These terms apply to the services offered by Seravo Oy (hereinafter referred to as “Supplier”) for business customers (hereinafter referred to as “Customer”). These services are not meant for individual consumers. Services refer to both consulting services and services that have been produced by means of information technology.
The Customer approves these terms by ordering a service from the Supplier. The terms shall enter into force on 2018-05-25 and they supersede any previous terms. Previous terms shall, however, be valid until the end of the agreement period for such customers that have terminated their service before the entry into force of the new terms.
2. Entering into an Agreement
The Customer and the Supplier will enter into an agreement, when the Customer has notified to have approved the Supplier's quote or work estimate, when the Supplier has confirmed the order in writing, when the delivery of the service has been started and it has been informed to the Customer, or when the Customer has paid for the ordered service, whichever of the above takes place first.
The Supplier may reject the agreement or postpone or suspend delivery, if the Customer has any unpaid receivables or the Supplier has otherwise justified reasons to suspect that the Customer will violate the agreement.
3. Delivery and acceptance of the service
A one-time service is delivered, or a continuous service delivery has started, when the Supplier so informs and the Customer has the opportunity to review the contents of the service.
The Supplier shall deliver the service as it sees most appropriate in such a way as it has been described in the service description or has been otherwise separately agreed with the Customer. In its deliveries, the Supplier may use subcontractors or other contractual partners.
The Supplier has the right to make technical and other changes to the service, if the content of the service is not significantly changed. The Supplier also has the right to make significant changes to the service, if the benefit is self-evident to the Customer, such as the introduction of a new technology. The Supplier is also entitled to make changes, if legislation changes, an authority requires so or if the implementation of the change is justified in order to avoid a future risk or damage.
The Supplier shall inform of any major service changes in advance. If informing in advance is not possible, the Supplier shall inform of the change as soon as it is possible.
The delivery of the service shall be deemed to have been accepted, when the Customer so informs, or when the Customer pays for the service. The service delivery shall also be deemed to have been accepted, if the Customer has not approved the delivery within two weeks of the Supplier's notice and has not presented a reclamation either.
4. Supplier's obligations
In terms of the consulting services, the Supplier is obliged to deliver a person, in accordance with the service description, who has sufficient skills and who is available at agreed times for at least the amount of time corresponding to the work estimate.
The Supplier is responsible for ensuring that the information technology services' environment is appropriately secured, monitored, maintained and confirmed.
5. Customer's obligations
The Customer is obliged to familiarise themselves with the Supplier's notices, which have been delivered to the Customer, to the informed address. The Customer is obliged to inform the Supplier of any changed contact details.
The Customer undertakes to comply with the instructions and user terms concerning ordered services. If several persons participate in the use of the Customer's services, the Customer is responsible for such personnel being provided the same information that the Customer has been provided.
The Customer is responsible for the safe distribution and storage of usernames and passwords, as well as for the use of sufficiently random passwords and the regular changing of passwords.
The Customer is responsible for all content on his/her own computers and, therefore, any content imported in to the Supplier's service, in order to ensure that the content or its use does not violate copyrights, data protection or other legislation concerning data processing or distribution.
The Customer undertakes to use the Supplier's services in such a way that the activities do not violate any legislation, regulations and are not contrary to good practice, and the Customer's activities do not cause harm to other customers or the Supplier's business activities. The Customer is liable to pay compensation, if a third party claims for damages from the Supplier for a reason caused by the Customer.
6. Information security and data protection
6.1 Information security
The Supplier is committed to the industry’s best security practices and guarantees that it has:
- the ability to maintain the continuous confidentiality, integrity, usability and fault tolerance of information management system services;
- the ability to rapidly restore the availability and access to information in the event of a technical or physical malfunction;
- A procedure, that regularly tests, inspects and evaluates the efficiency of data processing in organizational and technical procedures to ensure data security.
The supplier is responsible for the security of their own system to the extent that it has implemented and provided to the Customer according to the service description. The Supplier is not responsible for third-party software, that include, but are not limited to, Customer acquired WordPress themes, plugins and the modules and libraries included in said third-party software.
The Supplier offers technology that can advance the security of all components, but the Supplier cannot guarantee that no security violations happen.
The Customer has no right to break or circumvent the Supplier managed and protected information system’s technical protection methods. If the Customer wishes to conduct an information security audit, they must make a written security auditing contract with the Supplier in advance of conducting any testing. The contract will include a waiver, the time of the time audit as well as the limitation of disruption caused by the audit.
6.2 Data Protection
The service provided by the Supplier can be used for the management and storage of personal data according to the European Union’s General Data Protection Regulation (GDPR). Data protection and matters related to it are described in the data protection appendix.
7. Availability of network service (SLA)
The Supplier is obliged to ensure that the offered network services are available 99.9% at all times. Other service levels may be agreed in separate service agreements.
Service and maintenance measures, as well as other measures causing downtime, shall be carried out when the service has the least use on an average basis, mainly at night. The service has no regular maintenance hours' practice, but the maintenance is carried out as soon or as often as it is functionally justified. The availability guarantee concerns the service throughout the entire period, and the Supplier is responsible for ensuring that the downtime required by the maintenance measures remains within the framework of the availability guarantee.
If the availability level is not achieved, the Customer is refunded the amount corresponding to the duration of the downtime multiplied by 50, however, no more than an amount corresponding to one month's service fee. Refunds of less than 10 euros shall not be paid.
8. Service error
The service is considered to have an error, if it differs from the features determined in the agreement, order confirmation or service description, subject to the fact that the deviation effects the use of the service.
The Supplier aims to deliver a highest quality and error-free service. The Customer shall inform of any observed errors in writing. Both parties are only responsible for their own part for the work time used for investigating the error and any other costs. The Supplier shall not invoice the Customer for unnecessary notices.
The Customer must inform of an error in writing no later than eight days after he/she has observed the error or he/she should have observed the error, otherwise the Customer loses his/her right to compensation or the rescission of the agreement. Compensation must be claimed in writing within one month after informing about the error.
The Supplier is obliged to correct any significant errors in the services without delay during normal operating hours. If the error has been caused by a third party. such as a public communications network error or a software error, which has effects beyond the Supplier's systems, the Supplier is obliged to take such measures, which the Supplier is reasonably able to.
In the service, the Customer may have the possibility to make such changes to the data system that is in his/her use, but maintained by the Supplier, which have a significant impact on the operation of the data system. The Supplier shall not be required to correct any errors, which the Customer has caused with his/her operations.
9. Suspension or discontinuation of the service
The Supplier has the right to temporarily suspend the service, if the ensuring the service's long-term functionality requires it, such as, for example, in order to investigate exceptional disturbances or security violations.
The Supplier has the right to suspend or discontinue the service, if the Customer is in breach of the agreement terms. The Supplier must, however, provide notice of such action in advance, so that the Customer has the opportunity to correct matters. If the breach of contract is serious, the service may be cancelled without delay. The Supplier may also suspend or discontinue the service at the order of a court or other authority.
The Supplier may discontinue the service for a fixed term or until further notice at the request of the Customer. The Supplier reserves the right to charge an additional fee for reopening the service.
In connection with discontinuing the service, the Supplier shall deliver to the Customer, at no additional charge, all the materials in the Customer's service, such as files and databases. The Customer has the right to use them in another service to the extent that the copyrights and licenses of any possibly licensed materials permit this. The Supplier aims to prefer open source software in order to promote supplier independence.
10. Payments and billing
The Customer shall pay the Supplier the payment for the service in accordance with the price list or the payment determined in writing in accordance with the customer-specific order confirmation or work estimate. The Customer is required to pay the value added tax and any other fees under public law.
The billing period of the is one year, month or as agreed at the time of the order. Services are billed in advance. For consulting services, billing may also be done afterwards.
Terms of payment are net 14 days. The late payment interest is in accordance with the Interests Act (in 2018 ECB's benchmark interest rate + 8 %).
Paid payments are non-refundable. If the Customer wishes to upgrade their service level or capacity, the previously paid amount shall be refunded in the payment of the more expensive service. If the Customer wants a lower service level, the lower price shall enter into force, when the new billing period begins. If the Customer does not want to pay new invoices, the service must be terminated before the following billing period's invoice is sent.
One written reminder is sent for unpaid invoices, which is not subject to any fees. After this, the invoice is sent to collections, and the Customer is liable for the additional costs.
The Supplier has the right to review its pricing, in which case the new prices shall apply to all new orders from the time of change, as well as to current orders from the start of the new agreement term.
If any changes occur with the taxes or regulatory fees concerning the service, the Supplier may review its pricing to correspond these changes, without any time restrictions.
11. Damages compensation and limitation of liability
Neither the Supplier or the Customer is responsible for indirect damages to either party, unless the damages are deliberate or a result of gross negligence.
The Supplier’s compensation due to an error in the service is limited to an amount corresponding to the service fee of up to three months. The Supplier shall not compensate any indirect damages or the Customer's loss of working hours or income.
12. Validity of the agreement
The agreement term and billing period are the same. The agreement term shall continue automatically, when the billing period changes, to a period of time corresponding to the billing period, unless the agreement has been terminated in writing at least one month before the end of the agreement term.
If the Customer wishes to terminate the agreement term prematurely, the Supplier may, at its sole discretion, terminate the agreement before the end of the agreement term. In this case, however, the payment already paid for the service's agreement term shall not be refunded. The Supplier may also stop providing the service before the end of an agreement term for a Customer who has terminated their agreement, if the service is clearly not in use anymore or ensuring the service’s functionality is unnecessary or impossible.
By utilising the trader's right to withhold, the Supplier has the right to discontinue providing the service, refuse releasing or transferring the Customer's details, domain or other details or logins related to the management of the service, if the Customer has not paid the payments in accordance with the agreement or has failed to meet any other contractual obligations towards the Supplier.
13. Force majeure
The Supplier shall not be required to fulfil the agreement, if its fulfilment is prevented, or is unreasonably exacerbated, as a result of force majeure, such as a strike or labour action, state of emergency, war, wide disturbance in the communications or electricity network, natural disaster, terrorist attack, coercive measures of an authority, other legal measure or other exceptional situations.
14. Applicable law and disputes
The relations between the Customer and the Supplier shall be governed by Finnish law, however, not the provisions concerning the choice of international private law.
Any disputes between the Customer and the Supplier shall be settled at the District Court of Pirkanmaa.
Appendix for data protection and handling of personal data
This appendix complements the terms of service in the areas of data protection, information security and handling of personal data. The appendix enters the Supplier and the Customer into an agreement according to the requirements set in the European Union’s General Data Protection Regulation (GDPR) Article 28(3).
2. The Customer’s responsibilities
If the Customer handles personal data with their web service, the Customer will act as the data controller and the Supplier as the data processor.
The Customer is responsible for determining what sort of data is recorded, how the data is handled (including possible pseudonymization) and how the data is shared.
The Customer is responsible for ensuring the correct design and development of their web service, either by a third-party developer or subcontractor or by themselves. If the website is a part of a larger information system, especially one that handles sensitive information (such as medical records), the Customer is responsible for the proper separation of the individual systems in order to prevent a major leak in case of a security breach on the website.
3. The Supplier’s responsibilities
The Supplier does not monitor the data stored by the Customer, but the information security practices are designed in a manner that the Customer can store personal data in their web service.
The Supplier is responsible for developing their service in a manner that allows for data and information security to actualize by default when the service is used normally, and that the Customer has tools available which support them in acting as the data controller and in providing their customers with the required rights in the typical use of the Supplier’s service. An example of typical use is the inspection or removal of user data stored in the database of a WordPress website.
4. The rights of the data subjects
The Supplier does not handle any third-party GDPR or data protection related requests on behalf of the Customer. The requests are forwarded to the Customer as is, who must then verify their authenticity and take responsibility for the requests as the data controller.
5. Handling of security breaches
The Supplier is responsible for notifying the Customer of all security breaches without unnecessary delay, and at the latest 24 hours after the Supplier became aware of the breach. The notification must include the following:
- A description of the security breach, including the details of which groups of data subjects and personal data registries the breach affected, and the approximate number of the aforementioned;
- Name and contact information for the liaison of the Supplier’s employee or team handling the investigation into the security breach;
- A description of the consequences and/or likely consequences;
- A description of the measures taken by the Supplier due to the security breach and in order to suppress the adverse effects.
If it’s not possible to provide all the aforementioned information simultaneously, the information can be supplied in batches.
The Customer must inform the Supplier immediately in case of a suspected security breach. The Customer is also required to assist in the investigation of the security breach and to provide all the necessary information to the Supplier. The Supplier has the right to end an investigation into a security breach if the Customer is not responding to contact attempts or if the benefit of a continued investigation is clearly minor.
The supplier is responsible for the contractual confidentiality of its staff. The data stored in the service by the Customer is not read, accessed or handled unless deemed necessary by the Supplier for the continued ability to keep providing their services.
7. Subcontractor access to potential personal data
The Supplier is responsible to ensure that only their own staff and management have legal access to the Customer’s information. Subcontractors are not granted access on a level that would enable them to gain entry to possible personal data stored by the Customer in the service.
8. Storing of data
During the order process, the Customer has the option to choose the desired location for their web service and the data it contains from the Supplier’s provided list of locations available. The Supplier does not move the service or its data to another country without the Customer’s approval.
The Supplier is not permitted to transfer any personal data to a country that is not bound by the EU’s GDPR legislation. The Supplier is not permitted to share any personal data with third-parties without consent.
The Supplier does not store any of the information on a customer’s website indefinitely. All data that the Customer removes themselves or the Supplier removes after a contract ends is removed permanently.
The Supplier will provide the Customer the necessary information for conducting an audit when requested, and will assist in the audit to prove that the Supplier is adhering to the decrees of this data protection appendix.
The Supplier does not have to provide the Customer with information that have minor influence regarding data protection, or information that would potentially harm the Supplier’s trade secrets or cause harm to another customer or a third-party if it was disclosed.
If an audit reveals a Supplier related deficiency, the Supplier is required to fix the deficiency without delay at their own expense.
10. Costs related to data- and information protection
If the data processor is required to assist the data controller in fulfilling the GDPR legislation requirements related to security breaches, the rights of data subjects and/or the evaluation of the effect of data protection, the data processor is allowed to invoice a reasonable number of working hours that were carried out at a hourly rate agreed to by both the data controller and the data processor. The invoicing of said hours does require that the data controller has approved the spending of billable hours to these purposes.