General conditions

GENERAL TERMS AND CONDITIONS OF USE LICENSE

1 Definitions

The definitions that will govern these General Terms and Conditions of Business are set out below:

Contract: The document formed by these General Conditions, as well as the Special Conditions, is considered as a License Agreement for the Use and Provision of Additional Services.

Special Conditions: For the purposes of the Contract, those that establish the relationship between the Licensee and the Partner, and that regulate detailed aspects of the Contract, such as the price, the type of accommodation, the Additional Services or the contracted modalities of risk4all, shall be considered Special Conditions.

The Parties: This is the joint name for the Licensor and the Licensee.

Licensor: Is the company that authorizes the use of risk4all in accordance with the provisions of the Agreement. This company is risk4all, S.L., with domicile at C/ Rozabella, 6 Ed. París, bajo nº 13, 28290, Las Rozas de Madrid, Madrid (Spain), NIF B88516257, entity registered in the Madrid Mercantile Registry.

Licensee: This is the individual or legal entity that contracts the license to use risk4all. In the case of business groups or equivalent entities that contract risk4all jointly, the term will be applied to the entire group. The individual acting in the name and on behalf of the Licensee at the time of contracting must have sufficient capacity to accept these Conditions.

Partner: This is the individual or legal entity authorised by the Licensor to distribute risk4all to the Licensee.

risk4all: Is software for the management, maintenance and control of compliance with privacy and information security regulations, with the functionalities and limitations set out in the Agreement.

Additional Services: These are services linked to risk4all that the Licensee can contract as an accessory through the Specific Conditions.

Users: These are the individuals or automatic processes that make use of the risk4all licenses acquired by the Licensee.

2 Object of the Contract

The purpose of the Agreement is to regulate the granting of licenses for the use of risk4all by Licensor, so that Licensee may make use of risk4all for its own organization, subject to the conditions and limitations set out in these General Conditions, as well as in the Special Conditions.

In no event may the Special Conditions contradict these General Conditions without the express written consent of Licensor.

Consequently, by accepting the Agreement, the Licensee is granted one or more licenses to use risk4all that are revocable, non-exclusive, temporary, non-sub-licensable, non-transferable and onerous.

In no event shall acceptance of these Terms constitute a sale or transfer of ownership of risk4all or any intellectual property or other rights in this tool that are not expressly governed by the Agreement.

Furthermore, the Agreement shall regulate the provision of the Additional Services that, where applicable, the Licensee contracts through the Partner.

Licensee undertakes to use risk4all in accordance with the provisions of the Agreement and applicable legislation, as well as in accordance with good faith, morals, good customs and public order.

3 Description of risk4all and Accessory Services

Modules, functionalities and modalities of recruitment

Below is a description of the functionalities available in each module, as well as the conditions corresponding to each type of contract (Premium, Standard and Basic).

The Licensee may change the contracting modality at any time, without prejudice to the costs, penalties and/or deadlines that this implies and which will be assessed by the Partner.

In the event that the change is to a lower price modality, such change shall not imply a refund of the difference in price by the Licensor, without prejudice to the provisions of the Special Conditions agreed with the Partner.

Additional Services

Alternatively, the Licensee may request from the Partner the provision of certain Ancillary Services, which shall be provided and invoiced in accordance with the Particular Conditions.

The Ancillary Services may be subcontracted, where appropriate, to companies that specialise in the provision of such services.

4 Limitations and guarantees of use

Licensee agrees to make appropriate use of risk4all by ensuring the following limitations:

Licensee will protect and safeguard access to risk4all and may not transfer or assign to any third party in any way whatsoever the rights acquired through acceptance of the Agreement. Under no circumstances will Licensee allow the use of risk4all by third parties outside of his or her organisation.

The use of risk4all by Licensee for the provision of direct or indirect services to entities other than the organization of Licensee, as well as for purposes other than those set out in the Agreement or any other purpose not previously authorized by Licensor, is prohibited.

Any activity contrary to risk4all’s internal use as set out in the Agreement is prohibited. By way of example and without limitation, the following actions are prohibited with respect to risk4all without the prior express written authorisation of the Licensor: assignment, sale, sub-licence, reverse engineering, decompiling, reproduction, translation, modification, versioning, marketing, duplication, transformation or transmission to any other entity or legal person of all or part of risk4all, removal of proprietary or authorship marks, etc.

Similarly, any rights not expressly mentioned in the Agreement are reserved entirely to Licensor and in no event may the provisions of these Terms and Conditions be interpreted in a manner that is detrimental to Licensor or contrary to the legal exploitation of the license.

Accordingly, Licensor reserves the right to make such checks as may be necessary to verify the proper use of risk4all and compliance with the provisions of the Agreement.

5 Responsibility, requirements and maintenance of risk4all

Taking into account the functionalities of risk4all and the content of the Accessory Services, Licensor shall not assume any liability whatsoever for damages, direct or indirect, that Licensee or other third parties may suffer due to causes such as, but not limited to: service interruption, breakdown, failure, or loss of information.

Without prejudice to the foregoing, the Licensor undertakes to adopt the necessary means and solutions to correct or minimize the possible problems suffered by the Licensee, who in no case may claim any amount as compensation or any other concepts for possible errors, response time or problems of access to risk4all.

Without this implying an authorisation to assign any of the rights derived from the Contract, the Licensee will be responsible for any relationship that it formalises with third parties as a consequence of the use of risk4all, these relationships being understood to be carried out exclusively between the Licensee and the third party. Consequently, the Licensor shall not be liable for any damages caused to the Licensee or to the third party as a result of the relationships entered into between the two as a consequence of the use of risk4all or through the same.

The Licensee shall be solely responsible for its Users and shall hold Licensor harmless in this regard. Thus, the Licensee shall implement the necessary measures to prevent the unauthorized, fraudulent or irregular use of risk4all by its Users.

In addition, Licensee shall be responsible for compliance by Users with the conditions governing risk4all. By way of illustration and not limitation, Licensee shall assume the responsibilities arising from:

The non-diligent use of risk4all by Users.

The use of identification data that is not true, accurate, complete and up to date, as well as the use of false identities or other Users.

Lack of operation for reasons beyond the control of Licensor.

The dissemination, storage, publication or distribution of defamatory, violent, obscene, xenophobic or discriminatory information.

The inclusion or use of any software, data, virus, code or any other device, mechanism or routine that may cause damage to risk4all or to other equipment or systems owned or operated by third parties.

The introduction, transmission or dissemination by means of risk4all of any content that infringes the rights of third parties or is contrary to the law.

In addition, for the proper functioning of risk4all, the Licensor recommends compliance with the following technical requirements:

Internet connection.

Internet browser.

Office suites (for reading reports extracted from risk4all).

In accordance with the above requirements, Licensee is solely responsible for ensuring that risk4all is compatible with its operating systems and IT equipment.

6 Financial conditions

Price and payment

The Licensee undertakes to pay for the risk4all licenses and the Additional Services contracted in accordance with the provisions of the Special Conditions agreed with the Partner.

Non-payment

In the event of non-payment for a period of three (3) months, Licensor reserves the right to suspend the licenses to use risk4all.

In the event of three (3) or more repeated non-payments during the period of one (1) year, Licensor reserves the right to terminate the Agreement early without any right to compensation of any kind for Licensee and without prejudice to any claim for outstanding payment.

7 Intellectual Property

The Licensor is the legitimate owner or licensee of all intellectual and industrial property rights inherent in risk4all, as well as its content (including, but not limited to, databases, images, photographs, drawings, graphics, icons, operations and text, audio, video and code files), as well as the trademarks, logos, trade names or any other distinctive signs, which form or have formed part of risk4all at any time. All these materials are protected by Spanish intellectual and industrial property laws.

Any improvements, changes or additional developments to risk4all shall be the property of Licensor, including the functionalities developed at the request of Licensee.

Under the terms of the Agreement, Licensor only grants one or more non-exclusive licenses for use in favour of Licensee. In no event does this document grant to Licensee any intellectual property rights in risk4all beyond those that are strictly necessary for its proper use and operation, nor does it constitute a waiver of such rights by Licensor.

Except where expressly indicated in writing by Licensor to the contrary, all or part of the content of risk4all may not be reproduced, modified, extracted, adapted, published, transmitted, copied, made available or distributed or otherwise used without the prior written permission of Licensor. Any use of such content may constitute a violation of the intellectual property rights of the Licensor, and the Licensor reserves the right to take appropriate legal action.

Licensee may not sell, resell, distribute or otherwise make available risk4all content or excerpts or other information derived from it to a third party in any manner or by any means without the express prior written authorization of Licensor. Under no circumstances may risk4all or any of its contents be downloaded or run in any form or on any media other than as specified in the Agreement.

Licensor reserves the right to modify and update risk4all. The Licensor does not warrant or certify that the content of risk4all is accurate, complete, or current, or that it is free from errors or omissions.

8 Confidentiality

The Parties undertake to maintain the utmost reserve and secrecy regarding information classified as confidential, whether it relates to technical, commercial, industrial or any other aspect, provided by the other party in connection with the provision of services covered by the Contract or the negotiation, conclusion or execution thereof. Confidential information may not be disclosed, communicated or provided to third parties without the prior express written authorization of the party disclosing such information.

Confidential information shall be considered to be any information that a party may access under the Contract, in particular information and personal data that is the responsibility of the other party and that it has accessed or may access during the execution of the Contract. Such information, as well as copies and/or reproductions thereof, shall be treated as confidential information for the purposes of the Contract.

All information and data that is in the public domain or in the possession of the Parties prior to the start of the negotiation of the Contract and that has been obtained by lawful means in accordance with the applicable legislation shall not be considered confidential.

The obligation of confidentiality contained in the Contract shall be of an indefinite nature, remaining in force after the termination, for whatever reason, of the relationship between the Parties.

Each of the Parties shall be responsible for ensuring that their personnel, collaborators, managers and, in general, all persons under their responsibility who have access to confidential information and personal data for which the other party is responsible, respect the confidentiality of the information, as well as the obligations relating to the processing of personal data, even after the Contract has ended. Therefore, the Parties will make as many warnings and sign as many documents as necessary with such persons, in order to ensure compliance with such obligations.

Each of the Parties shall keep at the disposal of the other the documentation accrediting the fulfilment of the obligation established in the previous paragraph.

9 Data protection

Personal data of Licensee’s representatives and contacts

Partner and/or Licensee shall communicate to Licensor personal identification and contact data of Licensee’s representatives and professional contacts for the purpose of the proper performance of the Agreement.

Licensor hereby informs such interested parties that their personal data will be processed for the purpose of perfecting, executing, controlling and maintaining the Agreement.

The legal basis for the processing of the data of the data subjects is the necessity for the conclusion and execution of the Contract.

The data will be kept for the duration of the Contract and, subsequently, for 15 years in order to meet any possible liabilities, including criminal liabilities, arising from the contractual relationship.

In addition, Licensor will use the contact details of the interested parties to send, by any means of contact provided, (i) functional information on the use, incidents or updates of risk4all, as well as (ii) commercial information on Licensor’s products, services, promotions, news or events related to the information security sector, privacy, software, technology and other related sectors. When these communications are sent by email, the tool used for sending communications will include links and tiny, transparent images that will be associated with the recipient’s email address. In this way, when one of these images is downloaded or the links contained in the e-mail are accessed, the recipient can know for statistical purposes if the e-mail has been opened or if any link has been accessed from the e-mail. The recipient may reject these uses by configuring their manager or email program to prevent automated downloading of images, as well as not accessing the links included in the emails they receive. Likewise, in each commercial communication, the Licensee may object to receiving this type of information through the contact method indicated for processing his or her cancellation. The legal basis that legitimizes this treatment is the legitimate interest of the Licensor, as well as the existence of a previous legal relationship being commercial communications about products or services similar to those originally contracted by the Licensee. Your data will be processed for this purpose indefinitely until you object to it or request the deletion of your data.

In any case, the affected parties may exercise their rights of access, rectification, suppression, opposition, limitation and portability before the Licensor by means of written communication to the registered office that appears at the beginning of this document, providing a copy of their ID card or equivalent document and identifying themselves as a party or interested party in this Agreement. Likewise, in the event that they consider their right to the protection of personal data to have been violated, they may file a complaint with the Spanish Data Protection Agency (www.aepd.es) or with the Data Protection Delegate of the Licensor (dpo@risk4all.es).

Ordering treatment

In order to maintain the Agreement, Licensor may process personal identification and contact data that is the responsibility of Licensee or that has been commissioned by third parties. For the purposes of the Contract, the Licensee shall be deemed to be the data controller and the Licensor shall be deemed to be the processor in accordance with the provisions of Articles 28 and 29 of Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 (hereinafter, RGPD).

Consequently, the Licensor assumes the following obligations:

Access to the personal data is the responsibility of the Licensee only when it is indispensable for the proper development of the services for which it has been contracted, for example, for support or maintenance work, or, if applicable, for the housing of risk4all.

To process the data in accordance with the documented instructions received from the Licensee.

Immediately inform the Licensee if the Licensor detects that any of the Licensee’s instructions violates current data protection regulations.

Not to use, apply or otherwise use the personal data at Licensee’s risk for any purpose other than the purpose indicated in the Agreement or in any other way that violates Licensee’s instructions.

Not to disclose, transfer, assign or otherwise communicate the personal data under the responsibility of Licensee, whether orally or in writing, by electronic means, paper or by computer access, even for storage, to any third party, except with the prior authorization or instruction of Licensee.

Except for the auxiliary services inherent to the activity of the Licensor, in the event that it is necessary to subcontract all or part of the services contracted by the Licensee in which the processing of personal data intervenes, it must previously notify the Licensee in writing, at least one month in advance, indicating the processing to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. The subcontracting may be carried out if the Licensee does not express his opposition within the established period. The subcontractor, who shall also have the status of data processor, is also obliged to comply with the obligations established in this document for the data processor and the instructions given by the data controller. The Licensor shall remain fully liable to the Licensee for compliance with the obligations. In connection with the foregoing, the Licensee authorizes the Licensor from the outset and in general to subcontract the hosting of risk4all and the development and maintenance work to companies or entities located within the European Union. The Licensee may at any time request information from the Licensor regarding the services and companies or entities that have been subcontracted.

To notify the Licensee as soon as possible, and within a maximum period of two (2) working days, of any request to exercise the right of access, rectification, deletion, opposition, limitation of processing, portability of the data and not to be the object of automated individualized decisions, made by an affected party whose data have been processed by the Licensor for the purpose of fulfilling the object of the Contract, so that it may be resolved within the periods established by the regulations in force.

To make available to the Licensee all the information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the Licensee or another auditor authorized by the Licensee.

In the event that the Licensor is required to transfer or allow access to personal data for which the Licensee is responsible to a third party under applicable Union or Member State law, the Licensor shall inform the Licensee of that legal requirement in advance, unless it is prohibited for reasons of public interest.

Once the contractual relationship agreed upon between the Licensee and the Licensor has been fulfilled or terminated, the Licensee shall provide the Licensor with precise instructions as to the destination of the data, and may choose between its return, referral to another service provider or complete destruction, provided that there is no legal provision requiring the retention of the data, in which case no destruction may take place.

To adopt and apply the appropriate technical and organisational measures to guarantee a level of security that prevents its alteration, loss, treatment or unauthorised access, taking into account the state of technology, the nature of the data stored and the risks to which it is exposed, in accordance with the provisions of article 32 of the RGPD.

Such measures may include, among others:

pseudonymisation and encryption of personal data;

the ability to ensure the confidentiality, integrity, permanent availability and resilience of processing systems and services, as well as the availability of and access to personal data in a timely manner in the event of a physical or technical incident.

a process of regular verification, evaluation and assessment of the effectiveness of technical and organisational measures to ensure the security of processing.

In the event of a breach of the security of the personal data in the information systems used by the Licensor for the provision of the services covered by the Contract, the Licensor shall notify the Licensee, without undue delay, and in any event before the maximum term of three (3) working days, of the breaches of the security of the personal data under its responsibility of which it is aware, together with all the relevant information for the documentation and communication of the incident in accordance with the provisions of Article 33.3 of the RGPD.

Both Parties are obliged to comply with their respective obligations regarding data protection.

Order of the treatment

Consequently, the Licensor assumes the following obligations:

To process the data in accordance with the documented instructions received from the Licensee.

Immediately inform the Licensee if the Licensor detects that any of the Licensee’s instructions violates current data protection regulations.

– Except for the auxiliary services inherent to the activity of the Licensor, in the event that it is necessary to subcontract all or part of the services contracted by the Licensee in which the processing of personal data is involved, it must give prior written notice to the Licensee, at least one month in advance, indicating the processing that is to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. The subcontracting may be carried out if the Licensee does not express his opposition within the established period. The subcontractor, who shall also have the status of data processor, is also obliged to comply with the obligations established in this document for the data processor and the instructions given by the data controller. The Licensor shall remain fully liable to the Licensee for compliance with the obligations. In connection with the foregoing, the Licensee authorizes the Licensor from the outset and in general to subcontract the hosting of risk4all and the development and maintenance work to companies or entities located within the European Union. At any time, the Licensee may request information from the Licensor regarding the services and companies or entities that have been subcontracted.

– To notify the Licensee as soon as possible, and within a maximum period of two (2) working days, of any request to exercise the right to access, rectify, delete, oppose, limit the processing and portability of the data and not to be subject to automated individualized decisions, made by an affected party whose data have been processed by the Licensor in order to comply with the object of the Contract, so that it may be resolved within the periods established by the regulations in force.

– To make available to the Licensee all the information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the Licensee or another auditor authorized by the Licensee.

– In the event that the Licensor is required to transfer or allow access to personal data for which the Licensee is responsible to a third party under applicable Union or Member State law, the Licensor shall inform the Licensee of that legal requirement in advance, unless it is prohibited for reasons of public interest.

– Once the contractual relationship agreed upon between the Licensee and the Licensor has been fulfilled or terminated, the Licensee shall provide the Licensor with precise instructions as to the destination of the data, and may choose between its return, referral to another service provider or complete destruction, provided that there is no legal provision requiring the retention of the data, in which case no destruction may take place.

– To adopt and apply the appropriate technical and organisational measures to guarantee a level of security that prevents its alteration, loss, treatment or unauthorised access, taking into account the state of technology, the nature of the data stored and the risks to which it is exposed, in accordance with the provisions of article 32 of the RGPD.

Such measures may include, but are not limited to pseudonymisation and encryption of personal data;

the ability to ensure the confidentiality, integrity, continuous availability and resilience of processing systems and services, as well as the availability of and access to personal data in a timely manner in the event of a physical or technical incident.

a process of regular verification, evaluation and assessment of the effectiveness of technical and organisational measures to ensure the security of processing.

Both Parties are obliged to comply with their respective obligations regarding data protection.

10 Duration and termination of the contract

Entry into Force and Duration of the Contract

The License Agreement shall become effective within three (3) business days after Licensor records payment of the Price. Licensor will confirm the entry into force of the License Agreement by email.

The License Agreement shall be effective for one (1) year from the effective date.

The License Agreement shall be automatically renewed for successive annual periods, provided that Licensee has not requested termination through Partner, within one (1) month prior to the expiration of the License Agreement.

Early Termination of the Agreement

Either Party may suspend or definitively terminate the Contract when the other Party seriously and/or repeatedly fails to comply with any of the clauses set forth in the

Contract. In this sense, it will be understood that:

Serious breach: A breach that causes direct damage or harm to the other party, or that without causing direct damage or harm is not remedied within three (3) months.

Repeated non-compliance: That which occurs more than 3 times within one (1) year.

The early termination of the Contract for any of the causes established in this Clause does not exonerate the Parties from the compliance of their outstanding obligations under the Contract. Early termination of the Contract shall in no event result in the refund of payment of the Price or the proportional part thereof.

11 Assignment of Contract

Neither Party may assign, encumber, transfer or otherwise dispose of the Contract or any rights or obligations contained therein without the prior written knowledge of the other Party.

In such a situation, the party intending to assign the Contract must inform the other party one (1) month in advance, during which time the other party may proceed with the early termination of the Contract.

12 Miscellaneous

In the event that any of the clauses of the Contract were to be declared invalid or null and void, it shall be modified to the extent possible, so as to comply with the will of the Parties. In any case, all the other clauses of the Contract shall be considered valid and enforceable in their entirety.

At any time, the Licensee may request information about other Partners, as well as, if applicable, the assignment of a new Partner.

The Licensee may request a trial or demonstration license for the operation of risk4all. Such test or demonstration will be carried out in test environments that do not guarantee the confidentiality, security or persistence of the information. Therefore, the Licensee must not use real or confidential data during the trial period.

The Parties declare themselves to be independent entities without the provisions of the Agreement implying in any way an agency, collaboration or joint venture relationship.

The signing of the Contract does not imply any waiver of the rights that each of the Parties may have in accordance with the legislation applicable at any time.

The Parties declare that both the General Conditions and the Specific Conditions, as well as any annex or addendum thereto, shall constitute the only valid agreement and the main instrument of the relationship between them, any previous provision contrary to what is established herein being invalid, and remaining without effect unless expressly agreed in writing by the Parties.

The Parties may add amendments, modifications and annexes to the Contract, which shall be binding on them from the date of effect, provided that such amendments, modifications and annexes are set forth in writing, signed or accepted by an authorized representative of the Parties and incorporated into the Contract.

The Agreement shall be accepted by the means provided by the Partner, or by the means mutually agreed between the Licensee and the Partner.

The Agreement was originally drafted in the Spanish language. In case of contradiction between the English version and its translation into any other language, the English version shall apply.

By accepting the Agreement, the Licensee agrees to fully and unreservedly adhere to all clauses set forth at the time of engagement and guarantees:

That he/she has read, understands and accepts these General Conditions, as well as the Special Conditions.

That the person who has made the acceptance of the Contract has sufficient capacity of representation to bind the Licensee with what has been agreed in the Contract.

The Licensee will always and in any case have access to these General Conditions prior to the start of the contracting procedure, and they may be stored and/or reproduced in a durable medium.

By accepting the Agreement and without prejudice to the provisions of the confidentiality conditions, the Licensee authorizes Licensor to use its logo and its brand or company name for the purpose of promoting the use of risk4all on its website, in promotional or informational emails, as well as in any commercial material of Licensor, whether online or on paper; all of this is free of charge, and without any territorial or temporal limitation. In the online materials, the logo or trademark may act as a link to the Licensee’s website. Licensee’s representative in accepting the Agreement warrants that he or she has sufficient capacity to execute this authorization. This authorization does not give Licensor any other rights to the logo, trademark or business name of Licensee. Licensee may revoke this authorization at any time by written notice to Licensor.

13 Applicable law and jurisdiction

The Contract shall be governed by and interpreted in accordance with Spanish law.

For any questions that may arise from the interpretation and execution of the clauses of the Contract, both Parties, with express waiver of any other jurisdiction that may correspond to them in law, submit to the jurisdiction and competence of the Courts and Tribunals of Madrid (Spain).