf. section 4.
6.4 Maintenance
6.4.1 Creditro performs ongoing maintenance of its modules. Maintenance is typically carried out between 21:00 and 06:00 (CET).
6.4.2 If Creditro’s maintenance is expected to render the modules unavailable to the Customer for a period, the Customer shall be notified no later than two business days before the scheduled maintenance begins. Planned maintenance may not exceed 4 hours per calendar month.
6.4.3 Unplanned maintenance will be carried out, to the extent possible, within the time frame stated in section 6.4.1. If Creditro becomes aware that unplanned maintenance is expected to cause module unavailability to the Customer, the Customer will be notified as soon as possible.
6.4.4 Changes to Creditro’s APIs will be communicated to the Customer as soon as possible.
6.5 Error Correction
6.5.1 If the Customer discovers errors in Creditro’s modules, the Customer must immediately inform Creditro. The Customer must, if possible, provide detailed information about how the error manifests and under what conditions.
7. Personal Data
7.1 Creditro processes personal data in accordance with applicable legislation at all times. Creditro's processing of personal data on behalf of the Customer is governed by Appendix 2 of the Agreement – the Data Processing Agreement.
8. Breach of Contract
8.1 If either Party materially breaches the Agreement, the other Party is entitled to terminate the Agreement with immediate effect.
9. Confidentiality etc.
9.1 Each Party shall, unless otherwise stated in the Agreement, keep confidential all internal information received from the other Party, including information received in connection with the delivery of Creditro’s modules as well as information received in connection with entering into the Agreement, including the content of the Agreement.
9.1.1 Creditro’s employees are subject to a duty of confidentiality under their employment contracts both during and after employment. Creditro ensures that each employee only has access to the information necessary for the performance of their duties.
9.1.2 Creditro has the Customer’s express and general approval to engage subprocessors. Creditro must have a written agreement with each Subprocessor, ensuring that the Subprocessor complies with the provisions of EU law and the terms described in the DPA. Creditro remains liable to the Customer if a Subprocessor fails to fulfill its data protection obligations regarding processing activities under the Agreement.
List of Subprocessors: Creditro maintains an updated list of its Subprocessors.
Notice of new Subprocessors: Creditro will notify the Customer in writing of any planned changes regarding the addition or replacement of Subprocessors at least thirty (30) days in advance.
Objection to new Subprocessors: During the thirty (30) day notice period, the Customer may object in writing to the engagement of a new Subprocessor, which will result in termination of the Agreement in accordance with clause 2.4 of the Standard Terms.
Third countries: Any transfer of personal data to third countries may only be performed by Creditro based on documented instructions from the Customer and must always comply with Chapter V of the GDPR.
9.1.3 Creditro is entitled to use the Customer’s name, logo, and other identification details as a reference on its website and in marketing materials, unless the Customer has explicitly and in writing objected to this.
10. Liability and Limitation of Liability
10.1 The Parties are, subject to the specifications otherwise stated in the Agreement, liable to each other according to the general rules of Danish law. Neither Party shall be liable for indirect or consequential losses, including, but not limited to, operational loss, loss of goodwill, and other commercial losses, as well as claims from third parties, cf. clause 5.1.4.
10.1.1 Creditro shall not be held liable for third-party solutions that are not developed by Creditro or for integrations with Creditro’s modules not configured by Creditro.
10.1.2 Creditro shall not be held liable for the Customer’s use of information obtained through Creditro’s modules or for the consequences of such use.
10.1.3 Creditro’s potential liability to the Customer shall not exceed an amount equivalent to 12 months of subscription fees, calculated from the date the loss giving rise to compensation occurs.
10.1.4 Neither Party shall be liable to the other for matters beyond their control that could not have been foreseen, avoided, or otherwise taken into account, including, but not limited to, labor strikes, governmental interventions or restrictions, telecommunications infrastructure failures, and labor disputes. The same applies to such circumstances at Creditro’s subcontractors. In such cases, Creditro’s obligations are suspended without further action until they can reasonably be resumed.
11. Amendments to the Agreement
11.1 If, at the time of entering into the Agreement, the Parties agree on deviations from Creditro’s standard agreement, including these General Terms or Creditro’s Special Terms, such deviations must be stated in the main agreement or in a separate appendix approved by both Parties.
11.1.1 If Creditro makes changes to the Agreement and its terms, such changes shall be notified, unless otherwise stated in the Agreement, with appropriate notice. Further changes can only be made if the Parties agree.
12. Force Majeure Clause
12.1 If Creditro is unable to fulfill its obligations under the Agreement due to force majeure, it shall immediately notify the Customer. Force majeure refers to circumstances beyond Creditro’s control that cannot be remedied through reasonable economic or practical measures, including, but not limited to, war, mobilisation, terrorist attacks, failure or breakdown of public electricity supply, strikes, pandemics, fires, or floods.
12.2 Consequences of force majeure: Neither Party shall be liable for damages resulting from force majeure. If the Platform remains unavailable due to force majeure for more than thirty (30) consecutive days, either Party may terminate the Agreement in writing without any claim against the other Party.
13. Commencement, Commissioning, Duration, and Termination
13.1 The Agreement enters into force on the date stated in the main agreement, and no later than the date of the last signature by the Parties, and the modules shall be made available to the Customer no later than the commissioning date. The Agreement runs for periods of 12 months from the effective date or the end of the latest Agreement Period. The Agreement is ongoing and will thus be automatically renewed unless either Party terminates the Agreement in writing with 3 months' notice to expire at the end of the current Agreement Period.
13.1.1 The Customer may at any time up to the end of the final Agreement Period retrieve all data uploaded or stored in connection with Creditro’s modules. Upon the expiration of the final Agreement Period, all of the Customer’s data in Creditro’s systems will be deleted, and data stored in Creditro’s backups will be deleted no later than 90 days after the final Agreement Period ends. It is solely the Customer’s responsibility to retrieve their stored data before the end of the final Agreement Period. Subject to a separate agreement, Creditro may assist the Customer in retrieving their stored data.
14. Dispute Resolution
14.1 If a dispute arises between the Parties, such dispute shall initially be attempted to be resolved amicably.
If an amicable resolution cannot be achieved, the dispute shall be brought before the Copenhagen City Court as the court of first instance.
Data Processing Agreement
The Data Processing Agreement meets the requirements of Article 28, paragraph 3, of Regulation 2016/679 (the General Data Protection Regulation) regarding the Processor's processing of personal data.
Between the Parties:
Visma By Creditro A/S (Data Processor)
&
The Customer (Data Controller)
This Data Processing Agreement constitutes Appendix 2. The Customer and Creditro have entered into an agreement on Creditro's standard terms for the provision of digital platforms. This data processor addendum (hereinafter referred to as “Data Processor Addendum” or “DPA”) is an integrated part of the Agreement and defines the terms for the processing of personal data.
- Content
- Preamble
- Rights and Obligations of the Controller
- The Processor acts on instruction
- Confidentiality
- Processing Security
- Use of Sub-processors
- Transfer to third countries or international organisations
- Assistance to the Controller
- Notification of Personal Data Breach
- Deletion and Return of Data
- Audit, including Inspection
- Parties' Agreement on Other Matters
- Entry into Force and Termination
- Contact Persons at the Controller and the Processor
Appendix A Information on Processing
Appendix B Sub-processors
Appendix C Instructions regarding the processing of personal data
Appendix D Parties' Regulation of Other Matters
2. Preamble
- These Clauses set out the rights and obligations of the Processor when processing personal data on behalf of the Controller.
- These Clauses are designed to ensure the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- In connection with the provision of licenses for the Processor's solution(s) and service(s), the Processor processes personal data on behalf of the Controller in accordance with these Clauses.
- These Clauses shall take precedence over any similar provisions in other agreements between the parties.
- There are four appendices to these Clauses, and the appendices form an integrated part of the Clauses.
- Appendix A contains detailed information on the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects, and the duration of the processing.
- Appendix B contains the Controller's conditions for the Processor's use of sub-processors and a list of sub-processors whose use the Controller has approved.
- Appendix C contains the Controller's instructions regarding the Processor's processing of personal data, a description of the security measures that the Processor must implement as a minimum, and how the Processor and any sub-processors are supervised.
- Appendix D contains provisions regarding other activities not covered by these Clauses.
- These Clauses and their appendices shall be kept in writing, including electronically, by both parties.
- These Clauses do not release the Processor from obligations imposed on the Processor by the General Data Protection Regulation or any other legislation.
3. Rights and Obligations of the Controller
- The Controller is responsible for ensuring that the processing of personal data complies with the General Data Protection Regulation (see Article 24 of the Regulation), data protection provisions in other EU law or national law of the Member States, and these Clauses.
- The Controller has the right and obligation to make decisions regarding the purpose(s) and means by which personal data may be processed.
- The Controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the Processor is instructed to perform.
4. The Processor acts on instruction
- The Processor may only process personal data on documented instructions from the Controller, unless required by EU law or national law of the Member States to which the Processor is subject. These instructions must be specified in Appendices A and C. Subsequent instructions may also be given by the Controller while personal data is being processed, but the instructions must always be documented and kept in writing, including electronically, together with these Clauses.
- The Processor shall immediately notify the Controller if, in its opinion, an instruction is in breach of the General Data Protection Regulation or data protection provisions in other EU law or national law of the Member States.
5. Confidentiality
- The Processor may only grant access to personal data, which is processed on behalf of the Controller, to persons who are subject to the Processor's instructions, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access shall be reviewed continuously. Based on this review, access to personal data may be closed if access is no longer necessary, and the personal data shall thereafter no longer be available to these persons.
- The Processor shall, upon request from the Controller, be able to demonstrate that the persons concerned, who are subject to the Processor's instructions, are subject to the aforementioned duty of confidentiality.
6. Processing Security
- Article 32 of the General Data Protection Regulation states that the Controller and the Processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to those risks.
The Controller shall assess the risks to the rights and freedoms of natural persons that the processing entails and implement measures to address these risks. Depending on their relevance, these may include:
- pseudonymisation and encryption of personal data.
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring processing security.
- Pursuant to Article 32 of the Regulation, the Processor – independently of the Controller – shall also assess the risks to the rights of natural persons that the processing entails and implement measures to address these risks. For the purpose of this assessment, the Controller shall make the necessary information available to the Processor, enabling the latter to identify and assess such risks.
- In addition, the Processor shall assist the Controller with the Controller's compliance with the Controller's obligation under Article 32 of the Regulation, inter alia, by making the necessary information available to the Controller regarding the technical and organisational security measures that the Processor has already implemented in accordance with Article 32 of the Regulation, and all other information necessary for the Controller's compliance with its obligation under Article 32 of the Regulation.
If the mitigation of the identified risks – in the Controller's assessment – requires the implementation of additional measures beyond those already implemented by the Processor, the Controller shall specify the additional measures to be implemented in Appendix C.
7. Use of Sub-processors
- The Processor shall fulfil the conditions referred to in Article 28(2) and (4) of the General Data Protection Regulation for using another processor (a sub-processor).
- The Processor may therefore not use a sub-processor to fulfil these Clauses without prior timely notification to the Controller.
- The Processor has the Controller's general approval for the use of sub-processors. The Processor shall inform the Controller in writing of any planned changes concerning the addition or replacement of sub-processors with at least 30 days' notice, thereby giving the Controller the opportunity to object to such changes before the use of the sub-processor(s) concerned. Longer notice for notification in connection with specific processing activities may be specified in Appendix B. The list of sub-processors already approved by the Controller is set out in Appendix B.
- When the Processor uses a sub-processor in connection with the performance of specific processing activities on behalf of the Controller, the Processor shall, by way of a contract or other legal document under EU law or national law of the Member States, impose on the sub-processor the same data protection obligations as those set out in these Clauses, thereby providing in particular sufficient guarantees that the sub-processor will implement the technical and organisational measures in such a way that the processing complies with the requirements of these Clauses and the General Data Protection Regulation.
The Processor is therefore responsible for requiring the sub-processor to comply at a minimum with the Processor's obligations under these Clauses and the General Data Protection Regulation.
- Sub-processor agreement(s) and any subsequent amendments thereto shall be sent – upon the Controller's request – as a copy to the Controller, who thereby has the opportunity to ensure that equivalent data protection obligations as those arising from these Clauses are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection content of the sub-processor agreement shall not be sent to the Controller.
- The Processor shall, if possible, include the Controller as a beneficiary third party in its agreement with the sub-processor in the event of the Processor's bankruptcy, so that the Controller can step into the Processor's rights and enforce them against sub-processors, which, for example, enables the Controller to instruct the sub-processor to delete or return personal data.
- If the sub-processor does not fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the fulfilment of the sub-processor's obligations. This does not affect the rights of the data subjects, which follow from the General Data Protection Regulation, including in particular Articles 79 and 82 of the Regulation.
8. Transfer to third countries or international organisations
- Any transfer of personal data to third countries or international organisations may only be carried out by the Processor on the basis of documented instructions from the Controller and shall always take place in accordance with Chapter V of the General Data Protection Regulation.
- If the transfer of personal data to third countries or international organisations, which the Processor has not been instructed to carry out by the Controller, is required by EU law or national law of the Member States, to which the Processor is subject, the Processor shall notify the Controller of this legal requirement before processing, unless the relevant law prohibits such notification on important grounds of public interest.
- Without documented instructions from the Controller, the Processor may therefore not, within the framework of these Clauses:
- transfer personal data to a controller or processor in a third country or an international organisation
- outsource the processing of personal data to a sub-processor in a third country
- process personal data in a third country
- The Controller's instructions regarding the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the General Data Protection Regulation, on which the transfer is based, shall be specified in Appendix C.6.
- These Clauses should not be confused with standard contractual clauses as referred to in Article 46(2)(c) and (d) of the General Data Protection Regulation, and these Clauses cannot constitute a basis for the transfer of personal data as referred to in Chapter V of the General Data Protection Regulation.
9. Assistance to the Controller
- The Processor shall, taking into account the nature of the processing, as far as possible assist the Controller by means of appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to requests for exercising the rights of data subjects as set out in Chapter III of the General Data Protection Regulation.
This implies that the Processor shall, as far as possible, assist the Controller in ensuring compliance with:
- the information obligation when collecting personal data from the data subject
- the information obligation if personal data has not been collected from the data subject
- the right of access
- the right to rectification
- the right to erasure (“right to be forgotten”)
- the right to restriction of processing
- the notification obligation in connection with rectification or erasure of personal data or restriction of processing
- the right to data portability
- the right to object
- the right not to be subject to a decision based solely on automated processing, including profiling
- In addition to the Processor's obligation to assist the Controller in accordance with Clause 6.3., the Processor shall further, taking into account the nature of the processing and the information available to the Processor, assist the Controller with:
- the Controller's obligation to notify the competent supervisory authority, the Danish Data Protection Agency, of a personal data breach without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless it is unlikely that the personal data breach will result in a risk to the rights or freedoms of natural persons
- the Controller's obligation to notify the data subject of a personal data breach without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons
- the Controller's obligation to carry out an analysis of the intended processing activities' consequences for the protection of personal data (a data protection impact assessment) prior to processing
- the Controller's obligation to consult the competent supervisory authority, the Danish Data Protection Agency, before processing, if a data protection impact assessment shows that the processing will lead to a high risk in the absence of measures taken by the Controller to mitigate the risk.
- The Processor's obligations under the agreement do not entail a claim for separate payment to the Processor for time spent, unless the time spent exceeds five (5) hours.
- The parties shall specify in Appendix C the necessary technical and organisational measures by which the Processor shall assist the Controller, as well as the scope and extent of such assistance. This applies to the obligations arising from Clauses 9.1. and 9.2.
10. Notification of Personal Data Breach
- The Processor shall without undue delay notify the Controller after becoming aware of a personal data breach.
- The Processor's notification to the Controller shall, if possible, be made no later than 24 hours after becoming aware of the breach, so that the Controller can comply with its obligation to report the personal data breach to the competent supervisory authority, cf. Article 33 of the General Data Protection Regulation.
- In accordance with Clause 9.2.a, the Processor shall assist the Controller in reporting the breach to the competent supervisory authority. This means that the Processor shall assist in providing the information below, which, according to Article 33(3), must be included in the Controller's report of the breach to the competent supervisory authority:
  - the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
  - the likely consequences of the personal data breach
  - the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- If the Controller has been notified by the Processor of a personal data breach without undue delay in accordance with Clause 10, and the breach is solely due to the Controller's circumstances, the Processor is entitled to separate remuneration for time spent on the notification.
- The parties shall specify in Appendix C the information that the Processor shall provide in connection with its assistance to the Controller in the latter's obligation to report personal data breaches to the competent supervisory authority.
11. Deletion and Return of Data
- Upon termination of the Processor's services relating to the processing of personal data, the Processor is obliged to delete all personal data that has been processed on behalf of the Controller and confirm to the Controller that the data has been deleted, unless the Controller instructs the Processor otherwise, or unless EU law or national law of the Member States prescribes the retention of personal data.
12. Audit including Inspection
- The Processor shall make all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and these Clauses available to the Controller and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor authorised by the Controller.
- The procedures for the Controller's audits, including inspections, with the Processor and sub-processors are specified in Appendix C.7. and C.8.
- The Processor is obliged to grant supervisory authorities, who, according to applicable legislation, have access to the Controller's or Processor's facilities, or representatives acting on behalf of the supervisory authority, access to the Processor's physical facilities upon proper identification.
13. Parties’ Agreement on Other Matters
- The parties may agree on other provisions regarding the service concerning the processing of personal data, e.g., liability, as long as these other provisions do not directly or indirectly conflict with the Clauses or impair the fundamental rights and freedoms of the data subject as derived from the General Data Protection Regulation.
14. Entry into Force and Termination
- The Clauses shall enter into force upon signature by both parties.
- Both parties may demand renegotiation of the Clauses if changes in law or inconsistencies in the Clauses give rise thereto.
- The Clauses are valid for as long as the service concerning the processing of personal data lasts. During this period, the Clauses cannot be terminated, unless other provisions governing the provision of the service concerning the processing of personal data are agreed between the parties.
- If the provision of services concerning the processing of personal data ceases, and the personal data has been deleted or returned to the Controller in accordance with Clause 11.1 and Appendix C.4, the Clauses may be terminated with written notice by both parties.
15. Contact Persons for the Controller and the Processor
- The Processor can be contacted via the contact person below or by communication to persons normally communicated with in the contractual relationship between the Controller and the Processor.
Name - Asmita Velji Tejani
Position - Managing Director
Email - avt@creditro.com
On behalf of the Data Processor
Asmita Velji Tejani
Managing Director
Appendix A - Information on Processing
A.1. Purpose of the Processor's processing of personal data on behalf of the Controller
The processing of the Controller's personal data is carried out for the purpose of fulfilling the agreement entered into between the Processor and the Controller regarding the Processor's delivery of the Processor's solutions and services. The Processor's solutions covered by this data processing agreement are listed in the Main Agreement and any addendums to the Main Agreement. The purpose of the Processor's solution(s) and/or service(s) is:
Creditro Comply
To assist the Controller in complying with its obligations under anti-money laundering legislation, including inviting persons associated with the Controller's Clients to be registered as End-users of Creditro and to store documentation for anti-money laundering investigations.
Kyc.Creditro.com / StoreMyID
To create and maintain an ID database of money laundering-relevant persons for use with the Creditro Comply solution.
Creditro Assess
To obtain and provide information on financial and credit-related matters to the Controller and to store the obtained information for the Controller.
Creditro Comply Light
To assist the Data Controller in fulfilling its obligations under anti-money laundering (AML) legislation, including the collection of ID documentation and the retention of such documentation for AML investigations.
A.2. The Processor's Processing of Personal Data on Behalf of the Controller Primarily Concerns (Nature of Processing)
As the owner and provider of the solution, the Processor, in its general operation—including hosting, display, organizing, receiving, forwarding, structuring, adapting, implementing, searching, processing, storing, restoring, deleting, restricting, maintaining, developing, logging, supporting, troubleshooting, and other IT services related to the Processor's solution(s) and/or service(s) to the Controller—acts in accordance with the agreement entered into between the parties.
A.3. The Processing Includes the Following Types of Personal Data Concerning the Data Subjects
The Processor generally processes the categories of personal data listed below. However, when using the solution, the Controller may transfer the processing of all types of data and personal data to the Processor, which means the Processor could potentially process all categories of personal data.
Categories of Personal Data:
Ordinary personal data (cf. Article 4, para. 1 and Article 6 of the General Data Protection Regulation): Ordinary and confidential personal data, including information about CPR numbers (cf. Article 87 of the General Data Protection Regulation):
Creditro Comply
- Name
- Contact information, including email address and mobile phone number
- Relationship to company, firm, or organization, including role as owner, management member, position; PEP status
- Anti-money laundering reports
- Copies of identity documents
- CPR number
- Media mentions
- Information in documents that the Controller uploads to the Processor's service
- Information that the Processor, by agreement with the Controller, obtains for the Controller's use
Kyc.creditro.com / StoreMyID
- Name
- Contact information, including email address and mobile phone number
- Relationship to company, firm, or organization, including role as owner, management member, position; PEP status
- Anti-money laundering reports
- Copies of identity documents
- CPR number
- Media mentions
- Information in documents that the Controller uploads to the Processor's service
- Information that the Processor, by agreement with the Controller, obtains for the Controller's use
Creditro Assess
- Name
- Contact information, including email and mobile phone number
- Relationship to company, firm, or organization, including role as owner, management member, and position
- Company reports
- Financial affairs
- CPR number
- Media mentions
- Information that the Processor, by agreement with the Controller, obtains for the Controller's use
Creditro Comply Light
- Name
- Contact information, including email address and mobile phone number
- Copies of identity documents
- CPR number
- Information in documents that the Controller uploads to the Processor's service
- Information that the Processor, by agreement with the Controller, obtains for the Controller's use
A.4. The Processing Includes the Following Categories of Data Subjects
The Processor generally processes the categories of data subjects listed below. However, when using the solution, the Controller may transfer the processing of all types of data and personal data to the Processor, which means the Processor could potentially process personal data about more categories of data subjects.
Categories of Data Subjects:
Creditro Comply
a) Individuals whom the Controller wishes to conduct anti-money laundering investigations on
b) Individuals who have a relationship with companies, firms, or organizations about whom the Controller wishes to obtain information
c) Individuals who appear in documents that the Controller uploads to the used solutions
StoreMyID
a) Individuals whom the Controller wishes to conduct anti-money laundering investigations on
b) Individuals who have a relationship with companies, firms, or organizations about whom the Controller wishes to obtain information
c) Individuals who appear in documents that the Controller uploads to the used solutions
Creditro Assess
a) Individuals about whom the Controller wishes to obtain information
Creditro Comply Light
a) Individuals whom the Controller has registered as beneficial owners of funds on a Client Bank Account.
b) Individuals who appear in documents that the Controller uploads to the used solution
A.5. The Processor's Processing of Personal Data on Behalf of the Controller Can Commence After These Clauses Enter into Force.
The Processing Has the Following Duration:
The processing is not time-limited and continues until the subscription agreement between the parties regarding the delivery of the Processor's tools to the Controller is terminated or rescinded by one of the parties.
Appendix B - Sub-processors
B.1. Approved Sub-processors
Upon the entry into force of these Clauses, the Controller has approved the use of the following sub-processors, depending on the solution specified in the Main Agreement or addendum to the Main Agreement.
Creditro Comply
| Name | CVR | Address | Data location | Description of processing |
|---|---|---|---|---|
| HubSpot Ireland Ltd | IE9849471F | 1 Sir John Rogersen Quay, Dublin 2, Ireland | EU | HubSpot is used to manage customer support tickets, including the logging, tracking, and resolution of support requests. |
| Microsoft Azure | SEC CIK 0000789019 | Microsoft Grange Castle Site 075, Dublin 22, Ireland | EU | Hosting and operation of Creditro's IT environment. Backup across operations center and backup service jobs. The server setup is dedicated to Creditro. |
| MongoDB | IE9793087U | Ballsbridge 1, 2, Dublin 4 | EU | MongoDB is used as a database solution for backup, hosting and operation of Creditro's infrastructure via Microsoft Azure. This processing of data is done in accordance with their standard sub-data processing agreement. |
| Mailjet | FR67524536992 | 4 rue Jules Lefebvre, 75009 Paris | EU | Email distribution |
KYC.creditro.com / StoreMyID
| Name | CVR | Address | Data location | Description of processing |
|---|---|---|---|---|
| Microsoft Azure | SEC CIK 0000789019 | Microsoft Grange Castle Site 075, Dublin 22, Ireland | EU | Hosting and operation of Creditro's IT environment. The server setup is dedicated to Creditro. |
| Mailjet | FR67524536992 | 4 rue Jules Lefebvre, 75009 Paris | EU | Email distribution |
| MongoDB | IE9793087U | Ballsbridge 1, 2, Dublin 4 | EU | MongoDB is used as a database solution for backup, hosting and operation of Creditro's infrastructure via Microsoft Azure. |
Creditro Assess
| Name | CVR | Address | Data location | Description of processing |
|---|---|---|---|---|
| Microsoft Azure | SEC CIK 0000789019 | Microsoft Grange Castle Site 075, Dublin 22, Ireland | EU | Hosting and operation of Creditro's IT environment. The server setup is dedicated to Creditro. This processing of data is done in accordance with their standard sub-data processing agreement. |
| Mailjet | FR67524536992 | 4 rue Jules Lefebvre, 75009 Paris | EU | Email distribution. This processing of data is done in accordance with their standard sub-data processing agreement. |
| Experian | CVR 63670928 | Lyngbyvej 2, 2100 København Ø, Denmark | EU | RKI notice |
| MongoDB | IE9793087U | Ballsbridge 1, 2, Dublin 4 | EU | MongoDB is used as a database solution for backup, hosting and operation of Creditro's infrastructure via Microsoft Azure. This processing of data is done in accordance with their standard sub-data processing agreement. |
Creditro Comply
| Name | CVR | Address | Data location | Description of processing |
|---|---|---|---|---|
| HubSpot Ireland Ltd | IE9849471F | 1 Sir John Rogersen Quay, Dublin 2, Ireland | EU | HubSpot is used to manage customer support tickets, including the logging, tracking, and resolution of support requests. |
| Microsoft Azure | SEC CIK 0000789019 | Microsoft Grange Castle Site 075, Dublin 22, Ireland | EU | Hosting and operation of Creditro's IT environment. Backup across operations center and backup service jobs. The server setup is dedicated to Creditro. |
| MongoDB | IE9793087U | Ballsbridge 1, 2, Dublin 4 | EU | MongoDB is used as a database solution for backup, hosting and operation of Creditro's infrastructure via Microsoft Azure. This processing of data is done in accordance with their standard sub-data processing agreement. |
| Mailjet | FR67524536992 | 4 rue Jules Lefebvre, 75009 Paris | EU | Email distribution |
Upon entry into force of the Provisions, the Data Controller has approved the use of the above-mentioned sub-processors for the described processing activity. The Data Processor may not – without notice to the Data Controller – use a sub-processor for a processing activity other than the described and agreed upon or use another sub-processor for this processing activity.
The Data Processor’s solutions covered by this Data Processor Agreement are set out in the Main Agreement and any amendments to the Main Agreement.
The data processor must maintain a current list of sub-processors on the data processor's website, which constitutes the current Annex B. The sub-processor agreements are requested via the website or by written request to the data processor.
B.2. Notice of Changes to Subprocessing
The Processor's notification of any planned changes regarding the addition or replacement of sub-processors must be received by the Data Controller at least 30 days before the use or change is to take effect, insofar as this is immediately possible, cf. Clause 7, 7.3.
The Processor guarantees that any use of sub-processors complies with legislation and this Agreement in general. Furthermore, the Processor ensures that in the event of a third-country transfer to an insecure third country, a valid transfer basis exists and a satisfactory Transfer Impact Assessment is available to the extent required by law.
Notwithstanding the above, the Data Controller accepts that there may be exceptional cases where a specific need arises for the change regarding the addition or replacement of sub-processors to occur with shorter notice, e.g., critical situations where the solution cannot be operated. In such cases, the Processor will notify the Data Controller of the change as soon as possible. It is noted that these cases are extraordinary critical situations. Critical situations are defined as situations that may cause, for example, non-compliance with legislation, including data loss and the like. In these cases, the Data Controller may object to the change regardless of whether the effective date has passed. Objections must be made within 30 days from the time the Data Controller is made aware of the change.
If the Data Controller has objections to the changes, the Data Controller must notify the Processor thereof before the change's notified effective date. The Data Controller may only object if the Data Controller has reasonable, specific grounds for doing so.
Upon the Data Controller's objection, the Data Controller simultaneously accepts that the Processor may be prevented from providing all or part of the agreed services. Such non-performance cannot be attributed to a breach of contract by the Processor. The Processor maintains its claim for payment for such services, regardless of whether they can be delivered to the Data Controller.
Where it is specifically agreed that the Processor may not make use of sub-processors without the Data Controller's prior permission, the Data Controller accepts that this may result in the Processor being barred from fulfilling the services. If the Data Controller has refused changes regarding the addition or replacement of sub-processors, the failure to deliver services will therefore not be considered a breach of the parties' agreement regarding the delivery of services attributable to the Processor in cases where the non-performance can be attributed to the circumstances of a sub-processor.
Appendix C - Instructions regarding the processing of personal data
C.1. Subject matter of the processing
The Processor may only process data on instructions from the Data Controller. The Processor's processing of personal data on behalf of and as instructed by the Data Controller occurs as the Processor generally performs the following:
General operations, including hosting, display, organization, receipt, forwarding, structuring, adaptation, implementation, retrieval, processing, storage, recovery, erasure, restriction, maintenance, development, logging, support, troubleshooting, and other IT services associated with the Processor's solution(s) and/or service(s) to the Data Controller in accordance with the agreement entered into between the parties.
The Processor's processing of personal data on behalf of the Data Controller occurs as the Processor performs the following:
Creditro Comply
The Processor shall obtain information regarding the status of persons specified by the Data Controller as a PEP (Politically Exposed Person) or RCA (Relative or Close Associate). Furthermore, the Processor shall obtain information on whether the person in question is registered on public sanction lists. Based on the information uploaded by the Data Controller and the information obtained from third parties, Creditro shall, in accordance with the Data Controller's instructions, perform an assessment of the risk of the person's involvement or risk of involvement in money laundering or terrorist financing. In connection with Creditro Comply, the Processor performs continuous monitoring and updating of information regarding persons obtained by the Processor for the Data Controller.
StoreMyID
The Processor shall send invitations via email to the persons specified by the Data Controller containing a link for registration in StoreMyID. The recipient of the email creates a profile in StoreMyID for use in the Data Controller's documentation of compliance with the Anti-Money Laundering Act, including KYC (Know Your Customer) reviews. The Processor stores identity documents and responses to KYC questionnaires on behalf of the Data Controller.
The Processor shall send invitations via email to the persons specified by the Data Controller containing a link to StoreMyID regarding the updating of a profile in StoreMyID. The interval for this is determined by the Data Controller within StoreMyID.
Creditro Assess
The Processor shall obtain information regarding financial and credit-related matters concerning companies and individuals as instructed by the Data Controller. The Processor shall perform an analysis of the information using the scoring models defined and/or approved by the Data Controller. The Processor shall, on behalf of the Data Controller, store the information obtained and analyses prepared, and the Processor shall, by agreement, perform continuous retrieval of updated information regarding companies for which the Data Controller has obtained information.
The solutions covered by this Data Processing Agreement are set out in the Main Agreement and any addenda to the Main Agreement.
Creditro Comply Light
The Processor shall obtain ID documentation about the persons identified by the Processor, and store documentation thereof.
C.2. Processing security
The level of security must reflect:
As a starting point, the Processor’s solutions and services involve the processing of personal data as covered by the various categories of personal data under the General Data Protection Regulation (GDPR), as set out in Annex A. Consequently, the Processor has chosen to implement a generally high level of security, reflecting the fact that such data may be processed. Accordingly, the Processor is entitled and obligated to make decisions regarding which technical and organizational security measures must be implemented to establish the necessary (and agreed) level of security. However, the Processor shall — under all circumstances and as a minimum — implement the following measures agreed upon with the Data Controller:
Information Security
The Processor has implemented policies, controls, and processes covering the information security areas described below:
- Confidentiality: Ensuring that unauthorized persons cannot gain access to data that could be misused to the detriment of the Processor's customers, business associates, and employees.
- Integrity: Ensuring that systems contain accurate and complete information.
- Availability: Ensuring that relevant information and relevant systems are accessible and stable.
Instructions
Written procedures are in place requiring that personal data may only be processed when instructions are available. An assessment of whether the procedures need updating is carried out continuously—and at least once a year. The Processor only carries out the processing of personal data as set out in instructions from the Data Controller.
Physical and Environmental Security
The Processor shall maintain physical security measures to secure premises used for the processing of personal data, including the storage of personal data covered by the Data Processing Agreement, against unauthorized access and manipulation. Appropriate technical measures must be in place to limit the risk of any unauthorized access to premises where personal data is processed. Furthermore, the Processor shall, where necessary, evaluate and improve the effectiveness of such measures. The level of physical security must at all times be aligned with the current threat landscape as well as the sensitivity and volume of personal data covered by the Data Processing Agreement.
Communication Links and Encryption
The Processor has appropriate technical measures in place to protect systems and networks, including protecting data during transmission and access via the internet, as well as limiting the risk of unauthorized access and/or the installation of malicious code. The Processor uses appropriate encryption technologies and other equivalent measures in accordance with legal requirements, approved standards for the encryption of classified information, and good data processing practice. To the extent required by applicable national and international legislation, standards regarding the encryption of classified information, or good data processing practice, the Processor utilizes encryption technologies and other equivalent measures. The transmission of sensitive and confidential information over the internet is protected by encryption. Technological solutions for encryption are available and activated. Firewalls only allow encrypted data traffic. Formalized procedures exist to ensure that the transmission of sensitive and confidential information over the internet is protected by strong encryption based on a recognized algorithm.
Firewall or Similar Technical Measures
External access to systems and databases used for the processing of personal data occurs solely through a VPN. Administrative access must be available to maintain firewall configuration and rule sets.
Antivirus
Antivirus software is installed and continuously updated for the systems and databases used for the processing of personal data.
Backup
The Processor shall have internal contingency procedures ensuring the restoration of services without undue delay in the event of service interruptions, in accordance with the Main Agreement. The Processor ensures daily backups. The backup of configuration files and data must take place in an uninterrupted process so that relevant data can be restored. Backups are stored in such a way that they are not accidentally or unlawfully destroyed, lost, impaired, disclosed to unauthorized persons, misused, or otherwise processed in violation of the rules and regulations applicable at any time for the processing of personal data (e.g., due to fire, flood, accident, theft, or similar). Backups must be stored physically separate from primary data and in a security-approved data center. The Processor utilizes a redundant environment to ensure access and continuous operation of the software solution. Backups are saved in their full length.
Use of Home/Remote Workstations
If data processing is carried out from ad-hoc and/or home workstations, the Processor ensures that these meet the security requirements of this Data Processing Agreement, including annexes and other legislation. The Processor must, among other things, fulfill the following:
- An encrypted connection is used between the ad-hoc workstation and the Processor's/Data Controller's network.
- The Processor has internal instructions for its own employees regarding ad-hoc and home workstations.
- Furthermore, the Processor shall, where technically possible, use 2-factor authentication (MFA).
Instruction of Employees
The Processor ensures that employees are at all times aware of, and have received sufficient training and instruction regarding, the purpose of the data processing, policies, workflows, and their duty of confidentiality. An information security policy exists, which management has reviewed and approved within the past year. The information security policy has been communicated to relevant stakeholders, including the Processor's employees. The information security policy generally meets the requirements for security measures and the security of processing in entered data processing agreements. Formalized procedures exist to ensure the vetting of the Processor's employees in connection with employment. Employees have signed a confidentiality agreement. Employees have been introduced to:
- The information security policy.
- Procedures regarding data processing, as well as other relevant information.
Procedures exist to ensure that the rights of departing employees are inactivated or terminated upon departure, and that assets such as access cards, PCs, mobile phones, etc., are recovered. The rights of departing employees are inactivated or terminated, and assets are recovered. Formalized procedures exist to ensure that departing employees are made aware of the maintenance of the confidentiality agreement and general duty of professional secrecy. The employment contract contains guidelines stating that employees are subject to a duty of confidentiality after the termination of the collaboration. The Processor offers awareness training to employees, covering general IT security and security of processing in relation to personal data. Documentation exists showing that all employees who either have access to or process personal data have completed the offered awareness training.
Disposal of Equipment
The Processor shall have formal processes to ensure the effective erasure of personal data before the disposal of electronic equipment.
Logging
- Logging is ensured on all environments where personal data is processed, covering:
  - activities performed by system administrators and others with privileged rights;
  - changes to log configurations, including the deactivation of logging;
  - changes to system rights for users.
- The scope of the security log is defined based on a risk assessment performed by the Processor.
- Sufficient space is ensured for security logs to be saved for the retention period.
- Regular spot checks are carried out to verify that the security logs contain the expected information.
- Collected information about user activity in logs is protected against deletion and manipulation.
C.3 Assistance to the data controller
The data processor shall, to the extent possible and within the scope and extent set out below, assist the data controller in accordance with Clauses 9.1 and 9.2 by implementing the following technical and organisational measures:
Rights of data subjects, cf. section 9.1.
- The data processor must assist in observing the rights of the data subjects by, among other things, being able to provide access to, delete, restrict and rectify information, and ensure that this also happens with sub-processors.
- The data processor must assist in fulfilling the rights of the data subjects without undue delay
- The data processor must have developed a procedure for how they handle requests from a data subject about their rights.
Breaches and incidents, cf. clause 9.2.
Information to be sent:
- Facts about the observed breach (time, place, cause).
- When the breach started, when it was discovered and when the breach stopped.
- The nature of the personal data breach, including whether confidentiality, integrity and availability have been breached.
- The categories and approximate number of affected data subjects, if possible.
- The categories of personal data, if possible.
- Name and contact details of the point of contact where further information can be obtained.
- Description of the likely consequences of the breach.
- Description of measures taken or proposed to be taken as part of handling the breach and its possible adverse effects.
C.4 Retention period/deletion routine
Personal data is stored for the period of the parties' agreement on the data processor's delivery of the data processor's solution(s) and/or service(s) to the data controller, or pursuant to a separate written agreement, after which it is deleted by the data processor.
Upon termination, the data processor shall thus either delete or return the personal data in accordance with clause 11.1, unless the data controller - after signing these provisions - has changed the data controller's original choice. Such changes must be documented and stored in writing, including electronically, in connection with the provisions.
C.5 Location of processing
Processing of the personal data covered by the Provisions cannot, without the prior written approval of the data controller, take place at locations other than those specified in this data processing agreement and at the addresses stated for the sub-processors used, as well as any sub-processors in further links of the chain, as described in more detail in the applicable Appendix B.
C.6 Instructions regarding the transfer of personal data to third countries
If the data controller does not provide documented instructions in these Terms or subsequently regarding the transfer of personal data to a third country, the data processor is not entitled to make such transfers within the framework of these Terms, unless such transfer is to one of the authorized sub-processors mentioned in Annex B. Transfer grounds are applied in accordance with Chapter V of the General Data Protection Regulation on transfers of personal data to third countries or international organizations. The specific transfer grounds follow from the applicable Annex B. The data processor is furthermore obliged to ensure that a satisfactory Transfer Impact Assessment is prepared where relevant prior to any third country transfer to an unsafe third country where this is required by law.
C.7 Procedures for the controller's audits, including inspections, of the processing of personal data entrusted to the processor
The data processor shall, within a period of 12 months, obtain at its own expense an ISAE 3000 audit report or other equivalent verification from an independent third party regarding the data processor's compliance with the GDPR, data protection provisions in other EU law or the national law of the Member States, and these Provisions.
The audit report will be available to the data controller on the data processor's website.
The data controller may, for a fee, challenge the scope and/or methodology of the report and may in such cases request a new report under a different scope and/or using a different methodology.
Based on the results of the report, the data controller is entitled to request the implementation of additional measures to ensure compliance with the GDPR, data protection provisions in other EU law or the national law of the Member States, and these Provisions.
The controller or a representative of the controller shall also have access, for a fee, to carry out inspections, including physical inspections, of the premises from which the processor processes personal data. Such inspections may be carried out when the controller deems it necessary.
Any costs incurred by the controller in connection with a physical inspection shall be borne by the controller.
C.8 Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors
The data processor shall, at its own expense, carry out appropriate supervision of sub-processors' compliance with the General Data Protection Regulation. The level of supervision shall follow the Danish Data Protection Authority's guidance on this matter.
Documentation for such supervision shall be forwarded to the data controller for information upon request.
Appendix D - The parties' regulation of other matters
D.1 Liability and breach
Any breach of the Provisions shall be regulated and dealt with in accordance with the parties' agreement regarding the provision of the services.
In cases where the data processor has paid amounts to data subjects in accordance with Article 82 of the General Data Protection Regulation or Section 26 of the Danish Liability Act, the data processor shall have full recourse against the data controller for the amount paid, which in terms of amount exceeds the agreed limitation of liability in the parties' agreement regarding the provision of the services.
The parties have hereby contractually deviated from Article 82(5) of the General Data Protection Regulation and Section 26 of the Danish Liability Act. Notwithstanding Article 82(5) of the General Data Protection Regulation, a party that has paid compensation to an injured party that does not correspond to full compensation may have recourse in accordance with the principle in Article 82(5).
In relation to other compensation for non-economic losses to data subjects, the principle in Article 82 shall also apply with regard to the internal final division of responsibility between the data processor and the data controller.
The parties may not assert recourse or claim for compensation against the other party for fines or other penalties imposed pursuant to section 41 of the Data Protection Act and for fines accepted pursuant to section 42 of the Data Protection Act.
D.2 Consequences of the data controller's unlawful instruction
The Data Controller is aware that the Data Processor is dependent on the Data Controller's instructions as to the extent to which the Data Processor is entitled to use and process the Personal Data on behalf of the Data Controller. The Data Processor is therefore not liable for claims arising from the Data Processor's acts or omissions to the extent that these acts or omissions constitute a direct data processing activity carried out in accordance with the Data Controller's instructions, unless it can be established that the Data Processor was aware of the unlawfulness of the processing.
D.3 Use of sub-processors that provide services on standard terms
Notwithstanding clause 7 of the contract, it should be emphasized that if the data processor uses a sub-processor that provides its services on its own terms, from which the data processor does not have the possibility to agree deviations, the terms of the sub-processor apply to the processing activities entrusted to such sub-processor. Where processing takes place on the terms of a sub-processor, this is indicated by the relevant sub-processor in the list of sub-processors. By means of the Provisions, the data controller gives its acceptance of and instructions that such specific processing activities take place on the terms of the sub-processor.
D.4 Deletion and return of information
It is agreed between the parties that the data controller will instruct the data processor on the deletion and return of personal data in connection with the termination of the Provisions.
The data controller shall, no later than 30 days after the processing of personal data has ceased, notify the data processor whether all personal data shall be deleted or returned to the data controller. In the event that personal data shall be returned to the data controller, the data processor shall also delete any copies. The data processor shall ensure that any sub-processors also comply with the notification from the data controller.
If the data processor has not received notification from the data controller within 30 days after the processing of personal data has ceased, the data processor shall send a reminder to the data controller. If the data controller subsequently fails to notify the data processor whether all personal data shall be deleted or returned to the data controller, the data processor shall be entitled to delete personal data without further notice.
The data processor is entitled to remuneration for its processing activities up to the time when the data controller informs the data processor whether all personal data should be deleted or returned to the data controller.
Data Act Addendum
1. General terms
1.1. Agreement. This Addendum is an integral part of the Agreement between the Parties. This Addendum shall prevail in case of any inconsistency with the Agreement, unless otherwise expressly stated. The Addendum is intended to implement the contractual obligations arising under the Data Act, with particular emphasis on the requirements set forth in Article 25 of the Data Act, which states that the rights of the customer and the obligations of the provider of data processing services in relation to switching between providers of such services or, where applicable, to an on-premises ICT infrastructure, shall be clearly set out in a written contract.
1.2. Data Act. This Addendum incorporates the requirements of Article 25 of the Data Act (Regulation (EU) 2023/2854 of December 13, 2023), defining customer rights and service provider obligations for switching or migrating ICT infrastructure in a written contract. The Addendum is not to be interpreted to impose requirements on Creditro that deviate from the reasonable interpretation of the Data Act.
1.3. Amendments. Creditro may amend this Addendum with thirty (30) days' prior written notice to the Customer to reflect changes in applicable regulations. Such amendments shall be deemed accepted unless explicitly rejected by the Customer in writing within thirty (30) days of receipt of the notice. In the event of a rejection, Parties shall engage in good faith discussions to seek a mutually agreeable resolution.
2. Switching of Supplier
2.1. Switching right. Upon written request, the Customer can switch providers, move to on-premises infrastructure, or erase exportable data under the terms of this Addendum. Creditro provides all necessary information on switching and data transfer in Annex A.
2.2. Switching notice. Subject to a notice period of two (2) months, the Customer is entitled to (i) switch to another data processing service offered by a different supplier than Creditro, in which case the Customer shall provide the necessary details of that provider, (ii) switch to an on-premises ICT infrastructure, or (iii) have its exportable data and digital assets erased.
2.3. Confirmation of switching. Creditro shall confirm the receipt of the Switching notice (“Confirmation of switching”) and inform the Customer of any affiliated cost.
2.4. Transitional period. Creditro shall accommodate Customer’s aforementioned request without undue delay and in any event within a transitional period of thirty (30) calendar days, to be initiated after the notice period of two (2) months. If the Customer wishes to switch only specific Services, data or digital assets, this must be clearly specified in the notice. The Agreement shall remain applicable during the transitional period.
2.5. Extension of transitional period. Customer may, by notifying Creditro before or within five (5) days after the end of the notice period, extend the aforementioned transitional period once for a period that the Customer considers more appropriate for its own purposes.
2.6. Creditro’s obligation. During the transitional period, Supplier shall make sure to:
- provide reasonable assistance to the Customer and third parties authorised by the Customer in the switching process;
- act with due care to maintain business continuity, and continue the provision of the Services;
- provide clear information concerning known risks to continuity in the provision of the data processing services on the part of the Supplier;
- ensure that, in accordance with all applicable laws, a high level of security is maintained throughout the switching process, in particular the security of the data during their transfer and the continued security of the data during a retrieval period of thirty (30) calendar days, starting after the end of the transitional period.
Supplier shall support Customer's exit strategy relevant to the Services, including by providing all relevant information. Customer undertakes to take all reasonable measures to achieve effective switching. Customer is responsible for the import and implementation of data and digital assets in its own systems or in the systems of the destination provider. Furthermore, Customer is responsible for providing Supplier with all the necessary information to enable Supplier to fulfil its aforementioned obligations.
2.7. Retrieval. Following the Transitional period, the Customer may retrieve its Exportable Data within thirty (30) days ("Retrieval period"). The Customer acknowledges that, in the case where the switching request occurs prior to the end of the Subscription period, the Customer will lose access to the Platform.
2.8. Deletion. At the end of the Retrieval Period, and if the switching process has been completed successfully, Creditro shall erase all data within ninety (90) days.
2.9. Exportable data. All data regarding the clients will be exported.
3. Switching Charges and Termination
3.1. Switching charges. If Customer requests Creditro to switch in accordance with section 3 of this Addendum, Creditro will only be entitled to charge Customer for the switching process if the request is made before 12 January 2027.
3.2. Termination. The Agreement shall be considered terminated and the Customer shall be notified of this termination (i) upon the successful completion of the retrieval period, or (ii) at the end of the notice period mentioned under section 3.3 of this Addendum, where Customer does not wish to switch, but to erase its exportable data and digital assets upon termination of the Agreement.
4. Miscellaneous
4.1. Severability. If any term or provision of the Addendum is held by a competent court or authority to be void, illegal, or unenforceable, the validity or enforceability of the remainder of the Addendum will not be affected unless such enforcement would be clearly unreasonable. The Parties commit to negotiate in good faith with the aim of replacing any terms deemed void, illegal, or unenforceable with a legal, valid, and enforceable provision that, seen in the context of this Addendum as a whole, achieves as closely as possible the intention of the Parties under this Addendum.
ANNEX A. Description of Switching Process
A.1. Through Creditro Support
Process Description. During the transitional period and upon receipt of the switching notice from the Customer, Creditro will proceed with the transfer of data. To support this export:
- The Customer must provide, or authorise Creditro to create, the necessary API credentials to enable the complete export of the Customer’s data.
- Creditro must upload the exported Customer Data to a mutually agreed secure file-sharing platform.
- Creditro must provide the persons designated in the Customer's switching notice with secure credentials to access the exported Customer Data on the agreed platform.
Processing Instruction. Within the scope of this Addendum, Creditro acts as a data processor, and the Customer acts as the data controller. The Customer acknowledges and understands that by assigning such Super API credentials, Creditro will have full access to all data, case files, and folders (including the content of case files) on the Customer’s Creditro account, including any personal data in clear text during this process, and instructs Creditro to process such data accordingly.
A.2. Self-Service
The Customer may use the available automated self-service tools for switching via Creditro's API. Publicly available documentation on the use of Creditro's API is at the following link: https://learn.creditro.com/