Service Level Agreement (SLA) - Effortless365
1 Scope of the service
Effortless365 gives the Customer easy administration of licenses and users in the Customer’s Office 365 tenant, as well as associated services.
This agreement is a framework between the Customer and the Supplier that regulates the requirements for both the Supplier and the Customer.
2 Pricing and payment
2.1 License prices
License prices follow Microsoft's official price list in NOK at the time of purchase or renewal. The price is fixed for the agreed term. Any additional purchases in this term will follow the price at the time of purchase.
The Supplier will give a 10% rebate on all Microsoft licenses accessible from Effortless365 with a one year commitment.
2.2 Prices for additional services
Prices for additional services follow the Supplier’s fixed prices, listed in Appendix 2.
The supplier may adjust its prices for additional services once per year by up to 10%.
2.3 Changes
The price for new products to be covered by the Agreement will be automatically increased in the next issued invoice.
2.4 Payment terms
License rentals are invoiced at the end of the first month based on the number of licenses that have been available during that month. The invoice will be for the full committed term.
Any license with a one year term and an automatic renewal selected, will have the renewal invoiced two months in advance before the new term begins. Failure to pay will result in the licenses not being renewed and data associated with the license may be deleted. For detailed information, see Microsoft terms and conditions, Appendix 3.
Costs in connection with running services are invoiced at the end of each month, except for backup, which is invoiced in full when ordered.
The amount is due for payment in full 30 days after invoicing. Additional services are invoiced on an ongoing basis.
If the Customer does not pay by the agreed-upon time, the Supplier is entitled to interest according to the Act on Interest on Delayed Payment (1976 No. 100).
All prices are in NOK, excluding VAT.
3 Rights
The Supplier claims ownership of any material the Supplier creates that falls under Intellectual Property Protection. The Customer is free to use such material in their business. However, the Customer may not transfer such material to others without written consent from the Supplier. Regarding rights to equipment and software, the Customer cannot claim greater rights than those stipulated in the manufacturer's standard terms. Such terms are available upon request.
4 Confidentiality
The parties shall not disclose information about each other's systems, personnel, or business matters that are not publicly known. This applies to both their own employees and employees of collaborators.
5 Duration and termination
This agreement can be terminated with one month’s notice.
Products purchased under this agreement can be terminated with one month's notice unless the product has been committed for a longer period. Licenses follow Microsoft's terms and agreements, see Appendix 3. The customer is responsible for stopping the renewal of licenses purchased from another supplier.
In the event of payment default, the supplier may, by providing 7 business days' notice (Monday-Friday, excl. Norwegian public holidays), suspend the provision of all or part of the services to be performed under this agreement and any other agreements between the parties, until full payment (including penalty interest) has been received.
Appendix 1
1 Standard services
Access to Effortless365.
2 Additional services
Additional services are defined as all programs, customizations, configurations and integrations that are not defined under the section on Standard services to be included in the service.
Additional services are invoiced continuously based on the currently applicable price list.
2.1 Support
The supplier offers technical support on business days (Monday-Friday, excl. Norwegian public holidays) during the core working time (08:00-16:00). For contact information, see 4.3.
2.2 Backup
The Supplier offers backup services for the Office 365 products SharePoint, OneDrive, Teams and email. The Customer commits for a one year term from the time of ordering.
A request to restore any backed up data will result in a consultant fee.
2.3 Supplier contact information
Through the support channel in Effortless365
Phone: +47 815 00 222 / +47 728 10 400
Email: effortless365@visma.com
3 Responsibility
3.1 Supplier responsibility
The Supplier is responsible for delivering the service ready for use. The Supplier is also responsible for monitoring the service and for reporting in case of suspected errors or anything that could degrade the performance of the service. The status will be reported to https://status.visma.com
3.2 Customer responsibility
The Customer is responsible for changes and orders made through Effortless365.
Appendix 2
1 Remuneration
1. Fixed prices
The Supplier's indicative price list at the conclusion of the contract
Products | Price | Description |
Backup | 600,- per user/year | Backup of user data of SharePoint, OneDrive, Teams and email. Max 100 GB per user |
Consultant | 575,- | Consulting costs per started half hour. Double rate outside core working time |
Appendix 3
Data Processing Agreement
by and between
Data Controller: | <KUNDENAVN> |
Organization number: | <ORGNR> |
Country of establishment: | <COUNTRY> |
Data Controller’s contact information for inquiries (name, role, contact details): | <SIGNATURBERETTIGET> |
Data Processor: | Visma Software International AS |
Organization number: | 980 858 073 |
Country of establishment: | Norway |
Data Processor’s contact for general requests regarding the agreement (name, role, contact details): | effortless365@visma.com phone: +47 815 00 222 / +47 728 10 400 |
Henceforth respectively referred to as “Controller”, “Processor”, or “Party” and collectively as the “Parties”.
Introduction
1.1. Both Parties confirm that the undersigned have the power of attorney to enter into this data processing agreement (“Agreement”). This Agreement will form part of and regulate the processing of personal data tied to the Service Level Agreement (SLA) - Effortless365.
1.2. If the Controller changes the contact person(s) mentioned in the table above, the Processor must be informed of this in writing to the Processor's contact information defined in Appendix 1, section 4.3 Supplier contact information.
Definitions
2.1. The definition of Personal Data, Special Categories of Personal Data (Sensitive Personal Data), Processing of Personal Data, Data Subject, Controller and Processor is equivalent to how the terms are used and interpreted in applicable privacy legislation, including the EU 2016/679 General Data Protection Regulation (“GDPR”).
Scope
3.1. The Agreement regulates the Processor's Processing of Personal Data on behalf of the Controller, and outlines how the Processor shall contribute to ensure privacy on behalf of the Controller and its registered Data Subjects, through technical and organizational measures according to applicable privacy legislation, including the GDPR.
3.2. The purpose behind the Processor’s Processing of Personal Data on behalf of the Controller is to fulfill the Service Agreement(s).
3.3. This Agreement takes precedence over any conflicting provisions regarding the Processing of Personal Data in the Service Agreements or in other former agreements or written communication between the Parties. This Agreement is valid for as long as the Processor processes Personal Data on behalf of the Controller according to the Service Level Agreement.
The Processor’s rights and obligations
4.1. The Processor shall only Process Personal Data on behalf of and in accordance with the Controller’s written instructions. By entering into this Agreement, the Controller instructs the Processor to process Personal Data in the following manner; i) only in accordance with applicable law, ii) to fulfill all obligations according to the Service Agreement, iii) as further specified via the Controller’s ordinary use of the Processor’s services and iv) as specified in this Agreement.
4.2. The Processor has no reason to believe that legislation applicable to it prevents the Processor from fulfilling the instructions mentioned above. The Processor shall, upon becoming aware of it, notify the Controller of instructions or other Processing activities by the Controller which in the opinion of the Processor, infringes applicable privacy legislation.
4.3. The categories of Data Subjects and Personal Data subject to Processing according to this Agreement are outlined in Appendix A.
4.4. The Processor shall ensure the confidentiality, integrity and availability of Personal Data are according to the privacy legislation applicable to The Processor. The Processor shall implement systematic, organizational and technical measures to ensure an appropriate level of security, taking into account the state of the art and cost of implementation in relation to the risk represented by the Processing, and the nature of the Personal Data to be protected.
4.5. The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible and taking into account the nature of the Processing and the information available to the Processor, in fulfilling the Controller’s obligations under applicable privacy legislation with regards to requests from Data Subjects, and general privacy compliance under the GDPR articles 32 to 36.
4.6. If the Controller requires information or assistance regarding security measures, documentation or other forms of information regarding how the Processor processes Personal Data, and such requests exceed the standard information provided by the Processor to comply with applicable privacy legislation as Processor, the Processor may charge the Controller for such request for additional services.
4.7. The Processor and its staff shall ensure confidentiality concerning the Personal Data subject to Processing in accordance with the Agreement. This provision also applies after the termination of the Agreement.
4.8. The Processor will, by notifying the Controller without undue delay, enable the Controller to comply with the legal requirements regarding notification to data authorities or Data Subjects about privacy incidents.
Further, the Processor will to the extent it is appropriate and lawful notify the Controller of;
i) requests for the disclosure of Personal Data received from a Data Subject,
ii) requests for the disclosure of Personal Data by governmental authorities, such as the police
4.9. The Processor shall ensure that persons that have the right to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.10. The Processor will not respond directly to requests from Data Subjects unless authorized by the Controller to do so. The Processor will not disclose information tied to this Agreement to governmental authorities such as the police, hereunder Personal Data, except as obligated by law, such as through a court order or similar warrant.
4.11. The Processor does not control if and how the Controller uses third party integrations through the Processor's API or similar, and thus the Processor has no ownership to risk in this regard. The Controller is solely responsible for third party integrations.
4.12. The Processor might Process Personal Data about users and the Controller's use of the service when it is necessary to obtain feedback and improve the service. The Controller grants the Processor the right to use and analyze aggregated system activity data associated with your use of the Services for the purposes of optimizing, improving or enhancing the way the Processor provides the services and to enable the Processor to create new features and functionality in connection with the services. Visma shall be considered the Controller for such processing and the processing is therefore not subject to this Agreement.
4.13. When using the service, the Controller will add data to the Software (“Customer Data”). The Controller acknowledges and does not object to the Processor using Customer Data in an aggregated and anonymized format for improving the services delivered to customers, research, training, educational and/or statistical purposes.
The Controller’s rights and obligations
5.1. The Controller confirms by the signing of this Agreement that:
- The Controller has legal authority to process and disclose to the Processor (including any subprocessors used by the Processor) the Personal Data in question.
- The Controller has the responsibility for the accuracy, integrity, content, reliability and lawfulness of the Personal Data disclosed to the Processor.
- The Controller has fulfilled its duties to provide relevant information to Data Subjects and authorities regarding processing of Personal Data according to mandatory data protection legislation.
- The Controller shall, when using the services provided by the Processor under the Services Agreement, not communicate any Sensitive Personal Data to the Processor, unless this is explicitly agreed in Appendix A to this Agreement.
Use of subprocessors and transfer of data
6.1. As part of the delivery of services to the Controller according to the Service Agreements and this Agreement, the Processor will make use of subprocessors and the Controller gives its general consent to usage of subprocessors. Such subprocessors can be other companies within the Visma group or external third party subprocessors. All subprocessors are included in Appendix B. The Processor shall ensure that subprocessors agree to undertake responsibilities corresponding to the obligations set out in this Agreement.
6.2. An overview of the current subprocessors with access to Personal Data can be found in the Visma Trust Centre on this web site: https://www.visma.com/trust-centre/product-search/ . The Processor may engage other EU/EEA located companies in the Visma Group as subprocessors without the Visma company being listed at Trust Center and without prior approval or notification to the Controller. This is usually for the purposes of development, support, operations etc. The Controller may request more detailed information about subprocessors.
6.3. If the subprocessors are located outside the EU or the EEA, the Controller gives the Processor authorisation to ensure proper legal grounds for the transfer of Personal Data out of the EU /EEA on behalf of the Controller, hereunder by entering into EU Standard Contractual Clauses (SCCs).
6.4. The Controller shall be notified in advance of any changes of subprocessors that Process Personal Data. If the Controller objects to a new subprocessor within 30 days after a notification is given, the Processor and Controller shall review the documentation of the subprocessor's compliance efforts in order to ensure fulfillment of applicable privacy legislation. If the Controller still objects and has reasonable grounds for this, the Controller cannot reserve themselves against the use of such a subprocessor (due to the nature of online standard Software in particular), but the Customer may terminate the Service Agreement for which the subprocessor in dispute is being used.
Security
7.1. The Processor is committed to provide a high level of security in its products and services. The Processor provides its security level through organizational, technical and physical security measures, according to the requirements on information security measures outlined in the GDPR article 32.
7.2. The Service Agreement sets forth the measures or other data security procedures that the Processor implements in the Processing of the Personal Data. The Controller shall be responsible for the appropriate and adequate security of the equipment and the IT environment under its responsibility.
Audit rights
8.1. The Controller may audit the Processor’s compliance with this Agreement up to once a year. If required by legislation applicable to the Controller, the Controller may request audits more frequently. To request an audit, the Controller must submit a detailed audit plan at least four weeks in advance of the proposed audit date to the Processor, describing the proposed scope, duration, and start date of the audit. If any third party is to conduct the audit, it must as a main rule be mutually agreed between the Parties. However, if the processing environment is a multitenant environment or similar, the Controller gives the Processor authority to decide, due to security reasons, that audits shall be performed by a neutral third party auditor of the Processor’s choosing.
8.2. If the requested audit scope is addressed in an ISAE, ISO or similar assurance report performed by a qualified third party auditor within the prior twelve months, and the Processor confirms that there are no known material changes in the measures audited, the Controller agrees to accept those findings instead of requesting a new audit of the measures covered by the report.
8.3. In any case, audits must be conducted during regular business hours at the applicable facility, subject to the Processor's policies, and may not unreasonably interfere with the Processor's business activities.
8.4. The Controller shall be responsible for any costs arising from the Controller’s requested audits. Requests for assistance from the Processor may be subject to fees.
Term and termination
9.1. This Agreement is valid for as long as the Processor processes Personal Data on behalf of the Controller after the Service Level Agreement.
9.2. This Agreement is automatically terminated upon termination of the Service Level Agreement. Upon termination of this Agreement, the Processor will delete or return Personal Data processed on behalf of the Controller, according to the applicable clauses in the Service Agreement. Such deletion will take place as soon as reasonably practicable, unless EU or local law requires further storage. Unless otherwise agreed in writing, the cost of such actions shall be based on; i) hourly rates for the time spent by the Processor and ii) the complexity of the requested process.
Changes and amendments
10.1. Changes to the Agreement shall be included in a new Appendix to this Agreement and signed by both Parties in order to be valid.
10.2. If any provisions in this Agreement become void, this shall not affect the remaining provisions. The Parties shall replace the void provision with a lawful provision that reflects the purpose of the void provision.
Liability
11.1. For the avoidance of doubt, the Parties agree and acknowledge that each Party shall be liable for and held accountable to pay administrative fines and damages directly to data subjects which the Party has been imposed to pay by the data protection authorities or authorized courts according to applicable privacy legislation. Liability matters between the Parties shall be governed by the liability clauses in the Service Agreement between the Parties.
Governing law and legal venue
12.1. This Agreement is subject to the governing law and legal venue as set out in the Service Agreement between the parties.
****
This Agreement is signed digitally.
Data Controller: | |
Signature: | (electronical) |
Signed by: | (electronical) |
Place and date: | (electronical) |
Data Processor: | |
Signature: | (electronical) |
Signed by: | (electronical) |
Place and date: | (electronical) |
Appendix A - Data subjects, Types of personal data, Purpose, Nature, Duration
A.1 Categories of Data Subjects
- customer employees
- customer contact persons
- license history
A.2 Categories of Personal Data
- contact information such as name, phone, address, email, etc.
- history/status
- invoice information
- job information such as position, company, etc.
- user generated data
A.3 Special categories of Personal Data (Sensitive Personal Data)
In order for the Processor to process such data on behalf of the Controller, the types of Sensitive Personal Data in question must be specified below by the Controller.
The Controller is also responsible for informing the Processor of, and specifying below, any additional types of sensitive Personal Data according to applicable privacy legislation.
The Processor shall on behalf of the Controller, process information regarding: | Yes | No |
racial or ethnic origin, or political, philosophical or religious beliefs, | x | |
health information, | x | |
sexual orientation, | x | |
trade union membership | x | |
genetic or biometric data | x | |
A.4 Purpose of the processing
The purpose of the data processor’s processing of personal data on behalf of the data controller is to fulfill the delivering of services in accordance with the Service Level Agreement.
A.5 Nature of the processing
The data processor’s processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):
Granting access to Effortless365 and services.
A.6 Duration of the processing:
The duration of the processing of personal data is for as long as the Service Level Agreement applies.
Appendix B - Overview of subprocessors
The subprocessors of the Processor with access to the Controller’s Personal Data upon signing this Agreement include:
Name | Location/country | Legal transfer mechanism if the subprocessors has access to personal data from countries outside the EU/EEA | Assisting the Processor with |
Arrow | Within EU | Does not apply within the EU / EEA | License provider |
Atea | Norway | Does not apply within the EU / EEA | Backup storage |
Azure | Within EU | Does not apply within the EU / EEA | Hosting provider |
Within EU | Does not apply within the EU / EEA | Visma's mail provider |
The Processor may engage other EU/EEA located companies in the Visma Group as subprocessors without the Visma company being listed above and without prior approval or notification to the Controller. This is usually for the purposes of development, support, operations etc.