“Admin User Account” means the User Account created in Pagero Online by or on behalf of the authorized representative of the Customer in connection with concluding the Agreement with Pagero.
“Agreement” means the MSA and, where applicable, the Proposal, the Professional Services Agreement (the “PSA”), the Support and Service Level Agreements (the “SSLA”) and any other appendices and addendums. These documents are available at www.pagero.com/agreements and the most recent versions are those which are binding for the Customer.
“Affiliate” means a company, corporation or other entity which directly or indirectly controls, is controlled by or is under the joint control of a Party to this Agreement.
“Business Day” means any day which is not a Saturday, a Sunday or a public holiday in the country in which the Services are performed.
“Change Request” means a process or a form with which the Customer requests that Pagero implement new or amend existing Software Services.
“Customer Contact Data” means any kind of Personal Data which can be linked directly or indirectly to a natural person who is an employee of the Customer or otherwise represents the Customer in relation to Pagero or else uses or administrates Pagero Online on behalf of the Customer.
“Customer Data” means the data the Customer Processes via Pagero Online, such as e-Messages and their content, payment files and user account details.
“e-Invoice” means a document or dataset which can be considered an invoice under the applicable legislation and which has been issued and/or received in any electronic format.
“e-Message” means for the purposes of this Agreement an electronic business document exchanged between the Trading Partners, including but not limited to electronic orders, order confirmations, dispatch notifications, delivery confirmations, e-Invoices, reminders and payment files.
“Tax e-Invoice” means the e-invoice which can be used for tax purposes by the Trading Partners as opposed to an e-invoice copy.
“Pagero Group” means Pagero and its Affiliates as defined in this Agreement.
“Pagero Online” means the e-Message SaaS platform and its ancillary Software Services, including but not limited to any related materials and documentation and services developed, modified and/or owned by Pagero.
“Pagero Partner” is a third-party business partner of Pagero which sets up and/or manages accounts in Pagero Online on behalf of the Customer(s) under a separate agreement between the Customer and the Pagero Partner.
“Personal Data” means any kind of information which can be linked directly or indirectly to a natural person.
“Professional Services” means the provided professional services as defined in the Proposal or a Change Request, including but not limited to help desk and support.
“Proposal” means a proposal regarding the provision of Professional and Software Services.
“Recipient” means a party receiving an invoice or other electronic document, usually the buyer.
“Services” means Professional and Software Services collectively.
“Software Services” means the provided software services as defined in the Proposal or a Change Request, including but not limited to Pagero Online.
“Supplier” means an organization which supplies goods or services to a buyer and which may be obligated to issue and store an Invoice, as well as, where applicable, to report, account for and pay output VAT.
“Trading Partner” means either a Supplier or a Recipient, who together are referred to as “Trading Partners”.
“User Account” means a logged-in environment within Pagero Online through which the Customer’s representatives have access to e-Messages distributed or received via Pagero’s network, as well as ordered Customer specific settings.
2. Customer’s responsibilities
2.1. The Customer undertakes to:
- ensure that the environment integrated with or otherwise used by the Customer is updated in accordance with the instructions provided by Pagero at the time;
- ensure that all instructions provided by Pagero are followed;
- be solely responsible for any backup of its Customer Data;
- ensure that the Customer Data passed through the Software Services is free from any viruses or other similarly harmful software and that the Customer Data can in no way have a negative effect on Pagero or its Software Services;
- not attempt to use the Software Services with crawlers, robots, data mining or extraction tools other than where provided by Pagero;
- ensure that the Customer Data in Pagero Online is provided in accordance with Pagero’s instructions and recommendations at the time;
- ensure that login credentials for the User Accounts are kept safe and that internal security protocols and procedures are followed when Pagero Online is used;
- appoint a natural person (officer) for receiving the login credentials for Pagero Online and keep Pagero informed of the contact details of that person;
- be solely responsible for communication between the Customer and Pagero Online, including ensuring that the Customer has the necessary equipment and software applications or access points to access and use Pagero Online, as communicated by Pagero to the Customer from time to time; and
- update and correct information which has been submitted through Pagero Online, including but not limited to the User Accounts, and ensure that it is always accurate (outdated information may result in a User Account being blocked or otherwise invalidated).
2.2. The Customer undertakes to not:
- attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit or distribute all or any portion of the Software Services in any form or media or by any means;
- attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software Services;
- access all or any part of the Software Services in order to build a product or service which competes with the Software Services;
- use the Software Services to provide services to third parties, unless otherwise explicitly agreed with Pagero;
- license, sell, rent, lease, transfer, assign, distribute, display, disclose, commercially exploit or otherwise make the Software Services available to any third party; or
- attempt to obtain, or assist third parties in obtaining, access to the Software Services and/or any related documentation outside the scope of normal usage of the Services.
2.3. The Customer shall take all reasonable measures to prevent any unauthorized access to, or use of, the Software Services and, in the event of any such unauthorized access or use, promptly notify Pagero or its Affiliates.
2.4. The Customer has full responsibility for the following aspects of an e-Message:
- timely delivery of the e-Message, especially payment instructions, to Pagero if certain time frames, e.g. bank holidays, are to be observed;
- sole responsibility for ensuring that the content of the exchanged e-Messages is correct and complete, and that the e-Messages otherwise fulfil the applicable legal requirements;
- the correct payment authority for VAT and any other applicable taxes being used in e-Messages in compliance with the applicable laws;
- implementing and following tailored business control processes, e.g. the creation, issue and receipt of invoices, credit notes, corrective invoices, etc.; and
- special requirements regarding self-invoicing (self-billing) and other indirect invoicing processes being followed and complied with.
2.5. The Customer, when acting as the Recipient of an e-Message transaction, is obligated to receive e-Messages in an electronic form and to treat these electronic documents as Tax e-Invoices for tax purposes, where this is applicable.
2.6. The Customer acknowledges and confirms that it is fully liable to the tax authorities for the e-invoice, VAT and other tax-related consequences. Among other things, the Customer is fully responsible for reporting and paying VAT and other taxes as appropriate in the same way as if the e-Invoice had been issued directly by the Customer. The outsourcing of e-Invoice issuing or validation functions does not result in any shift in liability as regards the Customer’s obligations in relation to tax or accounting law.
In respect of the payment instructions, the Customer is responsible for activating the file approval service in Pagero Online if the file is automatically processed (without approval in the bank interface) by the bank/clearing house.
3. Intellectual property rights and know-how
3.1. Pagero retains all ownership and intellectual property rights to anything developed or modified by Pagero or its Affiliates and provided to, or accessed by, the Customer.
3.2. The Customer retains all ownership and intellectual property rights related to their software, content or data.
3.3. After the termination of the Agreement, the Customer undertakes to immediately remove and destroy all provided login credentials, documentation and similar materials belonging to Pagero and its Affiliates.
4. Third-Party Terms
4.1. The Customer acknowledges that Pagero’s Software Services may contain software (including open source software) distributed under third-party agreements (“Third-Party Components”) which contain terms and conditions regarding the rights to use certain portions of the Software Services (“Third-Party Terms”).
4.2. Such Third-Party Components may require notice or acceptance of additional terms and conditions. Such notice of additional terms and conditions can be obtained by visiting www.pagero.com/customerinformation and is incorporated by reference in this Agreement.
4.3. Pagero is not responsible for updating or maintaining such Third-Party Components or for technical errors such as bugs and the like.
5. Personal Data Protection
5.1. The Parties agree and acknowledge that the Customer will act as Data Controller and Pagero as Data Processor in respect of any Personal Data Processed under this Agreement, with the exception of that which is stated regarding Customer Contact Data and outlined below. Additional provisions regarding the Processing of Personal Data are defined in the Data Protection Agreement.
5.2. Processing of Customer Contact Data – The Parties agree and acknowledge that they will both be acting independently as Data Controllers of the contact names, telephone numbers, email addresses and postal addresses of the other party’s staff involved in this Agreement for the purposes of the effective administration of this Agreement. Pagero may use Customer Contact Data in order to send newsletters, to conduct product surveys, to advertise similar products or services from Pagero and for event invitations. Pagero is entitled to supply the Customer’s data, including its contact persons, to its Affiliates, which are entitled to use the data for the purposes described above to the extent permitted by law. The recipient of such advertising can opt out from receiving further marketing communications by contacting [email protected].
6. Error management in Pagero Online
6.1. Through Pagero Online, Pagero receives and delivers e‐Messages between Trading Partners. Pagero will notify the Customer of any failure in delivering any e‐Message, regardless of the reason, by sending a notification in Pagero Online, an e‐mail or a message via another agreed communication channel. Such notifications will be sent as soon as the failure is discovered by Pagero. Thereafter, the Customer is responsible for any appropriate actions.
7. Originals management
7.1. Unless otherwise agreed between the Trading Partners and explicitly communicated to Pagero, Pagero will have the right to determine the Tax Invoice and its format, in accordance with the applicable regulations, or else the most appropriate e‐Invoicing and, where applicable, other e‐Messaging practice in the given country, industry or field.
7.2. Pagero will ensure appropriate document labelling in Pagero Online.
7.3. Any printouts from Pagero Online shall constitute copies and shall be marked as such.
7.4. The invoice distributed via the e‐mail service shall constitute the Tax e‐Invoice.
8. Duplicate control
8.1. The Customer acknowledges and agrees that Pagero, in order to perform its Services or if requested or otherwise ordered by the Customer, has the right to perform any necessary duplicate control on the numbering of e‐Invoices and, where applicable, other e‐Messages, i.e. checking that the identification number of an e‐Invoice or, where applicable, other e‐Message has not already been used during the same fiscal year.
9. Format, content and code list conversions
9.1. The Customer acknowledges and agrees that Pagero, in order to perform its Services or if requested or otherwise ordered by the Customer, has the right to perform any necessary conversions of the format or the content of the e‐Messages and invoice data exchanged between Trading Partners in order to ensure, among others, the correct delivery and originals management of e‐Messages.
10. Content validation
10.1. The Customer acknowledges and agrees that Pagero, in order to perform its Services or if requested or otherwise ordered by the Customer, has the right to perform any necessary content validation, such as checking whether the mandatory data fields lack values, in order to ensure the conformity of e‐Invoices or, as the case may be, other e‐Messages with both the applicable legislation and the Recipients’ requirements.
11. Content enrichment
11.1. The Customer acknowledges and agrees that Pagero, in order to perform its Services or if requested or otherwise ordered by the Customer, has the right to perform any necessary content enrichment, such as adding missing data elements, in order to ensure the conformity of e‐Invoices or, as the case may be, other e‐Messages with both the applicable legislation and the Recipients’ requirements.
12. Outsourcing authorizations
12.1. Where required and permitted by local regulations and in order to deliver ordered services, the Customer authorizes Pagero or, as the case may be, Pagero’s subcontractors to perform certain services in the name of or on behalf of the Customer. The details of such authorizations are stated in the appendices to the GTC.
12.2. If necessary, for compliance with the applicable legislation, the Customer agrees to sign further documentation to enable Pagero to provide its Services.
12.3. The Customer acknowledges and agrees that the authorizations and other rights under this Agreement and its appendices have been provided to Pagero solely for the purpose of enabling correct e‐Message handling and electronic invoice issuing.
13. Data Export
13.1. The Customer may at any time request a Customer Data export from Pagero Online or, as the case may be, the archiving service. Pagero will assist the Customer by providing such exports in accordance with its current hourly fees.
13.2. The Customer has been informed and confirms that when exports of Customer Data from Pagero Online are requested, only data from the last ninety (90) days will be available.
14. Connection to e-Invoicing platforms
14.1. In certain jurisdictions, enabling electronic invoicing entails the integration with and the creation of a user account for external e-Invoicing infrastructure, whether private or state-owned (“e-Invoicing platform”).
14.2. Where required and allowed, the Customer authorizes Pagero or, as the case may be, Pagero’s sub-processors to integrate with such e-Invoicing platforms and, where needed, to create such user accounts in the name of and on behalf of the Customer.
14.3. Pagero will only create user accounts and is not responsible for their administration. Any login credentials will be forwarded to the Customer and will not be used by Pagero, other than as explicitly instructed by the Customer.
15.1. In order to perform ordered services, the Customer acknowledges and agrees to Pagero and its Affiliates engaging other interoperability providers for the performance of ordered Services without any notification to or approval from the Customer.
16. Effect of cancellation or termination of the Agreement
16.1. Upon the effective date of the cancellation or termination of this Agreement:
- The Customer shall promptly discontinue its use of Pagero’s Software Services, and Pagero shall have the right to discontinue all further Customer access to its Software Services.
- All outstanding invoices immediately fall due and payable by the Customer.
- The Customer shall promptly return to Pagero and/or destroy all Pagero property, including but not limited to all copies of login credentials for Pagero Online and any other proprietary information belonging to Pagero Group delivered under the Agreement.
- The Customer acknowledges that, unless prevented by law, all Customer Data will be deleted ninety (90) days after the termination of the Agreement, with the exception of payment instructions, which will be deleted after twenty-four (24) months. Pagero may, however, keep anonymized and aggregated Customer Data for herein agreed purposes.
- The Customer acknowledges that it is the Customer’s responsibility, before the termination of the Agreement, to store any Customer Data which the Customer wishes to keep after said termination. Pagero may, upon the Customer’s request and for the applicable remuneration, assist in such archival work (data export).
In the event of the termination of the Agreement with immediate effect by the Customer, the Customer shall pay any outstanding fees from the date of termination.
Data Processing Agreement
1. Scope and order of precedence
1.1 This Data Processing Agreement, including its Appendices (1 and 2), constitutes the “Data Processing Agreement” or “DPA”. This DPA shall apply as a supplement to the Agreement currently in force and the incorporated appendices thereto (referred to as the “Agreement”).
1.2 Except as expressly stated otherwise, in the event of any conflict between the terms of the Agreement and the terms of this DPA, the relevant terms of this DPA shall take precedence.
1.3 This DPA serves as a written data processing agreement between Pagero and the Customer, regulating Personal Data Processed under or in connection with the Agreement, in the event Pagero can be defined as the Data Processor within the meaning of the Data Protection Laws and Regulations applicable at any given time. It furthermore defines the applicable technical and organizational measures Pagero and its Sub-processors shall implement and maintain to protect Personal Data Processed under the Agreement.
1.4 This DPA shall be effective for the term of the Agreement.
2.1 “Agreement” means the Proposal and the General Terms and Conditions currently in force and the incorporated appendices thereto (the “GTC”).
2.2 “Customer” is specified in the Agreement.
2.3 “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
2.4 “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
2.5 “Data Protection Laws and Regulations” means the applicable legislation protecting the fundamental rights and freedoms of persons and, in particular, their right to privacy, including the EU Directive 95/46/EC and the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, repealing Directive 95/46/EC (GDPR).
2.6 “Data Subject” means an identified or identifiable living individual, as defined under the applicable Data Protection Laws and Regulations.
2.7 “Instruction” means a written instruction, issued by the Customer to Pagero, directing Pagero to perform a specific action with regard to Personal Data. Instructions shall initially be specified in the DPA and may, from time to time thereafter, be amended, amplified or replaced by the Customer in separate written instructions.
2.8 “Independent Data Processor” means an organization – another Data Processor – which, by agreement or by law, performs certain processes in relation to the e-Message (e.g. receiving or sending) on behalf of another Data Controller (Pagero Customer’s Buyer or Supplier) and is appointed by this Data Controller to perform such actions.
2.9 “Personal Data” means any information relating to an identified or identifiable person, as defined by the Data Protection Laws and Regulations.
2.10 “Process” or “Processing” means any operation or set of operations upon Personal Data as defined by the Data Protection Laws and Regulations.
2.11 “Sub-processor” means any third-party suppliers engaged by Pagero in accordance with Section 6.
2.12 “Pagero” means Pagero AB, registration number 556581-4695, with its registered office at Västra Hamngatan 1, 411 17 Göteborg, Sweden or any of Pagero’s affiliates, which means a company, corporation or other entity which directly or indirectly is controlled by Pagero.
2.13 “Data Protection Authority” means a national authority tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the European Union.
2.14 “Transfer” means a cross-border transfer of Personal Data outside the EU as set forth in Section 11.
3. Processing of personal data
3.1 Purpose, Types and Categories. The nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects Processed within the scope of this DPA and the Agreement are further defined in Appendix 1.
3.2 Data Controller. The Customer acts as, and between itself and Pagero will at all times remain, the Data Controller concerning any Personal Data provided by the Customer under or in connection with the Agreement. The Customer is responsible for the accuracy, quality and lawfulness of the Personal Data and the means by which the Customer acquired the Personal Data.
3.3 Data Processor. Pagero and its Sub-processors act as, and between themselves and the Customer shall remain, Data Processors and shall only Process Personal Data on behalf of the Customer and in accordance with lawful instructions provided by said Customer, the applicable Data Protection Laws and Regulations and any other applicable mandatory legislation.
3.4 Processing purposes. The Customer shall determine the purposes of the Processing of Personal Data under the Agreement. The purposes of the Processing of Personal Data by Pagero and its Sub-processors under this DPA are limited to:
- fulfilling the agreed obligations under the Agreement, such as for providing a system or software, consultancy services, maintenance services, support services and other services to the extent agreed by the Parties under the Agreement;
- setting up, operating and monitoring the underlying infrastructure (hardware, software, servers, environments, connectivity, etc.) required to provide the relevant services under the Agreement and to meet the technical, security and organizational requirements for the Processing of the Personal Data;
- communicating with the Customer and the Customer’s staff;
- executing Instructions issued by the Customer in accordance with Section 3.5 below; and
- addressing service issues, technical problems or incidents.
3.5 Instructions. The Customer is responsible for issuing Instructions to Pagero regarding the Processing of Personal Data under the Agreement. Pagero shall only Process such Personal Data in accordance with the terms of this DPA and any other Instructions provided from time to time by the Customer. If Pagero believes that an Instruction from the Controller is not compliant with the Data Protection Laws and Regulations, Pagero shall notify the Customer of this opinion without unreasonable delay.
4. Pagero Staff
4.1 Confidentiality. Pagero shall ensure that its and its Sub-processors’ staff who have access to Personal Data are informed of the confidential nature of said Personal Data and have entered into appropriate confidentiality agreements.
4.2 Limitation of Access. Pagero shall ensure that its and its Sub-processors’ access to Personal Data is limited to the individuals performing services in accordance with the Agreement.
5. Protection of Personal Data
5.1 Technical and Organizational Measures. When Processing Personal Data on behalf of the Customer in connection with the Agreement, Pagero and its Sub-processors shall implement and maintain appropriate administrative, physical, technical and organizational security measures for the protection of the rights of the Data Subjects in compliance with the Data Protection Laws and Regulations and in particular Article 32 of the GDPR. These measures shall be implemented to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access and against all other unlawful forms of Processing. Further details of the administrative, physical, technical and organizational security measures to be implemented and maintained by Pagero when Processing Personal Data under the Agreement are described in Appendix 2 of this DPA.
5.2 Rights of Data Subjects. Pagero will promptly notify the Customer if it receives a request from a Data Subject for information regarding, access to, rectification, completion or deletion of that individual’s Personal Data. Pagero will not respond to any Data Subject request without the Customer’s prior written consent except to confirm that the request has been received and sent to the Customer. To the extent legally permitted, Pagero shall provide the Customer with help and assistance in relation to the handling of a Data Subject’s request.
5.3 Communication with supervising authorities. Except as otherwise required by law, Pagero will notify the Customer without undue delay of any contact or requests from any Data Protection Authority concerning or of significance to the Personal Data Pagero Processes on the Customer’s behalf. At the Customer’s request, Pagero will provide the Customer with relevant information in its possession relating to the contact or request, as well as any assistance reasonably required for the Customer to respond to the Data Protection Authority in a timely manner. Pagero has no right to represent the Customer or to act on behalf of the Customer.
5.4 Pagero shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the EU General Data Protection Regulation, taking into account the nature of the Processing and the information available to Pagero.
6.1 Use of Sub-processors. Pagero may from time to time contract Sub-processors to meet its obligations under the Agreement. Pagero shall provide the Customer with a list of contracted Sub-processors upon request. Pagero shall ensure that the same data protection obligations as set out in this DPA are imposed on the Sub-processor by way of written agreement.
6.2 Change of Sub-processor. Pagero may decide to remove, replace or appoint additional Sub-processors. Pagero shall notify the Customer in writing before authorizing any new Sub-processor(s) to Process Personal Data within the scope of the Agreement. If the Customer does not accept the change and/or appointment of a Sub-processor, the Customer is entitled to terminate the parts of the Agreement affected by the change by notifying Pagero thereof in writing within ten (10) days of receiving the change notification and with thirty (30) days’ notice.
6.3 Liability. Pagero shall be liable and accountable for the acts and omissions of its Sub-processors to the same extent that Pagero is liable and accountable for its own actions or omissions under this DPA.
7. Independent Data Processors
7.1 In order to fulfil its obligations under the Agreement, on occasion Pagero may need to exchange data with Independent Data Processors.
7.2 Under no circumstances can Pagero be held liable for the Processing of Personal Data by such Independent Data Processors.
8. Audit rights
8.1 Audits. The Customer is entitled to audit Pagero’s Processing under the Agreement to ensure compliance with this DPA, subject to the provisions below. Pagero shall always allow and cooperate in any audits conducted or required by a Data Protection Authority responsible for monitoring the Customer’s Processing of Personal Data.
8.2 Customer Audits. Pagero shall provide the Customer or the Customer’s independent third-party auditor with such information and access to its premises as may reasonably be required to satisfy them that Pagero is complying with its obligations under this DPA.
Prior to such audits, the Customer shall provide Pagero with reasonable written notice (at least 30 days unless a Data Protection Authority requires an earlier audit under mandatory law).
8.3 Customer Audit Restrictions. The following audit restrictions shall apply:
- Unless required by mandatory Data Protection Laws and Regulations or the Customer has a reason to suspect that Pagero or one of its Sub-processors is not complying with the obligations set out in this DPA, an audit pursuant to Section 8.2 is limited to once in any twelve-month period.
- The Customer shall conduct the audit in a reasonable time, place and manner during normal business hours and subject to Pagero’s security policies and may not unreasonably interfere with Pagero’s business activities.
- The Customer shall bear all costs of an audit pursuant to Section 8.2, unless the audit finds that Pagero or one of its Sub-processors is in breach of its obligations under this DPA due to wilful intent or gross negligence, in which case Pagero shall bear all of its own costs. Pagero’s internal costs shall be based on the then-current daily professional service rates as applicable to the Customer or, in the absence of such an agreement, on Pagero’s price list.
8.4 Audit Findings. Without prejudice to any other of the Customer’s rights or remedies, Pagero shall without unreasonable delay remedy any audit findings if the audit determines that Pagero or one of its Sub-processors has breached its obligations under this DPA. If Pagero cannot remedy an audit finding it must notify the Customer. The Customer is then entitled to terminate the Agreement without any compensation.
9. Incident management and security breach notification
9.1 Incident management. Pagero shall evaluate and respond to events suspected to lead to unauthorized access to or Processing of Personal Data (“Incidents”). If there is a risk that the Incident may lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data, Pagero will promptly notify the Customer and provide relevant information regarding the Incident. Pagero will define appropriate activities to address Incidents and work with the Customer when appropriate to protect the Personal Data. The objective of the Incident response will be to restore the confidentiality, integrity and availability of the related service and Personal Data.
10. Return and deletion of Customer data
10.1 Return and deletion. Pagero shall upon the Customer’s request return all stored Personal Data provided by the Customer within the scope of the Agreement to the Customer and then delete all such data, including any data in backups or the like, within ninety (90) days of the termination of the Agreement or this DPA, unless otherwise agreed in writing. Due to the different nature of such files, payment instructions will be deleted after twenty-four (24) months.
11. Transfer of personal data
11.1 General. Pagero and its Sub-processors shall not Process or Transfer Personal Data outside the EU or the EU Approved Countries (“Third Country Data Transfer”) without a written mandate from the Customer.
11.2 Mandate. Pagero is hereby mandated by the Customer to Transfer Personal Data to approved Sub-processors located in a country or territory outside the EEA or the EU Approved Countries, and to allow such Sub-processors to access and Process Personal Data from a country or territory located outside the EEA or the EU Approved Countries, solely for the purposes stated in Section 3.4 and provided that:
- the recipient has been found to ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data through the Privacy Shield framework;
- the Transfer is governed by and in accordance with a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including without limitation Binding Corporate Rules for Processors; or
- the Transfer is governed by and in accordance with the Standard Contractual Clauses as further set forth in Section 11.3 below.
11.3 Standard Contractual Clauses. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. For the avoidance of doubt, the Standard Contractual Clauses will only apply to Transfers of Personal Data.
12.1 Each Party shall indemnify and hold the other Party harmless from and against all losses due to claims from third parties resulting from, arising out of or relating to any breach by such first-mentioned Party of this DPA or Data Protection Laws and Regulations as set out in Article 82 of the EU General Data Protection Regulation.
12.2 Without prejudice to the foregoing, neither Party shall be held liable for indirect losses, including damages and/or consequential damages such as loss of profit or revenue, or other economic losses incurred pursuant to this DPA, except in cases of wilful intent or gross negligence on the part of the indemnifying Party. A Party’s total liability to the other Party under this Section 12 shall never exceed the value of all fees paid by the Customer to Pagero during the past 12 months, or if 12 months have not passed, a calculated 12‐month period encompassing fees paid and expected fees payable. This limitation shall not apply to damages caused by a Party’s gross negligence or wilful misconduct.
DPA Appendix 1
1. Data subjects
The Processing of Personal Data covered by this DPA concerns the following categories of Data Subjects:
Pagero will only Process the Personal Data of Data Subjects provided by the Data Controller.
2. Categories of data
The Processed Personal Data concerns the following categories of data:
Pagero will only Process categories of Personal Data for the purposes established by the Customer’s Processing operations. For example, these categories may include information about customers, employees and customer contacts at suppliers.
3. Special categories of data
Pagero will only Process Personal Data for the purposes established by the Customer’s Processing operations.
The Processed Personal Data will be subject to the following basic Processing activities:
The Personal Data will be Processed within the framework of the provision and operation of Pagero Online and its ancillary services. The system will be available to the Customer in its daily operations, as well as for Pagero to provide support and maintenance. The Personal Data will be stored and Processed, for example, in different e-Messages, including but not limited to orders and invoices.
4. List of Sub-processors
The Processing of Personal Data covered by this DPA may be performed by one or several of Pagero’s Sub-processors. By agreeing to the terms of this DPA, the Customer approves Pagero’s current list of Sub-processors:
The current list of Sub-processors can be found here: www.pagero.com/customerinformation.
To access the list, please enter the password Compliance (NOT TO BE DISCLOSED TO UNAUTHORIZED PERSONS).
DPA Appendix 2
Description of the technical and organizational security measures to be implemented for the protection of Personal Data.
The purpose of this document is to describe the technical and organizational security measures regarding the General Data Protection Regulation (EU 2016/679) which are in place within all services Pagero Group offers to its Customers.
Risk assessment regarding Data Protection
Pagero conducts a documented risk assessment for each product and service used within the Pagero Group and for all products offered to its Customers. The risk assessment is reviewed on a regular basis. Based on the findings in the risk assessment, different security measures may be implemented, documented and reviewed for each product or service in order to fulfil legal requirements.
The Risk Management Process is based on five different steps:
- Identify risk
- Analyze and assess risk
- Perform decision making
- Implement decision
- Validate the effectiveness of the decision
As part of its information security management system (ISMS), Pagero has made part of the documentation available upon request to Customers. The documentation that is available is classified as public or restricted information. All documentation within Pagero’s ISMS is reviewed on a yearly basis as a part of the company’s ISAE audit program and Cyber Essentials certification. The ISAE audit is performed by an independent auditor and is based on the trust service principles Confidentiality, Integrity and Availability. The ISAE audit report is available upon request to Customers and prospects. The following security measures have been implemented based on the GDPR.
Pseudonymizing and encryption of personal data
Pagero uses pseudonymizing and/or encryption where possible to protect Customers’ Personal Data and to reduce the risk of data exposure. The exact security measures vary between services and products depending on risk level, technical requirements and product type.
All data at rest are encrypted
Passwords are hashed and stored in encrypted form. If Personal Data are used in test environments, the data are pseudonymized according to company policy and procedures. Pagero Online backup files are stored in encrypted form at an offsite location according to company policy.
Confidentiality, Integrity and Availability
Multiple security controls must be in place to ensure that a person can only access the data they are authorized to view. Pagero has taken the following measures to ensure access control:
- Unauthorized parties are denied access to data processing systems where Personal Data and Customer Data are Processed or used.
Pagero ensures logical security of access to Customer Data in the following ways:
- Pagero has strict controls for accounts and account creation.
- Accounts may be granted only to individuals with a verified business need.
- Accounts are never to be shared with anyone for any reason.
- Accounts must be granted with the minimum level of access to the minimum number of systems required for the user to complete their required business tasks.
- Accounts may only be issued when authorization for the accounts can be verified.
- Account abuse results in immediate account termination.
- Account credentials must meet the password complexity requirements of Pagero.
- Accounts determined to be idle or unused by otherwise active employees, contractors or consultants for a period of six months must be disabled and the direct supervisor of the account holder notified.
Only authorized staff with valid business reasons have access to Pagero’s data centres. The data are protected from accidental or illegal destruction by physical and environmental controls. The physical and environmental controls are reviewed on a yearly basis as a part of the company’s ISAE audit report. Remote access to the company’s data centres requires a mandatory two-factor login process, using a username, password and access rights separate from those used for Pagero Network.
Pagero has taken the following measures to ensure entry control in order to prevent unauthorized parties from being able to enter data processing systems:
- Network security
  - The network is divided into different subnets
  - IDS and IPS are in place
  - Firewalls are in place and the settings are reviewed on a regular basis in accordance with company policies
- Pagero enforces the use of complex passwords or biometric identification in combination with a two-factor login process in accordance with company policy.
Pagero ensures physical security of access to Customer Data in the following ways:
- All data centres are ISO 27001 certified, audited in accordance with the ISAE audit standard, or covered by an equivalent security framework.
- Sensitive areas and systems must be physically secured, and access must be granted only to authorized individuals, all of whom must demonstrate an understanding of Pagero’s security policies. Access to sensitive areas is logged.
- Access is revoked upon inappropriate use, a security breach or termination of employment.
- Servers are physically located in an access-controlled environment.
Pagero ensures that data are protected from accidental or unlawful destruction in the following ways:
- Backups are stored outside the data centre
- A warm standby environment to which data are transferred regularly in accordance with company policies
- The data centres are protected against environmental incidents in accordance with industry standards
- Redundant power systems (UPS, for example)
- Protection against flooding
- Fire alarm/protection
Pagero Online and Primelog TMS are Pagero’s cloud services and are hosted in a private cloud. Only authorized staff within the Pagero Group have access to the environment and a two-factor login process is mandatory for these user groups. The data are protected from accidental or unlawful destruction by physical and environmental controls. The physical and environmental controls are reviewed on a yearly basis as part of the company’s ISAE audit report.
The cloud service is based on two independent data centres, one of which is a warm standby data centre as described above under Data centres.
The data are backed up according to industry standards and are protected from accidental or unlawful destruction by physical and environmental controls as described above under Data centres.
The backup process is tested on a regular basis to ensure that it is possible to restore the data in an effective manner.
Internal system within Pagero Group
Internal systems within the Pagero Group are only accessible via the company’s secure intranet solution and access to this intranet is protected by a two-factor VPN solution to ensure that only approved internal or external staff can access the systems.
External Pagero tools hosted in the cloud outside Pagero’s intranet are protected by one or several of the following standards: Active Directory Federation Services (AD FS), two-factor login, approved IP ranges, username and password access. Each external system is reviewed in accordance with the supplier management procedure and a risk management procedure to set the security level of the application. Criteria included in the risk management procedure are:
- Type of data stored (internal data, Customer Data)
- Place of storage
- Number of employees accessing the application
All internal systems containing Customer Data are always protected by either VPN or two-factor login.
In order to secure system availability and access to Personal Data in the event of technical or physical incidents, Pagero has backup processes in place as well as independent secondary warm standby data centres to secure access to the Personal Data stored in the company’s cloud services.
Pagero has defined how business continuity should be achieved in the event of a critical system failure in order to provide Customers with high availability of the cloud services. The business continuity plan is tested on a regular basis, two to four times a year, in order to minimize manual steps and to make the plan as effective as possible. The business continuity plan is reviewed on a yearly basis by an independent auditor as a part of the company’s ISAE audit report.