-Aamu Partners Oy-

General terms and conditions for Consulting Services

Version: May 2, 2018

Applicability

These terms and conditions shall apply to all agreements regarding provision of consultancy services concluded by and between Aamu Partners Oy (“Aamu Partners”) and its customer (“Customer”) (together “party” or “parties”). An agreement between the parties is formed by (1) concluding a written or electronically signed agreement, (2) customer’s acceptance of an offer made by Aamu Partners, or (3) Aamu Partners’ acknowledgement of an order placed by customer. Offers, purchase orders and order acknowledgements require a written form, such as an email.

Offers and Orders

An offer provided by Aamu Partners is non-binding until accepted by customer. Unless otherwise agreed, changing or cancelling a service order requires mutual agreement.

Aamu Partners’s general obligations

Aamu Partners shall perform the agreed duties and tasks in a professional manner and in accordance with good business practice.

Customer’s general obligations

Customer shall provide Aamu Partners with such information and co-operation as Aamu Partners reasonably requires to perform its tasks and duties under an agreement, which may include for instance specifying business, financial, sales and marketing objectives, appointing a contact person from customer’s organization and providing information and access to data, systems and premises as well as making timely decisions. Specific customer responsibilities may be described in an agreement.

Customer warrants that the materials, and information it provides to Aamu Partners is lawful, doesn’t violate any third party rights and can be used for their intended purpose. Customer is liable to hold Aamu Partners harmless for any third party claims made against Aamu Partners based on Aamu Partners’s use of customer information and materials.

Scope of Services and Schedules

The scope of services provided by Aamu Partners as well as any associated deliverables are defined in the agreement, Aamu Partners’s offer, statement of work or some other mutually agreed document. Aamu Partners is not required to perform any other services or deliver any other deliverables than those specifically agreed.

If the parties have agreed on specific completion dates for the provision of Aamu Partners’s services and delivery of related deliverables, the parties understand and agree that such dates are only best estimates, unless specifically described as binding completion dates in the agreement. However, Aamu Partners agrees to use diligent efforts in estimating such completion dates as well as to meet such dates.

Changes

Changing an agreement or scope of services may become necessary due to various reasons. However, changing an agreement requires mutual acceptance. All changes must be agreed in a written form, at minimum by email and agreed by a person in each party’s organization who is authorized to conclude and change agreements. When agreeing on changes, the parties should at the same time agree on how the change affects prices, schedule and other terms of the agreement.

Prices, expenses and payment terms

Prices for Aamu Partners’s services are specified in an offer, agreement, statement of work or a price list attached to an agreement. The parties may agree fixed-fee projects, that services are provided on an hourly rate basis or make an agreement for monthly-fee services.

If the parties have not agreed prices in advance for the services, Aamu Partners shall invoice the time and materials spent for performing the services at an hourly rate specified in Aamu Partners’s price list effective at the date of agreement. Aamu Partners’s price lists are valid one calendar year at a time, whereafter Aamu Partners may update it’s price list by providing a new price list at least one (1) month prior to the ending of the then current calendar year. Any price increase made by Aamu Partners should be reasonable and reflect mainly increases in Aamu Partners’s labor and fixed costs as well as general inflation.

If Aamu Partners is required to travel or acquire materials or licenses for performing its obligations, it is entitled to invoice such reasonable costs to the factual expenses.

All prices for services are exclusive of value added tax and other public charges, which shall be added and payable by customer in accordance with applicable tax laws and regulations.

The parties may agree that services are invoiced in advance, in payments posts, monthly or after provision of the services. Unless otherwise agreed, fixed-fee projects are invoiced after they have been finished (when a project is shorter than 1 month), or, on a monthly basis (when a project is longer than 1 month). Monthly-fee services as well as services performed on hourly rate are invoiced monthly. The payment term is fourteen (14) days from the date of invoice. The interest rate for delayed payments is 11,5 % per annum. If Aamu Partners is required to conclude significant subcontracting agreements on customer’s behalf and the purchased services or products are invoiced through Aamu Partners, it is entitled to demand from customer a bank guarantee or equivalent security accepted by Aamu Partners to be given as security for full payment by customer for the subcontracting costs.

Intellectual property ownership and licenses

Intellectual property rights relating to materials created by Aamu Partners solely to customer’s specifications pursuant an agreement shall belong and transfer to customer upon payment.

To the extent that any materials delivered by Aamu Partners to customer pursuant an agreement contains materials that Aamu Partners (i) had created prior to an agreement; or (ii) has created outside an agreement, whether before or after entering into an agreement with customer, then customer shall receive a non-exclusive license to use, copy and modify such materials in its internal business use.

If the materials provided by Aamu Partners to customer contain third party materials, Aamu Partners shall make available the third party materials to customer subject to the third party licensor’s applicable licence terms.
Confidentiality

A party shall not disclose to anyone any confidential information received from the other party and may not use such information for any other purpose than for furthering its obligations under an agreement. A party shall limit access to the confidential information received from the other party to such of its employees or subcontractors as may be directly involved in the subject matter of an agreement and to no other employees. These confidentiality obligations shall remain valid for five (5) years after termination or expiration of an agreement.

Privacy

To the extent that customer is considered a data controller and Aamu Partners a data processor in the meaning as given in EU General Data Protection Regulation, the Aamu Partners Data Processing Terms shall also be applied and are considered an integral part of an agreement between the parties.

Limitation of liability

In no event is Aamu Partners liable to customer for any indirect, consequential, punitive or incidental damages, including without limitation any damages for business interruption, loss of use, data, revenue, profit or third party claims.

The liability of Aamu Partners to customer in respect of any claim for loss, damage, cost or expense that is attributable to a specific order or project, shall in no event exceed the amount paid by customer for the services (excluding media costs, if any) relating to the order or project.

Furthermore, in no event shall Aamu Partners’s aggregate liability arising out of or relating to breach of contract exceed the total sum paid by customer for the services within the four (4) month period prior to the cause of the claim.

Term and termination

If the parties conclude a framework agreement for provision of consultancy services, the framework agreement shall be in force and valid until terminated by a party by giving at least three (3) month’s written notice to the other party. Termination or expiration of a framework agreement does not affect unfinished service orders under the framework agreement, which shall remain in force and valid until completed.

Unless otherwise agreed, project-based agreements shall remain in force and valid until both parties have fulfilled their obligations.

Monthly-fee based services can be terminated by a party by giving at least three (3) month’s written notice to the other party and hourly-rate assignments can be terminated by one (1) month’s written notice to the other party.

Upon a party’s termination of an agreement Aamu Partners is entitled to invoice for (i) the services performed until termination; (ii) any direct expenses incurred prior to termination; and (iii) such costs and expenses that could not be cancelled prior to termination.

A party is also entitled to terminate an agreement in whole or in part in the event that the other party fails to comply with any material term of an agreement or these terms, provided that such failure is not remedied within fourteen (14) days after the notice of the breach.

Applicable law and dispute resolution

Any agreement between the parties and these terms are governed by the substantive laws of Finland, without regard to its conflict of law rules.

Any dispute arising between the parties will be settled by amicable settlement. Failing amicable settlement within thirty (30) days of the dispute being referred to the settlement, the dispute will be finally settled by arbitration in accordance with the Arbitration Rules of the Finnish Central Chamber of Commerce by one (1) sole arbitrator appointed in accordance with those Rules. The arbitration shall be held in Helsinki, Finland and the arbitration proceedings shall be conducted in English. The Parties agree to keep confidential all information, documents and material relating to the arbitral proceedings as well as the arbitration award.

Other terms

Aamu Partners is entitled to employ subcontractors to fulfill its obligations under an agreement and it is liable to customer for all acts of its subcontractors as for its own acts.

Aamu Partners shall not be deemed to be in breach of an agreement, or otherwise be liable to customer, for any failure to perform, or any delay in performance, caused by a reason beyond Aamu Partners’s control (force majeure events).

Unless otherwise agreed, a party does not have the right to transfer an agreement or rights and obligations related to it, entirely or partly, to a third party without the other party’s prior written acceptance. However, a party may assign an agreement or rights and obligations related to it without the other party’s acceptance in connection with any merger, sale of business or similar transaction.

These terms and the additional agreed upon terms in an agreement contain the entire agreement between the parties and supersede all prior communication, discussions and agreements relating to the subject matter.

Unless otherwise agreed in writing, the customer agrees not to actively recruit or solicit the services of any person of Aamu Partners who has participated in the performance of the services under an agreement between Aamu Partners and the customer. This restriction shall remain valid during the term of the Agreement and for a period of six (6) months after termination or expiration of the Agreement.

References

Aamu Partners is entitled to use customer as a reference in Aamu Partners’s marketing materials, such as website and social media channels, provided that customer’s confidential information is not disclosed to anyone. However, if Aamu Partners has reason to believe that customer would not want to be published as Aamu Partners’s reference or it would consider certain information confidential, it will seek customer’s prior approval for the reference.

DATA PROCESSING TERMS

Version: May 2, 2018

Applicability

These terms become applicable between Aamu Partners and a customer with whom Aamu Partners has concluded an agreement, if Aamu Partners is considered as data processor and customer data controller in the meaning as given in EU General Data Protection Regulation.

Definitions

The terms used herein shall have the same meaning as given in Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “Regulation”). Such terms include without limitation controller, processor, personal data, data subject, processing and personal data breach.

Purpose

With these terms, the parties agree that customer, the controller, appoints Aamu Partners as its processor to process customer’s personal data during the term of an agreement under the terms agreed herein.

Processor shall process the personal data only to further its obligations set forth in a consultancy services agreement and in accordance with the written instructions provided by controller.

The controller shall be the sole controller for the personal data and shall be responsible for complying with the obligations the Regulation and other applicable laws set for data controllers, such as ensuring that there is a legal basis for processing personal data, informing data subjects about processing activities with privacy policies, complying with other controller’s documentation obligations and ensuring that the data is kept accurate. If and to the extent the legal basis for processing personal data is individual’s consent, the controller is liable for obtaining the consent and managing it as provided in the Regulation.

Processor is not entitled to process personal data for any other purpose or for anyone else. Processor is entitled to transfer personal data outside the EU or EEA, provided that the transfer is made in compliance with the obligations that the Regulation specifies in terms of adequate safeguards in international data transfers. Processor must immediately notify controller, if it considers that the written instructions provided by controller for processing personal data are in violation of the Regulation or national data protection laws. In addition to the terms of this annex, the parties agree to comply with the Regulation as applicable to each party.

Additional details regarding processing may be described in the agreement or in a separate document.

Sub-processing

Processor is entitled to use sub-processors for processing personal data. Additional information about sub-processors can be provided at request. If the processor plans to make changes to its sub-processors, it will notify the controller by giving at least 5-days written notice. Processor’s obligation to notify concerns intended adding, removal or change of a sub-processor. After receiving notification, controller has the right to object the intended change in the use of a sub-processor. If the controller objects the intended change and the data processor cannot reasonably use another sub-processor or another method in processing the personal data, then the processor is not liable for damages or harm caused by such objection. In this situation the processor is entitled to terminate the agreement by giving at least 1-month’s written notice to the controller.

When using sub-processors for processing personal data, processor agrees that it will impose data protection terms on any sub-processor it appoints that protect the personal data to the same standard as provided for by this Annex. Processor is fully liable that its sub-processors comply with the requirements of this Annex.

Confidentiality

All personal data processed by processor on behalf of controller is considered controller’s confidential information and processor shall not disclose the personal data to anyone or use it for any other than agreed purpose. Processor ensures that only such people shall have access to the personal data that is necessary for furthering processor’s obligations relating to the purpose and that such people shall be subject to a strict duty of confidentiality, contractual or statutory, and shall not permit any person to process the personal who is not under such a duty of confidentiality. The duties of confidentiality shall survive the termination or expiration of the Agreement.

Security

Processor shall implement appropriate technical and organisational measures to to protect the personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data. Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for natural persons’ rights and freedoms.

Such measures can include, as appropriate:

the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Personal data breaches

Processor must notify controller without undue delay about personal data breaches it becomes aware of, so that controller can comply with the provisions of the Regulation regarding personal data breach notifications within the set time limits. When notifying controller, processor must include necessary details about the personal data breach and also otherwise provide reasonable assistance for the controller. Processor must also take all such other necessary measures to mitigate or remedy the effects of the personal data breach and to prevent further breaches.

Data protection impact assessment

If processor becomes aware that the planned processing would cause a high risk for the rights and freedoms of natural persons it must notify controller about this and assist the controller, if necessary, in conducting a data protection impact assessment.

Data subject’s rights

Taking into consideration the nature of the data processing, processor must reasonably and without undue delay assist controller, including by applicable technical and organisational measures, to fulfill any request from a data subject to exercise its rights under the Regulation. Such rights may include, as they are described in the Regulation, rights of access, correction, objection, erasure (“right to be forgotten”) and data portability. If such requests are made directly to processor, it must notify controller about the request without undue delay.

Audits

Processor shall permit controller to audit processor’s compliance with these terms, and shall provide access and make available to controller all systems, premises, resources, information and staff as necessary for controller to conduct such audit. Audits will be performed during normal business hours with the aim of causing as little disruption to processor’s business operation as reasonably possible. Controller must also provide reasonable advance notification of planned audits. Both parties are responsible for their own costs and expenses relating to an audit.

Other terms

If the processor must assist the controller in fulfilling the controller’s obligations related to data breaches, data subjects’ rights and data protection impact audits, are these assistance tasks performed within the scope and time limitations provided in the parties’ monthly services agreement. If the parties have not concluded a monthly services agreement or the time required exceeds what is included in the agreement, the processor is entitled to invoice the reasonable actual time used for the assistance tasks in accordance with the hourly rates agreed between the parties. Invoicing the time used for the assistance tasks requires that the controller has accepted that the processor can use time to perform assistance tasks. Processor is not liable to the controller for any indirect or consequential loss or damage or third party claims.

Term and effects of termination

These terms into force on the same date as the agreement between the parties and shall thereafter remain in force until the agreement is terminated or expires under its terms.

Within a reasonable time after the termination or expiration of the agreement, processor shall delete or return all personal data to controller and delete also all copies of the personal data, unless national or EU or member state law requires processor to retain some or all of that data. In such event any further processing of the personal data is prohibited, except to the extent required by law. The controller is obligated to make sure that it has backup copies of the data prior to deletion, if it considers the data still necessary.

If the controller has not notified the processor about deletion or return of data within 12 months from the termination or expiration of the agreement, the processor shall delete all personal data in its possession, including any copies, unless national or EU or member state law requires processor to retain some or all of that data. In such event any further processing of the personal data is prohibited, except to the extent required by law. The controller is obligated to make sure that it has backup copies of the data prior to deletion, if it considers the data still necessary.

DESCRIPTION OF THE PROCESSING

Nature of processing:

Provision of Aamu Partners’s services and related support to its customers. Aamu Partners collects, processes and stores personal data relating to its customers in accordance with the agreement, applicable laws and these terms. Personal data may include for instance the following categories of personal data: name, email address, job title and other data. The personal data mainly relates to such data subjects that are potential or existing clients of the customer, employees or job applicant’s of the customer, business partners of the customer or users of the customer’s digital services.

Aamu Partners Oy, Business ID: 2864997-9, Ratamestarinkatu 7b, 00520 Helsinki