These Terms and Conditions (“Terms”) form a legally binding contract (“Service contract”) between you (“the Client”) and TechIuris OÜ, a private limited company established under the laws of the Republic of Estonia, having its registered address at Juhkentali tn 8, 10132 Tallinn, Estonia, and registered in the Estonian Commercial Register under the code 14959657 (“GDPR Tool”).
GDPR Tool services (“Services”) are offered subject to the Client’s acceptance, without modification. GDPR Tool offers services to legal entities only.
If the Client is entering into a Service contract on behalf of an entity, such as an employer or the company he/she works for, the Client confirms the legal authority to represent that entity.
Upon sign-up, the Client must select a plan for the Services. The plans have different functionalities, options and rates. The applicable Fee is charged in advance at annual payment intervals unless agreed otherwise. The Service contract will be renewed after the payment for the next period.
All Fees are exclusive of all taxes, levies or duties applicable under any applicable law unless stated otherwise herein.
All Fees are non-refundable.
Annual payments will automatically renew at the end of each term unless either party gives notice of termination at least 30 days prior to the end of the relevant term or either party terminates the Service contract.
The Service contract between GDPR Tool and the Client will be valid from the moment of the first payment and during the selected period.
DIY plans are offered in partnership with GDPR Register OÜ, a private limited company established under the laws of the Republic of Estonia, having its registered address at Rotermanni tn 8, 10111 Tallinn, Estonia, and registered in the Estonian Commercial Register under the code 14432795 (“Partner”).
The Partner may seek pre-authorisation of the Client’s credit card account prior to the purchase of GDPR Tool’s DIY Plan, in order to verify that the credit card is valid and has the necessary funds or credit available to cover the purchase. The Client authorises such credit card account to pay any amounts described herein and authorises the Partner to charge all sums described in these Terms to such credit card account. The Client agrees to provide the Partner with updated information regarding his/her credit card account upon the Partner’s request and any time the information earlier provided is no longer valid. If the Partner is unable to get the pre-authorisation of the Client’s credit card, or if so agreed between GDPR Tool and the Client, the Partner will raise an electronic invoice against the Client for the payment of the Fee of the next payment interval. The Client must pay the invoice by the due date, as stated in the invoice.
Alternatively, and if so agreed between the Client and GDPR Tool, GDPR Tool will raise an electronic invoice against the Client who subscribes to a DIY Plan for the payment of the Fee of the next payment interval. The Client must pay the invoice by the due date, as stated in the invoice.
Advice & Register Plans
GDPR Tool will raise an electronic invoice against the Client who subscribes to an Advice & Register plan for the payment of the Fee of the next payment interval. The Client must pay the invoice by the due date, as stated in the invoice.
GDPR Tool and the Partner shall provide reasonable technical support to Client at the reasonable request of the Client.
GDPR Tool and the Partner shall respond to enquiries to support a Client as soon as reasonably possible.
GDPR Tool shall not warrant that:
- the use of the Service will always meet the Client’s requirements;
- the use of the Service will always be uninterrupted, timely, secure or free from error;
- any information obtained by the Client as a result of the use of the Service will be accurate or reliable;
- defects in the operation or functionality of any software provided to the Client as part of the Service will be corrected.
GDPR Tool shall not be liable to the Client for any consequences resulting from:
- any modifications in the Service contract;
- calculation and rates of Fees;
- using the Services or any part or element thereof, including any error, permanent or temporary interruption, discontinuance, suspension or other types of unavailability of the Services;
- deletion of, corruption of, or failure to store any data;
- use of Client’s data by the Client;
- any disclosure, loss or unauthorised use of the login credentials of Client due to Client’s failure to keep them confidential.
In particular, GDPR Tool does not represent or warrant that the data the Client enters into the Services gives full compliance with the requirements set by the General Data Protection Regulation 2016/679.
The maximum liability of GDPR Tool is limited to the annual Fee paid by the Client.
The Service contract may be terminated upon notice to the other party:
- for the subscribers of the DIY Plans: by the Client at any time by clicking the cancellation link, when logged in to the account;
- for the subscribers of the Advice & Register Plans: by the Client at any time, by sending an email to GDPR Tool (firstname.lastname@example.org);
- by GDPR Tool upon the decision to end the provision of the Services;
- immediately if proceedings are initiated for the other party’s liquidation or insolvency, or a negotiated settlement with the other party’s creditors is concluded, or an assignment is made on behalf of the other party for the benefit of creditors.
Annual payments will automatically renew at the end of each term unless the Client gives notice of termination at least 30 days prior to the end of the relevant term or GDPR Tool terminates the Service contract.
In case of termination of the Service contract, the Fee is non-refundable. The copy of the Client’s data can be provided in CSV format and delivered to the Client by email upon request.
All trademarks, service marks, trade names, logos, domain names and any other features of the brand are the sole property of GDPR Tool.
Database rights, copyrights of the software, and any other intellectual property rights belong to the Partner. The purchase of the Services does not grant any rights to use any GDPR Tool’s or Partner’s brand features, whether for commercial or non-commercial use. The Client may not copy, duplicate, distribute, modify, adapt, hack, create derivative works, reverse engineer or decompile the Services or any part or element of Services unless agreed otherwise.
Change of the Terms and Services
GDPR Tool reserves the right to modify, add, or remove functionalities of the Services at any time without sending prior notice to the Client. The Client acknowledges and agrees that the Services may change over time and that GDPR Tool may make changes to the Services in its sole discretion.
GDPR Tool may discontinue the Services, or change the pricing model and the fees of the plans, at any time with thirty (30) days prior written notice. However, the updated fees will not take effect during the subscription period, selected by the Client. If such changes are unacceptable, the Client may terminate the Service contract by providing written notification to GDPR Tool at least thirty (30) days prior to the date the change is scheduled to take effect. Any use of the Services by the Client, after the effective date, will be deemed acceptance of the amendments of the Service contract.
Governing Law and Jurisdiction
In the event of a dispute, controversy or claim arising out of or in relation to this Service contract, such a dispute, controversy or claim shall be governed by and construed in accordance with the laws of the Republic of Estonia, with Harju County having exclusive jurisdiction and without giving effect to any principles of conflicts of law.
The Services may be performed using equipment or facilities located within the territory of the European Union. GDPR Tool and the Partner shall maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of the Client’s data.
GDPR Tool’s application is operated in Amazon Web Services (AWS) infrastructure located in Frankfurt, Germany. Amazon Web Services infrastructure has been certified against the strictest industry-specific standards and certifications, including ISO 27001, ISO 9001, ISO 27017, ISO 27018, PCI DSS Level 1, SOC1, SOC2, SOC3, HIPAA, GDPR, FedRAMP, FIPS and more. A full list of certifications, regulations and frameworks is available here.
AWS data centres are secure by design, and a large number of controls in use make that possible. Data centres include state-of-the-art physical security and environmental access controls in a highly-secure environment and safety features including: i) 24/7 professional security staff, video surveillance, and intrusion detection systems; ii) fire detection and suppression, redundant electrical power systems, and uninterruptible power supply (UPS). A full list of controls in AWS data centres is available here.
The Partner employs AWS RDS (Amazon Relational Database Service) for storing its data. Amazon RDS takes care of security and data protection and provides a scalable and fast performing database. All data is encrypted inside the AWS RDS database using AWS KMS (Amazon Key Management Service). KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect the encryption keys. All uploaded documents in the document store are held inside the same encrypted AWS RDS database service.
All connections to GDPR Tool’s application use TLS 1.2 transport layer security protocols. All data is encrypted using 2048 bit RSA keys and SHA256withRSA as a signature algorithm.
Users of DIY plans can log in using their username and password. They can also switch on highly-secure Multi-Factor authentication via the user’s cell phone. During the login process, a one-time password is sent to the user’s phone number as an SMS or to the Authy mobile application. Multi-Factor authentication can be switched on from User Settings.
In order to provide a highly reliable service, the Partner employs technologies like AWS ELB (Amazon Elastic Load Balancing) across multiple application servers, adjustable based on system load.
The Partner uses AWS RDS as its database system, which creates automated encrypted data backups multiple times a day to prevent any data loss. As an additional data protection measure, a daily Offsite Backup process transfers an encrypted copy of data to the Zone Media data centre in Tallinn, Estonia (a member of the EU).
GDPR Tool’s application has an Audit Trail functionality, which logs every user login and user transaction like creating, modifying or deleting any record in the system.
GDPR Tool’s application and the Partner closely follow the OWASP Top 10 Most Critical Web Application Security Risks list to provide security through recommended design principles.
For DIY Plans, the Partner utilises Chargebee (https://www.chargebee.com) as a subscription billing service provider. Chargebee is a PCI Data Security Standard (PCI DSS) Level 1 provider, certified to process credit card data. A full overview of certifications and security controls of Chargebee is available here.
The Partner periodically checks and applies patches for third-party software/services. As soon as vulnerabilities are discovered, the fixes are applied. It performs periodic vulnerability scanning using the services of an authorised vulnerability scanning software.
The data is accessible only to the Client and will not be provided to third parties.
In case of losing, forgetting or otherwise not being able to log into the account, GDPR Tool and the Partner may request additional information or proof of the person’s credentials.