Authopia Terms of Service

Effective from: 21 June 2024

1. Business agreement

These Terms of Service (“Terms”) govern access to and use of Authopia services, which include relevant software, its integration, and any services provided to Customer through Authopia business-related software, features, applications or otherwise (all of which are collectively referred to as the “Services”).

The Terms are between the organization agreeing to these Terms (“you” or “Customer”) and Nord Security Inc. (“we”, “us”, “our” or “Nord”).

Please note that the Terms constitute a binding legal agreement between you and Nord. By visiting the website, registering for, integrating with and (or) using any of the Services on any platform or device you agree to be bound by these Terms. It is only under these Terms that Nord allows Customers to use Services. If you do not agree to these Terms or any provisions hereof, please do not integrate with and do not use our Services.

When you are agreeing to Terms for the use of the Services by an entity, you are agreeing on behalf of that entity. You must have, and hereby you confirm that you have, the authority to bind that entity to these Terms, otherwise you must not sign up for the Services.

Services are developed for use by businesses and organizations. To the maximum extent permitted by law you hereby acknowledge and agree that consumers’ laws are not applicable to these Terms.

You are not allowed to access and use Services if you are a competitor of our business and (or) are using our Services in order to gain information to be used for unfair competition, if you have been or are prohibited from accessing the Services, or if your integration with us has been suspended or closed due to any reason.

For information about how we process data about you and your use of our Services, please see our Privacy Policy, which is published here: /privacy and is hereby incorporated into and subject to provisions of these Terms by this reference.

2. Services

Under Terms, at your individual request and at your sole discretion we provide Services for your exclusive use. Nord is a provider of the Services, but its Customers have a duty to comply with all applicable laws and regulations when using the Services.

Please note that when you interact with Services, Nord may use your interactions and related usage information to improve and develop Services.

Nord will not be liable in any way or form for actions done by its Customers while using Services, including criminal liability and civil liability, for harm executed, intended or otherwise.

Encryption

YOU ACKNOWLEDGE THAT, DUE TO THE ENCRYPTED NATURE OF THE SERVICES, (I) THERE IS NO WAY TO PROVIDE PASSKEYS BASED AUTHENTICATION SERVICE WITHOUT A RESPECTIVE PRIVATE KEY OF THE ACCOUNT AND (II) AUTHOPIA HAS NO ABILITY OR OBLIGATION TO PROVIDE PASSKEYS BASED AUTHENTICATION SERVICE IF THE PRIVATE KEY IS LOST OR DAMAGED OR OTHERWISE INACCESSIBLE FOR ANY REASON, INCLUDING IF YOU OR YOUR END USER MISPLACED PRIVATE KEYS.

Ownership and Customer’s rights. If you believe any Customer or end user of the Services infringed the Terms (e.g., violated your privacy or infringed your copyright, other intellectual property rights, or any other rights in any way), please notify us in writing, by email: info@authopia.io.

Software. To access and use our Services, you may be required to integrate with our Software. Pursuant to these Terms, “Software” means any software, feature, integration or part of the code (including any releases, updates, enhancements, or revisions) and any documentation that accompanies or is made available in connection with such software provided by us to you for your use of the Services.

Support. Customer will, at its own expense, be responsible for providing support to its end users. Customer will use reasonable efforts to resolve any such support issues before escalating them to Nord. Nord shall only provide business support to the Customer when the issue arises from the technical side of Nord and it could not have been solved by the Customer.

3. Customer obligations

Customer is responsible for (a) duly paying all fees relating to Customer’s (including its end users) use of the Services; (b) promptly notifying Nord of any unauthorized use of or access to the Services; (c) taking all necessary measures to protect Nord's intellectual property rights in the Software, including implementing reasonable security measures to prevent unauthorized access, reproduction, or distribution of the Software; (d) maintaining the confidentiality and security of passwords and accounts and managing access to the admin panel; (e) maintaining accurate and current account and contact information for each admin account; and (f) ensuring that any and all use of Services complies with the Terms and applicable laws.

Restricted uses. Customer will not, and will ensure that end users or its affiliates do not: (a) offer for sale or lease, sell, resell or lease access to the Services; (b) attempt to reverse engineer Services or any software or other components used therein or assist anyone else in doing so; (c) use Services in a manner or under circumstances where use or failure of Services could lead to death, personal injury, physical or property damage, or use Services for purposes that otherwise require significant safety precautions; (d) use Services in a manner that would violate applicable laws or distribute any malware or malicious content; (e) attempt to create a substitute or similar service through the use of, or access to, the Services or the Software; (f) use any automated process or service (such as a bot, a spider, or periodic caching of information stored by the Services or the Software) to access or use the Services; (g) use Services for crawling, scraping or other such automated means in any form or scale; (h) violate general ethic or moral norms, good customs and fair conduct norms; (i) use Services to communicate any message or material that is defamatory, harassing, libelous, threatening, or obscene; (j) establish an account on the Services as an individual for personal, family, or household purposes; or (k) otherwise infringe or circumvent the Terms.

Nord does not tolerate any unlawful, illicit, criminal or fraudulent activities perpetrated by using the Services. Customer has the sole control to select the persons and enable them to use the Services, effectively making them end users. Customer is therefore responsible for the use of the Services by respective end users. Customer will (and Customer will make sure its end users will) comply with laws and regulations applicable to Customer's use of the Services. Customer will not take any action that would cause Nord to violate any applicable laws. It is Customer’s responsibility to know and comprehend any and all relevant laws related to any jurisdiction or venue that concerns Customer or any of its end users, their actions and their use of Nord. If an end user: (a) violates the Terms; or (b) uses Services in a manner that Nord reasonably believes will cause its liability, then Nord may suspend or terminate the end user’s account.

Sanctions. Customer represents and warrants to Nord that the Customer and any of its end users are not a direct or secondary target of any sanctions administered by the Office of Foreign Control of the U.S. Department of the Treasury ("OFAC"), the U.S. Department of State, the United Nations Security Council, the European Union, Her Majesty's Treasury of the United Kingdom, or other relevant sanctions authority (collectively, "Sanctions"), nor is the Customer, any of its subsidiaries or any end user located, organized, or resident in a country or region that alone or in correlation with other factors makes the Customer a subject or target of Sanctions, forbidding or limiting the use, import, export, sale of, or payment for the Services, including, without limitation, Crimea, Cuba, Iran, North Korea and Syria; and the Customer and any of its end users will not use the Services in any such jurisdiction or in violation of any of the United States of America’s, the European Union’s, the United Kingdom’s, the United Nations’ or other relevant international body’s, country’s or state’s export law or regulation or in any other manner that may result in a violation by any person of applicable Sanctions. Any breach of this clause will be treated as a material breach of the Terms and Nord reserves the right to suspend or terminate the access to the Services to such Customer immediately, without any advance notice.

4. Ownership. Intellectual property rights

By using Services you accept and acknowledge that the Software, including, but not limited to, the appearance, content, selection, assembly and functionality and any other parts or specifics of the Software, are the sole ownership of Nord (despite whether the specific content is individually protected by copyright or other intellectual property rights). Except as expressly set forth herein, these Terms do not grant either party any rights, implied or otherwise, to the other party's intellectual property. No title to or ownership of or any other rights in or to the Services or the Software is transferred to Customer under the Terms.

Customer is granted a limited, non-exclusive, non-transferable, non-sublicensable, worldwide, revocable license to (1) integrate the Software into Customer’s IT system; (2) use our Services; and (3) for better usability and design purposes modify the part of the Software code provided for Customer’s integration. Software code modification does not transfer or extend ownership of the Software or any parts thereof. Customer acknowledges that any improvements, enhancements, or modifications made to the Software by the Customer remains and becomes the property of Nord and may not be used outside the scope of these Terms without explicit written consent from Nord. By modifying the Software the Customer acts at its own risk and undertakes full liability on it. Nord does not provide any representations or warranties regarding the modified Software, nor undertake to provide any support to the Customer or end-users regarding the issues arising from modified Software.

The license provided herein is effective until terminated. This license automatically terminates if you fail to comply with these Terms. Upon termination or upon Nord's request, the Customer shall promptly return or destroy all copies of the Software code, including any modifications, and cease any further use of the Software.

Name and Trademarks. Customer hereby grants Nord a non-exclusive, irrevocable (during the Subscription Period), worldwide, royalty-free license to use (including, reproduce, modify, make available) Customer’s name, primary logo or other trademarks solely for the purpose of identifying you as our Customer and sending Service related emails to your end-users identifying you as a sender (e.g., noreply-[company_name]@authopia.io) with or without your testimonials and without any other restrictions. Rights granted in the previous sentence include our right to include you in any customer list on our website, application or printed marketing materials.

Feedback. Reporting any flaws, errors, or imperfections found in Services is something we encourage you to do. We value your prompt and accurate feedback, as it helps us improve the quality of our services. Therefore, feel free to provide reports on all aspects of Services, including both positive and negative aspects.

You hereby grant us a perpetual, irrevocable, worldwide license to use any Feedback you communicate to us during the Subscription Period, without compensation, without any obligation to report on such use, and without any other restriction. “Feedback” refers to any suggestion, comment, recommendation, or idea arising out or in connection with the performance of these Terms, including without limitation all intellectual property rights in any such suggestion, comment, recommendation, or idea.

5. Third party requests

Customer acknowledges and agrees that it is responsible for responding to a request from a third party for records relating to Customer's or an end user's use of Services (including but not limited to criminal or civil subpoenas or other legal process requesting Customer or end user information) (“Third Party Request”). If Nord receives a Third Party Request, Nord will, to the extent allowed by law and by terms of the Third Party Request, direct the third party to the Customer to pursue the Third Party Request. Nord retains the right to respond to Third Party Requests for Customer’s information where Nord determines, in its sole discretion, that it is required by law or its internal policies to comply with such a Third Party Request.

6. Payments

CUSTOMER ACKNOWLEDGES THAT CUSTOMER AND ITS END USERS MAY LOSE ACCESS TO SERVICES IN THE EVENT THAT CUSTOMER FAILS TO PROVIDE TIMELY PAYMENT.

Services are subscribed on a service period basis. The Customer chooses the service period and the payment method when signing up for the Services. In some cases, Nord might make parts of Services with limited functionality available free of charge. In case it is technologically available depending on the selected payment method, subscription to the Services and therefore payments will be recurring, meaning that your chosen payment method will be charged at the beginning of each service period, repeating the length of the previous service period, unless you decide to cancel your subscription for the Services. Fees are non-refundable except as required by law or as otherwise specifically permitted in these Terms.

7. Refunds

If the Customer wishes to claim a refund, the Customer can do so within 14 days following its initial purchase of our Services. We seek your full satisfaction with our Services and we would like to troubleshoot an issue you experience first. There are common service configuration issues that may hinder the Services for you, and we resolve most issues encountered.

Refunds will not be provided after the 14 days term from the initial purchase, and Services’ subscription automatic renewal does not restore the Customer’s right to request a refund. Payments made in cryptocurrency, using prepaid cards or gift cards will not be refunded as well.

You have a right to cancel your account at any time. You can cancel a recurring subscription by contacting our Customer Support. Canceled accounts will not be refunded for the unused part of the ongoing service period. No refunds will be considered for accounts terminated for violation of these Terms.

Services purchased via third parties are subject to their refund policies. Nord cannot refund any purchases made from our resellers and other third parties. In such cases, refunds are handled according to the terms of service of the reseller or other third party from which the Services were purchased.

8. Taxes

Any fees charged by us are exclusive of taxes. We may calculate and add any taxes and / or additional fees, including, but not limited to sales tax, value added tax and other taxes or fees under laws applicable to you. Such taxes and fees will be calculated according to the billing information provided by you to Nord at the time of purchase.

Each party shall be responsible for paying all local, state, federal or foreign taxes, duties or levies, due in relation to amounts collected by it. All payments to be made under the Terms shall be free and clear of any and all taxes, levies, duties, imports, fees or other charges. Where any sum due to be paid hereunder is subject to any withholding tax, the Customer may be entitled to deduct it from the amount payable to Nord under the condition that it duly provides Nord with the proper required certificate and shall take all other actions to enable Nord to take advantage of any applicable double taxation agreement or treaty.

Changes in fees. We may introduce and change the price of our Services from time to time and add new fees and charges for certain features or to reflect a change in business or legal rules, but we will provide you with advance notice of the introduction of or changes in recurring subscription fees. Any increase in charges for the same Service would not apply until the expiration of your then current billing cycle, unless otherwise specifically provided in our notice to you, and would become effective no sooner than the next time you would be charged for that Service. If you do not agree with the new price or other applicable charges, you may elect not to renew Service subscription or if you were using Services for free - discontinue the use of our Service before the price change goes into effect, such cancellation becoming effective at the expiration of your then current subscription period, or if you were using Services for free - when the new pricing goes into effect.

9. Term

The Terms shall be effective from the date Terms are accepted by Customer and until the Customer account deletion if Customer was using free subscription or the end of paid subscription period chosen by Customer upon registration ("Subscription Period") unless (i) Subscription Period has been renewed (see Section "Automatic Renewals"), which would extend the validity of the Terms for the respective period, or (ii) the access to the Services has been terminated in accordance with the provisions of Section "Termination". The effective date may differ in the event a transition period is clearly defined at the beginning of the Terms.

Automatic Renewals. Following the initial Subscription Period, the subscription to the Services will automatically renew repeating the length of the previous Subscription Period, unless either party gives the other written notice of termination prior to the expiration of the then-current Services term.

End Users. End user's rights under the Terms remain effective until Customer's subscription expires or terminates, or Customer's or end user’s access to the Services has been terminated by Customer or Nord.

10. Termination

Either party may terminate the Services if: (a) the other party is in material breach of Terms and fails to cure that breach within 30 days after receipt of written notice (except where otherwise indicated in these Terms); or (b) the other party ceases its business operations or becomes subject to insolvency, bankruptcy, winding-up or similar proceedings and the proceedings are not dismissed within 30 days.

Nord may suspend or terminate Customer’s access to the Services: (a) if required to do so by law, or (b) for conducting criminal or illegal activities by Customer or its end users when using Services if reasonably suspected by Nord, or (c) if Nord determines in its absolute discretion that the provision of the Services to Customer is not in the best interests of Nord. If Nord terminates the Customer’s access to the Services as per event indicated in point (c) of this paragraph, the subscription fees already paid for the Services (for the current Subscription Period only) will be refunded to Customer and Customer will be released from paying any subscription fees that were or are to be due for the current Subscription Period; whereas the Customer acknowledges that the refund of subscription fees paid is its sole remedy in the event of termination of the Customer’s access to the Services by Nord in the event indicated in point (c) of this paragraph and all other liability of Nord is hereby expressly excluded.

Nord shall also have the right to suspend or terminate the Customer’s access to Services if all of the following conditions apply: (i) the entity providing the Services changes for any reason, and (ii) a consent, confirmation, acceptance, instruction or similar action (“Consent”) of the Customer is required under the Terms or the applicable laws (including any privacy laws) in order to change the contracting party, and (iii) the Customer does not provide its Consent in due time, and (iv) the new provider of the Services is not able to continue providing Services without such Consent of the Customer. If all such aforementioned conditions apply, Nord shall have the right to suspend or terminate the Customer’s access to the Services from the moment Nord is not able to continue providing Services to the Customer without its Consent. In such event, the Customer shall have the right to request a refund for the unused part of the then-current Subscription Period by contacting Nord via e-mail (see Section "Notices").

Consequences of termination. After termination of Customer’s access to the Services for any reason whatsoever and without prejudice to any other applicable provisions set forth in the Terms: (a) except as set forth in this Section, the rights and licenses granted by Nord to Customer and its end users will cease immediately; (b) Nord shall delete or otherwise make unrecoverable and (or) anonymized any end user accounts and other data relating to Customer’s and its end users’ account in a commercially reasonable period, except for copies as authorized under the Terms, automatic backups (if any), or as required to be retained in accordance with applicable laws; (c) all provisions of the Terms which by their nature are intended to continue in effect after the expiration or termination and all rights and remedies of the parties that accrued up to the termination date or by virtue of the termination or expiration will survive the termination date.

11. Confidentiality

Confidential Information shall mean and include all data and information disclosed by a party to the other party during the Subscription Period and (or) pre-contractual relationship (whether written or oral, regardless of the way in which it has been provided), information designated as confidential by either party and all other information which relates to the business, affairs, customers, products, development, know-how, trade secrets and personnel of either party (“Confidential Information”).

The receiving party shall: (a) keep Confidential Information in strict confidence; (b) not disclose any of the Confidential Information in any manner to any third party; (c) use Confidential Information solely for the purposes established in these Terms; (d) adopt the measures necessary to protect Confidential Information received from the disclosing party against disclosure, which shall represent at least the same degree of care as used to protect its own confidential information; (e) communicate and allow access to Confidential Information solely to those employees, individuals and legal entities providing services to the receiving party which may require it for the purpose of providing Services; each party shall be responsible for any breach of the confidentiality obligations by the individuals or legal entities to whom it has communicated the Confidential Information; (f) make no copies of any Confidential Information or alter, modify or in any other way change it without the disclosing party’s prior consent, except to the extent it is required for Nord to implement these Terms; (g) not assert any claim of title or ownership to the Confidential Information or any portion thereof.

The confidentiality obligations shall not apply to that information which: (a) is or becomes publicly available other than as a result of a breach of Terms by the receiving party; (b) is already in the receiving party’s lawful possession prior to disclosure by the disclosing party or is independently derived by the receiving party without the aid, application or use of the Confidential Information or other than by breach of these confidentiality obligations; (c) is lawfully disclosed to the receiving party by a third party on a non-confidential basis; or (d) is necessary to allow a party to comply with applicable law, decision by a court or, requests from government agencies or third parties, that such party determines require disclosure, but only after first notifying the other party of the required disclosure, unless such notification is prohibited.

12. Disclaimer of warranties

THE SERVICES AND SOFTWARE ARE PROVIDED "AS IS" AND "AS AVAILABLE". TO THE FULL EXTENT PERMISSIBLE BY APPLICABLE LAW, WE DISCLAIM ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING THROUGH COURSE OF DEALING OR USAGE OF TRADE. WITHOUT LIMITING THE FOREGOING, WE NEITHER WARRANT NOR REPRESENT THAT SERVICES WILL MEET ALL REQUIREMENTS OF CUSTOMER OR ANY END USER, OR THAT THE OPERATION OF THE SOFTWARE OR SERVICES WILL BE UNINTERRUPTED OR ERROR FREE, OR THAT ALL DEFECTS IN THE SOFTWARE AND SERVICES WILL BE CORRECTED.

YOU ACKNOWLEDGE THAT WE DO NOT HAVE CONTROL OVER YOUR USE OF THE SERVICES. CUSTOMER IS RESPONSIBLE FOR USING SERVICES OR SOFTWARE (INCLUDING FOR ITS END USERS USING SERVICES AND SOFTWARE) IN ACCORDANCE WITH THE TERMS SET FORTH HEREIN.

IF YOU ARE DISSATISFIED WITH ANY PORTION OF THE SERVICES OR WITH THESE TERMS OF SERVICE, YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USE OF THE SERVICES.

Third-party software. We may from time to time include as part of the Services computer software supplied by third parties which is utilized by permission of the respective licensors and/or copyright holders on the terms provided by such parties. Nord expressly disclaims any warranty or other assurance to you regarding such third-party software.

13. Limitation of liability

There are inherent risks in relying upon, using, transmitting or retrieving any data and (or) content on the internet, and we urge you to make sure you understand these risks before using the Services.

TO THE FULLEST EXTENT PERMITTED BY LAW, NORD AND ITS AFFILIATES, SUPPLIERS, RESELLERS AND DISTRIBUTORS WILL NOT BE LIABLE UNDER THESE TERMS FOR (A) INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, WHETHER ARISING IN CONTRACT OR IN TORT (INCLUDING BUT NOT LIMITED TO NEGLIGENCE); OR (B) LOSS OF USE, DATA, BUSINESS, REVENUES, OR PROFITS (IN EACH CASE WHETHER DIRECT OR INDIRECT), EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

NORD’S AGGREGATE AND CUMULATIVE LIABILITY FOR DAMAGES HEREUNDER SHALL IN NO EVENT EXCEED THE AMOUNT OF FEES PAID BY THE CUSTOMER TO NORD UNDER THESE TERMS AND FOR THE SPECIFIC APPLICABLE SERVICE DURING THE TWELVE-MONTH PERIOD PRECEDING THE INITIATION OF ANY CLAIM FOR DAMAGES. FOR FREE ACCESS SUBSCRIPTIONS OR TRIALS, NORD’S TOTAL LIABILITY WILL NOT EXCEED, IN AGGREGATE, FIFTY EUROS.

IN COUNTRIES WHERE THE ABOVE TYPES OF EXCLUSIONS AND LIMITATIONS AREN’T ALLOWED, WE ARE RESPONSIBLE TO YOU ONLY FOR LOSSES AND DAMAGES THAT ARE A REASONABLY FORESEEABLE RESULT OF OUR FAILURE TO USE REASONABLE SKILL AND CARE OR OUR BREACH OF OUR CONTRACT WITH YOU.

14. Indemnification

By Customer. Customer will indemnify and hold Nord harmless from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys' fees) arising out of any claim, judgment or proceeding against Nord and its affiliates resulting from or related to Customer's or Customer's end users' use of Services or Software in violation of the Terms.

By Nord. Nord will indemnify and hold Customer harmless from and against all liabilities, damages and costs arising out of any claim, judgment or proceeding against Customer and its affiliates resulting from or related to an allegation that Nord’s technology used to provide Services to Customer infringes or misappropriates any copyright, trade secret, patent, or trademark right of a third party. In no event will Nord have any obligations or liability under this Section arising from the use of any Services or Software in a modified form or in combination with materials not furnished by Nord. Nord’s liability, damages and costs under this provision are limited to the same amount as foreseen in the Section “Limitation of liability”.

The indemnified party will promptly notify the indemnifying party of all claims of which it becomes aware and will: (a) provide reasonable cooperation to the indemnifying party at the indemnifying party’s expense in connection with the defense or settlement of all claims, and (b) be entitled to participate at its own expense in the defense of all claims. The indemnified party agrees that the indemnifying party will have sole and exclusive control over the defense and settlement of all claims provided. The indemnifying party will not acquiesce to any judgment or enter into any settlement, either of which imposes any obligation or liability on an indemnified party, without the indemnified party's prior written consent. THE INDEMNITIES ABOVE ARE THE CUSTOMER'S ONLY REMEDY UNDER THESE TERMS FOR VIOLATION BY NORD OF A THIRD PARTY'S INTELLECTUAL PROPERTY RIGHTS.

15. General terms

Disputes; Governing law. The parties shall endeavor in good faith to resolve any dispute, claim, controversy, or disagreement relating to or arising out of these Terms, or the subject matter of these Terms (“Dispute”), by negotiation. Any Dispute which remains unresolved 30 (thirty) days after either party gives written notice of the existence of such Dispute, may be referred for final resolution by the competent courts of England and Wales in London, United Kingdom. The proceedings shall be held in the English language. The parties agree that these Terms shall be governed by the laws of England and Wales.

End user disputes. End users of the Customer acknowledge and agree that, as between Nord and Customer, it is solely the Customer's responsibility to respond and resolve any dispute with any end user relating to or based on the Services or Customer's failure to fulfill his obligations under these Terms.

Class action waiver. Where permitted under the applicable law, class action lawsuits, class-wide arbitrations, private attorney-general actions, and any other proceeding where someone acts in such representative capacity are not allowed. Unless both Customer and Nord agree, no arbitrator or judge may consolidate more than one person’s claims or otherwise preside over any form of a representative or class proceeding.

Modification. Nord may revise these Terms from time to time without any liability and the most recent version will always be posted on the Website(s). The amendment of Terms may be communicated to you by sending an email or by publishing the updated Terms on the Website(s). Revised Terms will not be applied retroactively and, if not stated otherwise, will become effective from the day they are updated on the Website(s). Customer's continued use of Services after the effectiveness of any update will be deemed to represent Customer's consent to be bound by, and agreement with, the amended Terms.

Notices. Any notice required or permitted to be given hereunder shall be given in writing by personal delivery, by e-mail or by world-recognized courier delivery. Notices to Customer may also be sent to the applicable account email address and are deemed given when sent. Notices to Nord, in any case, must also be sent to info@authopia.io or, if the notice is related to a specific Service only, to the email address indicated in the Service Specific Terms, and are deemed given the next business day from such notification.

Communication. When communicating with our customer support or other representatives or employees, you agree to be respectful and kind. If we feel that your behavior towards any of our representatives or employees is at any time threatening or offensive, we reserve the right to immediately terminate your access to the Services.

Data Protection. Customer is responsible for obtaining any consent(s) in accordance with applicable data protection laws from its end users and (or) providing all necessary information to its end users relating to the processing of their personal information. Data Processing Agreement, as published on our Website(s), forms part of the Terms between Nord and the Customer.

Entire agreement. The Terms shall constitute the entire understanding and agreement between the parties with respect to the subject matter thereof and supersede all previous communications, representations, understandings, arrangements and agreements, either oral or written, between the parties with respect to the subject matter thereof. All attachments to Terms, Privacy Policy, Data Processing Agreement (if applicable) and Customer invoices executed by the parties, are hereby incorporated into Terms by this reference.

Independent contractors. Nothing in the Terms shall be considered as grounds for partnership, agency, distribution, joint venture or similar relationship between you and Nord.

Assignment. Neither party shall assign these Terms or any right or interest under these Terms, nor delegate any obligation to be performed under these Terms, without the other party's prior written consent. Nord can assign its rights and obligations under these Terms to a selected third party without Customer’s consent in case of corporate reorganization, merger, acquisitions, sale or transfer of any part of its assets.

Third parties. Customer acknowledges and agrees that Nord uses third-party service providers (including but not limited to server service providers) to provide Services and will not be held liable for third-party service providers’ actions or inaction beyond Nord’s reasonable control.

Force majeure. If either party is prevented from performing any portion of the Terms (except for payment obligations) by causes beyond its reasonable control, including, without limitation, failures of telecommunication or internet service providers, labor disputes, civil commotion, war, governmental regulations or controls, casualty, inability to obtain materials or services or acts of God, such defaulting party will be excused from performance for the period of the delay and for a reasonable time thereafter.

Waiver. The failure by either party to exercise or the delay in exercising any right or remedy provided by these Terms or by applicable law shall not constitute or be construed as a waiver of that right or remedy, a waiver of any other right or remedy or in any way affect the validity of these Terms.

Severability. If any provision of these Terms is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that the Terms shall otherwise remain in full force and effect and enforceable.

If you have questions or concerns regarding these Terms, please contact us at info@authopia.io.

DATA PROCESSING AGREEMENT

LAST UPDATED: 21 June 2024

This Data Processing Agreement (“DPA”) is an integral part of the Terms of Service of Authopia Services (“Terms”) concluded between the Customer and Nord (hereinafter collectively referred to as the “Parties”). The main purpose of this DPA is to define how Nord processes personal data on behalf and under the Customer’s instructions while providing the Services.

  1. Definitions
    1. Unless expressly stated in this DPA, the capitalized terms shall have the meanings indicated below:
      Personal Data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
      Customer’s Personal Data means all Customer’s Personal Data in whatever form or medium which is (i) supplied to, or in respect of which access to the Authopia is granted by the Customer or otherwise in connection with the Terms, or (ii) produced or generated by or on behalf of the Customer in connection with the Terms.
      EEA means the European Economic Area.
      Data Protection Laws means all applicable worldwide legislation relating to data protection and privacy which applies to the respective Party in the role of processing Personal Data in question under this DPA, including, without limitation, European data protection laws: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (hereinafter, the “GDPR”); (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); (iii) the GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (hereinafter, the “UK GDPR”); regulations of the United States of America, including the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et. seq., and its implementing regulations (hereinafter, the “CCPA”), applicable to the processing of the Personal Data (or an analogous variation of such term); other applicable data protection and privacy laws.
      SCCs means standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Commission implementing decision 2021/914 of 4 June 2021) as updated or replaced from time to time. The current version of the SCCs (i.e., applicable at the time of the conclusion of this DPA) is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
      UK SCCs means an International Data Transfer Addendum to the SCCs approved by the UK as updated or replaced from time to time. The current version of the Addendum to the SCCs (i.e., applicable at the time of the conclusion of this DPA) is available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/.
    2. The following lower-case terms used but not defined in this DPA, such as “controller”, “processor”, “sub-processor”, “processing”, “special categories of Personal Data”, “Personal Data breach” and “supervisory authority” shall have the same meaning as set forth in the GDPR, irrespective of whether the GDPR applies.
    3. Terms and expressions used in this DPA and not defined herein have the meaning assigned to them in the Terms.
  2. Application of this DPA
    1. This DPA applies when Nord processes the Customer’s Personal Data in order to provide Services under the Terms. Nord, as defined in this DPA, acts as the data processor, whereas the Customer acts as the data controller.
    2. The nature, purpose, subject matter, and other details of processing activities performed as part of the Services are set out in Annex I of this DPA.
  3. General Obligations
    1. Nord warrants and undertakes to process the Customer’s Personal Data only for the limited and specified purposes set out in the Terms and/or as otherwise lawfully instructed by the Customer in writing (as specified in the Terms) and mutually agreed by the Parties, except where otherwise required by the Data Protection Laws. Nord will not process the Customer’s Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Laws.
    2. The Customer’s initial instructions to Nord are set forth in the Terms and any applicable documentation of the Authopia service, this DPA and its Annex I. All the instructions provided are comprehensive and reflect the Customer’s will.
    3. Nord shall not evaluate any instructions of the Customer, which shall be held responsible and liable for any given instructions, to be fully lawful and compliant with the applicable Data Protection Laws. If in Nord’s reasonable opinion, an instruction undoubtedly infringes the applicable Data Protection Laws, Nord shall notify the Customer. Nord is not responsible for compliance with any Data Protection Laws applicable to the Customer or its industry that are not generally applicable to Nord.
    4. Nord shall not take any action that would cause the Customer to violate the Data Protection Laws.
    5. In particular but without prejudice to the generality of the foregoing, the Customer acknowledges and agrees that it will be solely responsible for: (i) the accuracy, quality, and legality of the Customer’s Personal Data and the means by which it acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including any necessary notifications, consents, and authorizations that are needed for the Customer’s use of Nord’s Services; (iii) ensuring it has the right to transfer, or provide access to, the Personal Data to Nord for processing in accordance with the provisions of the Terms (including this DPA); and (iv) ensuring that its instructions to Nord regarding the processing of Personal Data comply with applicable laws, including Data Protection Laws. The Customer shall also inform Nord without undue delay if the Customer is not able to comply with its responsibilities under this Section.
  4. Data Disclosure
    1. Nord undertakes not to disclose the Customer’s Personal Data to any third party other than through the use of sub-processors as specified in this DPA, except if the Personal Data is disclosed under third parties’ request of information in accordance with applicable legal acts or under legitimate requests from law enforcement or other competent authorities.
    2. To the fullest extent permissible under the Data Protection Laws, the Customer provides a general authorization to Nord to use sub-processors to fulfill its obligations as set forth in this DPA provided that Nord maintains a list of sub-processors and, upon receiving a written request from the Customer, provides the Customer with such list.
    3. Nord shall: (i) ensure that any sub-processor is contractually bound in writing to provide at least the same level of protection as is required by this DPA and complies with the Data Protection Laws; (ii) be fully responsible and liable to the Customer for acts and omissions of any sub-processor as if they were Nord’s own act or omission.
    4. If required to do so by applicable Data Protection Laws, in case of a new sub-processor: (i) Nord will inform the Customer thereof; and (ii) Nord shall enable the Customer to object, by way of providing Nord with a reasoned, specific and written objection, to changes concerning the addition or replacement of sub-processors to the aforementioned list.
  5. Data Transfers
    1. The Customer shall transfer the Customer’s Personal Data in accordance with the requirements of Data Protection Laws applicable to the Customer.
    2. The Customer acknowledges and agrees that Nord may access and process the Customer’s Personal Data on a global basis as necessary to provide the Services in accordance with the Terms.
    3. The Customer’s Personal Data from the EEA or the UK may only be exported to or accessed by Nord or its sub-processors outside the EEA or the UK (“European Transfer”), as applicable:
      1. if the recipient or the country/territory in which it processes or accesses the Customer’s Personal Data ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Personal Data as determined by the European Commission or another regulatory body of competent jurisdiction (“Adequacy Decision”); or
      2. in the absence of an Adequacy Decision, the European Transfer can only take place in accordance with Annex II of this DPA.
  6. Data Security
    1. Nord shall take appropriate technical and organizational measures (hereinafter, the “TOMs”) to protect the processed Customer’s Personal Data. TOMs must ensure an adequate level of security, taking into account:
      1. context, objectives, and particular risks associated with the processing of Personal Data;
      2. the risks to the rights and freedoms of data subjects arising from the processing of Personal Data;
      3. Nord’s existing technical capabilities; and
      4. costs of the measures or their implementation.
    2. Nord must ensure that the TOMs used to protect the Customer’s Personal Data include the following measures/requirements where appropriate:
      1. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services of the Customer’s Personal Data processing;
      2. the ability to restore the availability and access to the Customer’s Personal Data in a timely manner in the event of a physical or technical incident;
      3. regular assessment of the efficiency of TOMs to ensure the security of the processing of Personal Data.
    3. Nord shall also ensure that persons authorized to process Personal Data, including sub-processors, authorized to process the Customer’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    4. The list of Nord’s current TOMs used to protect the Customer’s Personal Data is set out in full in Annex I of this DPA. Notwithstanding any provision to the contrary, Nord may modify or update the TOMs at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the current TOMs.
    5. Nord, having become aware of any Personal Data breach affecting the Customer’s Personal Data shall: (i) report the breach to the Customer without undue delay, after becoming surely aware of the Personal Data breach; (ii) make reasonable efforts to assist the Customer in fulfilling its obligation under applicable Data Protection Laws to notify a relevant supervisory authority and/or data subjects about such Personal Data breach. For the avoidance of doubt, Nord will not notify and/or disclose any information relating to the Personal Data breach to any third party, including but not limited to data subjects and supervisory authority, unless required to do so by Data Protection Laws.
  7. Cooperation and Data Subjects Rights
    1. The Customer shall process and respond to every enquiry, request, notice, question, complaint or other communication related to the processing of the Customer’s Personal Data under this DPA (“Request”) received from: (i) any natural person whose Personal Data is processed by Nord on behalf of the Customer or (ii) any supervisory authority.
    2. When the Customer is not able to solely process and respond to the Request, the Customer may ask Nord for reasonably required assistance (subject to the nature of the processing and the information available to Nord) to enable the Customer to:
      • comply with (and demonstrate compliance with) its obligations under the Data Protection Laws (including, but not limited to data protection impact assessments, reporting to and consulting with supervisory authorities); and
      • respond to, comply with, or otherwise resolve the Request. In the event that any such Request under this Section is made directly to Nord, Nord shall promptly inform the Customer by providing full details of such Request. For the avoidance of doubt, Nord will not respond to any Requests, unless Nord is legally compelled to do so.
  8. Right to Carry Out an Audit
    • When reasonably necessary, the Customer shall have the right to take the measures necessary to verify Nord’s compliance with this DPA.
    • The Customer shall also have a right to request an audit performed by the independent, accredited, and reputable third-party audit firm agreed by both Parties. For the avoidance of doubt, neither the Customer nor the appointed auditor shall be a competitor of Nord’s business and, under no circumstances may the Customer, or the selected auditor, have access to Nord’s confidential information, information of Nord’s other clients, nor to any information of third parties to whom Nord owes a duty of confidentiality. Before conducting the audit, the Customer and auditor must execute a written confidentiality agreement acceptable to Nord or otherwise be bound by a statutory confidentiality obligation.
    • This audit will only take place where there is a specific and well-founded suspicion of misuse of the Customer’s Personal Data, and only after the Customer has requested and assessed similar existing reports from Nord and has made reasonable arguments to justify an audit being initiated by the Customer. For the avoidance of doubt, such an audit can be justified only if similar reports (that Nord has available) provide insufficient or inconclusive answers regarding compliance with this DPA by Nord.
    • An audit shall take place during regular business hours in a manner that is not disruptive to Nord’s business, upon reasonable no less than two (2) month advance notice to Nord (unless mandatory applicable Data Protection Laws or the supervisory authority requires a shorter notice) and subject to a maximum capacity of confidentiality undertaking as provided below. Before the commencement of any such audit, the Parties shall mutually agree upon the timing, duration, and scope of an audit, which shall not involve physical access to the servers from which the Customer’s Personal Data processing is provided.
    • The Customer shall notify Nord regarding any non-compliance discovered during the course of an audit. The Customer may not audit Nord more than once during any consecutive twelve (12) month period. The Customer is responsible for all costs and fees related to such audit, including all costs and fees for any and all time Nord expends for any such audit.
    • All information discovered in the course of an audit shall be treated as “Confidential Information” and shall be subject to the “Confidentiality” Section of the Terms.
  9. Term
    • This DPA shall apply as long as the Services are provided to the Customer as set out in the Terms unless the Parties terminate the Terms and/or this DPA earlier on the grounds provided therein.
    • Following termination of the DPA, Nord shall delete or return the Customer’s Personal Data to the Customer at its choice. The Customer’s Personal Data shall be deleted as determined in the Terms.
  10. Liability
    1. Nord’s liability, taken together in the aggregate, arising out of or related to this DPA, whether contractual, tort or under any other theory of liability, shall be subject to the limitations and exclusions set out in the Terms. Liability of Nord shall mean the aggregate liability of Nord under the Terms and this DPA together.
  11. Other Provisions
    1. All notices between the Parties shall be given following the provisions of the Terms.
    2. Nord shall have the right to any reimbursement of reasonable expenses, costs, and fees which were incurred as a result of Customer’s (i) inaccurate, incomplete, or unlawful instructions; and/or (ii) requests for cooperation which are unfounded, excessive, and/or impose unreasonably disproportionate costs to Nord.
    3. This DPA shall be governed and any disputes or claims arising from this DPA shall be settled according to the provisions of the Terms.
    4. Notwithstanding anything to the contrary in the Terms, in the event of any conflict or inconsistency between the terms of this DPA and the Terms, the provisions of this DPA shall prevail.

ANNEX I

Description and Instructions for Processing

Purpose and nature of the processing
To provide the Services to the Customer as provided in the Terms or as instructed by the Customer.

Categories of the data subjects
Customer’s end users of the Services, including Customer’s employees, representatives, contractors, customers, and any other natural persons that are authorized by and/or receive access to the Services through the Customer.

Categories of the Personal Data
Customer and Customer end users: basic organization contact information, email address;
Identification data, such as user email address and relationship to Customer;
Passkey data, such as public key and metadata;
Usage information, such as security changes, login, and registration attempts, other event types and activity dates.

Duration and frequency of the processing
The processing is performed on a continuous basis for the period of providing the Services to the Customer.

The subject matter, nature, and duration of the processing by sub-processors
Sub-processors are an integral part of the Services provided to the Customer. Sub-processors are used in all stages of providing the Service and the Customer’s Personal Data is processed for as long as it is needed to provide the Service.

Description of the TOMs implemented by Nord

Technical Measures

Encryption
Personal data is encrypted during transmission (e.g., TLS) and at rest (e.g., AES256).
Strong and unique encryption keys, with regular rotation and secure storage.

Access Control
Role-based access controls are in place to ensure only authorized personnel can access Personal Data. Access to the Customer’s Personal Data is granted only to persons who require the Customer’s Personal Data to carry out their functions (on a need-to-know basis). Multi-factor authentication is implemented for systems storing or processing Personal Data. VPNs for secure jumpboxes are used for remote systems storing or processing Personal Data. Administrator-level privileges to Nord’s infrastructure are restricted to only a limited number of employees.

Firewalls and Intrusion Detection
Firewalls are implemented to monitor and control incoming and outgoing network traffic. Network intrusion detection and prevention systems are used to detect and counteract malicious activities.

Server Security
Nord uses configuration management software that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and other needs.

Data Backup
Regular backups of Personal Data are made. Backups are stored in a remote location. Regular testing of backup restoration processes is in place to assure integrity and availability.

Endpoint Security
Anti-malware and antivirus software is deployed on all devices accessing Personal Data. Devices are centrally managed to control configuration, hardening, patching and updates. Nord maintains employee software inventory and is able to detect unauthorized software.

Vulnerability management
The security of Personal Data is ensured by internal security team professionals and outside consultants who perform periodic manual and automated security reviews and penetration tests for Nord’s applications, web applications and services.

Organizational Measures

Training and Awareness:
Regular information security and privacy training is completed by employees working with Personal Data. Training material is regularly updated on evolving threats and protective measures.

Vendor Management:
A Vendor Risk Management process is implemented to assess the risk and complies with data protection standards. Regular reassessments of vendor security practices are conducted annually.

Physical Security:
Secure access is in place to physical locations where Personal Data is stored or processed. Security cameras, alarms, and access logs are used to secure places with Personal Data.

Data Breach Notification:
Procedures are in place for notifying relevant parties in the event of a data breach. Regular incident response drills are organized to ensure the organization can respond swiftly to a breach.

The TOMs to be taken by sub-processors
Nord implements technical and organizational measures to ensure that security practices upheld by its sub-processors are not less protective than those provided in the DPA with respect to the protection of the Customer’s Personal Data (to the extent applicable depending on the nature of the services provided by a sub-processor).

ANNEX II

The SCCs and European Transfers Agreement
  1. EEA Transfers. In relation to the Customer’s Personal Data that is subject to the GDPR: (i) the Customer is the "data exporter" and Nord is the "data importer"; (ii) the relevant provisions contained in the SCCs are incorporated by reference and are an integral part of this DPA - the Module Two terms apply to the extent the Customer is a Controller of Personal Data; (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and the time period for prior notice of sub-processor changes shall be ten (10) calendar days; (v) in Clause 11, the optional language is deleted; (vi) in Clauses 17 and 18, the Parties agree that the governing law and forum for disputes for the SCCs will be the Netherlands; (vii) the Annexes of the SCCs will be deemed completed with the information set out in Annex I of the DPA; and (viii) if and to the extent the SCCs conflict with any provision of this DPA the SCCs will prevail to the extent of such conflict.
  2. UK Transfers. In relation to the Customer’s Personal Data that is subject to the UK GDPR, the SCCs will apply in accordance with sub-section (a) and the following modifications: (i) the SCCs will be modified and interpreted in accordance with the UK SCCs, which will be incorporated by reference and form an integral part of the DPA; (ii) Tables 1, 2 and 3 of the UK SCCs will be deemed completed with the information set out in Annex I of the DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the SCCs and the UK SCCs will be resolved in accordance with Section 10 and Section 11 of the UK SCCs.

ANNEX III

CCPA Data Protection Addendum
  1. This CCPA Data Protection Addendum (“Addendum”) reflects the requirements of the CCPA and is in effect for so long as Nord maintains Personal Information (as defined in and to the extent protected by the CCPA) provided by the Customer or which is collected on behalf of the Customer by Nord (“Personal Information”).
  2. This Addendum prevails over any conflicting terms of the Terms or DPA but does not otherwise modify the Terms or DPA.
  3. The following terms used but not defined in the DPA or this Addendum, such as “Business”, “Service Provider”, “Business purpose”, “Consumer” and “Third party” will have the same meaning as set forth in the CCPA.
  4. Scope and Applicability of this Addendum
    1. This Addendum shall only apply and bind the Parties if and to the extent the Customer is the Business and the Customer appoints Nord as the Service Provider to process the Personal Information on behalf of the Customer.
    2. This Addendum applies to the collection, retention, use, and disclosure of the Personal Information to provide the Services to the Customer pursuant to the Terms or to perform a Business purpose.
    3. Nord’s collection, retention, use, or disclosure of Personal Information for its own purposes independent of providing the Services specified in the Terms are outside the scope of this Addendum.
  5. Restrictions on Processing
    1. Nord is prohibited from retaining, using, selling or disclosing the Personal Information for any purpose other than for the specific purpose of performing the Services specified in the Terms for the Customer, as set out in this Addendum, or as otherwise permitted by the CCPA.
  6. Consumer Rights
    1. If Nord, directly or indirectly, receives a request submitted by a Consumer to exercise a right they have under the CCPA in relation to that Consumer’s Personal Information, it will provide a copy of the request to the Customer.
    2. Nord shall provide reasonable assistance to the Customer in facilitating compliance with Consumers’ rights requests.
    3. Upon direction by the Customer and within a commercially reasonable amount of time, Nord shall delete the Personal Information.
  7. No Sale of Personal Information
    1. The Parties acknowledge and agree that the exchange of Personal Information between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Terms, the DPA, or this Addendum.