aftra
Aftra General Terms and Conditions
1. General
These General Terms and Conditions (the “T&Cs”) apply to all services provided by Aftra ehf. reg. no. 571023-2020, Borgartúni 37, 105 Reykjavík (hereinafter “Aftra” or the “Company”) to its customers.
These T&Cs apply to all agreements between Aftra and its customers concerning the purchase of services, including offers, work requests and job descriptions, unless otherwise agreed in writing.
In addition to these T&Cs (with subsequent amendments), special terms and conditions may apply to the relationship between Aftra and its customers, based on the parties’ agreements. If special terms and conditions deviate from the T&Cs, the former shall prevail over the latter.
2. Payment and terms of payment
2.1 Billing and invoices
Prices for services are listed in the Company’s price list, and special prices or other specified prices are stated in agreements. All prices are quoted without VAT, unless otherwise stated.
The due date of invoices is 14 days after their issuance and the date of maturity is 6 days after the due date. Comments concerning invoices must be made without delay and no later than their date of maturity. Otherwise, invoices are considered to be accepted by the customer.
If an invoice or other contractual obligations fall due on the date of maturity, the customer must pay penalty interests in accordance with Act no. 38/2001 on interest rates and indexation.
2.2 Outlay
The customer shall pay for all costs incurred by Aftra on behalf of the customer. If there are major expenses or costs, Aftra will seek the customer’s consent for such expenses beforehand.
2.3 Changes to price lists and agreed fees
Aftra’ price lists are updated every 12 months in accordance with the consumer price index. Aftra also reserves the unilateral right to revise the agreed fees with respect to changes in Aftra’s costs for servicing a customer, unless otherwise agreed upon between the parties.
In other respects, Aftra reserves the right to change the Company’s price lists as needed.
Changes to price lists and agreed fees must be notified to the customer 30 days in advance.
3. Customers’ obligations and responsibilities
The customer guarantees that it has the authority to entrust Aftra with providing the agreed service and that the rights of third parties are fully respected in relation to that service, whether it is copyright, property rights or any other rights.
The customer shall enable Aftra to provide the agreed services, including by providing access to necessary systems and, as the case may be, a place of business, or as is necessary at any given time in Aftra’ opinion.
Customers are responsible for the instructions and orders they give to Aftra, as well as for the validity of the information provided to the Company.
4. Aftra’ obligations and responsibilities
Aftra is responsible for the agreed service being adequate and in accordance with the parties’ agreement.
If a customer believes that Aftra’ service has a defect, it must notify Aftra as soon as it becomes aware of the defect, without undue delay.
5. Indemnity from third party claims
The customer shall hold Aftra fully harmless from any third-party claims on the basis that the agreed service has violated the rights of the relevant third party or others.
6. Limitations of liability
Aftra’ liability for damages shall be limited to customers’ direct loss and therefore does not cover the customers’ or third parties’ indirect or consequential loss, including operational losses, loss of profits or goodwill or the customers’ breach of an agreement with a third party.
Aftra is not liable for damage caused by the customer or a third party that does not act on behalf of Aftra.
Aftra’ liability for possible damages is limited to the amount that has been paid by the customer to Aftra in the last 6 months prior to the incurrence of the liability claim. Aftra total liability for damages can under no circumstances exceed ISK 15.000.000.
The provisions of this article shall survive the termination of the agreement.
7. Force Majeur
In the event that Aftra cannot fulfill its obligations towards a customer due to a force majeure event, Aftra shall be released from all its obligations during the period in which the force majeure events lasts, and the customer has no right to apply default remedies towards Aftra, including claims of refund, discount, damages, cancellation, and/or termination.
A force majeure event means an event or circumstances not within Aftra’ control, provided that Aftra could not overcome such an event by applying reasonable remedies. Without limiting the generality of the foregoing, such events and circumstances shall, e.g., include war, rebellion, sabotage, riots, epidemics, natural disasters, actions of administrative authorities in the field of foreign exchange or commercial matters, trade embargos, port embargoes, general transportation barriers, prohibition of import/export, energy shortage, and similar uncontrollable events in relations with subcontractors.
If a force majeure event lasts for a continuous 30 days or a longer period, Aftra may terminate or cancel an agreement with the customer without notice and without being held liable.
8. Intellectual property rights and licenses
8.1 Aftra’ products
All Aftra advice and any product arising from the agreed service is intended only for the customers in question. Other parties are not permitted to rely on the advice, or to use the product in any way, without the written consent of the Company.
8.2 Software license
The software license that Aftra grants to the customer covers the use of the relevant software while the agreement between the parties is in effect and the customer pays the agreed fees.
In cases where Aftra acts as a reseller, the person/entity who grants Aftra the right to resell a license is the owner of copyrights and any other intellectual property and identity rights, whether trademark rights, design rights, patent rights or other rights, related to the software, in accordance with the owner’s terms that apply to the software. A software license does not entail the transfer of such rights other than what is expressly stated in the agreement between the parties.
The customer undertakes to use the software in accordance with the parties’ agreement and the legally protected rights of Aftra and/or third parties.
The customer agrees to comply with Aftra’ instructions, and as the case may be of third parties, regarding the use of licensed software, and the customer shall ensure that the customer’s hardware and the necessary connections to the software meet Aftra’ requirements, as applicable.
8.3 Customer/third parties’ equipment, systems and materials
In relation to Aftra’ service to a customer, Aftra may gain access to any kind of equipment (hardware and software) and customer’s systems. All rights to such equipment and systems belong to the customer, or third parties, as the case may be.
The customer guarantees that all necessary licenses for such access by Aftra are in place. The customer shall hold Aftra harmless from any kind of third-party claims based on the fact that such access infringes that person’s/entity’s rights.
9. Confidentiality obligations
The parties must treat as confidential information they may obtain in the execution of the parties’ agreement, incl. on the agreement’s subject, the customer’s software system, related software, customers, business connections, operations, activities, financial matters and trade practices of the opposite party.
Employees, contractors and others who carry out assignments on behalf of Aftra are bound by a contractual confidentiality obligation. That confidentiality obligations shall survive the termination of the contract in question.
This provision shall survive the termination of the parties’ agreement.
10. Data protection
Aftra acts as a data controller within the meaning of Act No. 90/2018 on Data Protection and the Processing of Personal Data regarding the processing of personal data of contacts who act on behalf of companies and other customers of Aftra.
If Aftra processes personal data on behalf of a customer, e.g., in connection with the service that Aftra provides to customers, the customer acts as the controller for such processing within the meaning of the Data Protection Act and Aftra acts as the processor. Under such circumstances, Aftra Terms on the Processing of Personal Data apply. The terms are available on the Company’s website.
11. Defaults and default remedies
Any infringement of these T&Cs by the parties, including any delay in payment, is considered to be a default by the party in question. Aftra reserves the right to stop providing and, depending on the circumstances, terminate the service in the event of the customer’s default.
In accordance with general rules, both contracting parties may terminate the agreement without notice in the event of material default/infringement of the other party.
Furthermore, Aftra may exercise all default remedies, incl. termination, if:
- the customer does not pay invoices from Aftra within 30 days from the date of maturity,
- the customer does not fulfill its contractual obligations towards Aftra within 30 days from the date of a written notice from Aftra challenging the customer to fulfill its obligations, or
- the customer enters into bankruptcy proceedings, is granted an authorisation to enter into financial reorganization or to seek a composition of creditors.
If Aftra terminates an agreement, the customer must pay accrued fees and all Aftra’ costs in accordance with the agreement. The customer shall indemnify Aftra for any expenses and loss of income which Aftra may incur due to the customer’s infringement of the agreement.
Notification of termination must be in writing and sent in a verifiable manner.
12. Assignment of rights and subcontractors
Aftra may use contractors to carry out projects on behalf of the customer, in part or in whole, to the extent permitted by law and the conditions in Aftra’ Terms on the Processing of Personal Data. Aftra shall ensure that the customer is informed about such outsourcing.
Customers may not assign their rights and obligations without Aftra consent.
13. Termination of an agreement
Provided that a notice period is not stipulated in an agreement between the parties the notice period shall be three months. The termination shall take effect at the end of the month in which it is received, and then the termination period begins. Notification of termination must be in writing and delivered by a verifiable manner.
14. Rights and obligations upon termination
Upon termination of an agreement, for whatever reason, the customer shall pay Aftra outstanding debts, as applicable. Parties shall return to each other, within 10 days, any properties, materials, data, or confidential information which has been provided and is owned by the opposite party, or the opposite party is entitled to.
Any work that Aftra carries out upon termination is charged in accordance with the Company’s price list, unless otherwise agreed.
15. Governing law and jurisdiction
The contractual relationship between Aftra and its customers is governed by Icelandic law.
In the event of a dispute, the matter shall be resolved by the District Court of Reykjavík.
If any provisions of these T&Cs or an agreement conflict with applicable laws and regulations or if such provisions are deemed invalid by a court having jurisdiction over the parties, such provisions shall be reworded in such a way as to minimize the distortion of the original purpose of the parties within the framework of the respective laws and court rulings, and the provisions of the T&Cs and/or agreement shall otherwise remain in full force.
16. Amendments to the T&Cs
Aftra reserves the right to amend these T&Cs and the amendments will be announced with at least 30 days’ notice on the Company’s website.
Schedule 4 – Data Processing Terms
1. SUBJECT MATTER
1.1 These terms on the Processing of Personal Data (“Terms”) apply to all processing of personal data by Aftra ehf., company number 571023-2020, Borgartún 37, 105 Reykjavik (“Processor” or “Aftra”) where Aftra acts as a data processor when providing customer (“Controller”) service. A description of the processing activities undertaken by Aftra can be found in a service agreement entered into between the parties and/or in Annex I to these Terms (the “Data Processing Description”).
1.2 All reference to the “Data Protection Act” shall in these Terms mean the Act on Data Protection and the Processing of Personal Data No. 90/2018 and Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data on the free movement of such data, which entered into force on 25 May 2018 (“GDPR”).
1.3 The terms “controller”, “personal data”, “data subject”, “processing”, “processor” and “personal data breach” shall have the meaning ascribed to them in the Data Protection Act.
1.4 These Terms apply to the Processor’s processing of personal data which is necessary to provide the Controller the requested services. If the parties have entered into a special processing agreement prior to these Terms entering into force, that agreement remains in force, unless otherwise agreed.
1.5 Any references to these Terms in a service agreement entered into between the parties, or in an offer made by Aftra which is accepted by the Controller, as applicable, shall include acceptance of the Terms.
2. PARTIES’ OBLIGATIONS
2.1 The Controller is fully responsible for fulfilling its legal obligation under the Data Protection Act, including providing adequate information to data subjects and making sure that all processing is lawful. The Controller shall also ensure that it is authorized to entrust the Processor with the processing of personal data and the Controller is solely responsible for the processing instructions provided to the Processor.
2.2 The Processor shall only process personal data to the extent necessary to provide the Controller the specified services and in accordance with the Controller’s written instructions. The Processor shall not process the personal data for any other purpose or in a way that does not comply with these Terms or the Data Protection Act. The Processor must promptly notify the Controller if, in its opinion, the Controller’s instructions do not comply with the Data Protection Act and in such events the Processor is not obliged to follow the Controller’s instructions.
2.3 The Processor shall maintain the confidentiality of all personal data and it shall not disclose personal data to third parties unless in accordance with these Terms, where such authorization is provided for in an agreement between the parties, the Controller provides special permission for dissemination of information, or the Processor is legally obliged to do so.
2.4 The Processor will ensure that its employees:
- are informed of the confidential nature of the personal data processed and that they are contractually bound by an obligation of confidentiality,
- are aware of their confidentiality obligations imposed by legislation, including the Act on Financial Undertakings, as applicable,
- have undertaken training on the Data Protection Act relating to the processing of personal data;
- are aware of the Processor’s obligations under the Data Protection Act and these Terms.
3. SECURITY OF PERSONAL DATA
3.1 The Processor shall implement appropriate technical and organizational measures, appropriate to the risk, to ensure level of security and to minimize the risk of unlawful or unauthorized processing of personal data. The measures shall seek to, as appropriate:
- ensure ongoing confidentiality, contiguity, and availability of personal data,
- ensure a process for testing and evaluating the effectiveness of measures safeguarding the processing, and
- ensure that adequate security measures are taken, having regards to the nature of the personal data processed, e.g. in terms of access control, the use of pseudo-identity and encryption.
3.2 The Processor is ISO 27001:2013 certified and has implemented security measures in accordance with the standard.
3.3 In the event a Controller deems it necessary to implement extra security measures, in addition to the measures the Processor has implemented in relation to specific services, the parties shall enter into specific agreement in relation to such additional service.
4. PERSONAL DATA BREACH
4.1 The Processor shall, without undue delay, notify the Controller after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed (“Personal Data Breach”)
4.2 The Processor’s notification shall include all information referred to in Article 33(3) of the GDPR.
The parties agree that the Controller is solely responsible for and has the sole right to determine:
- whether to provide notice of the Personal Data Breach to any data subjects, supervisory authorities, or others; and
- how such notices shall be sent.
5. SUBPROCESSORS
5.1 If the Processor appoints a third-party subcontractor to provide the services, or parts of it, and that requires the subcontractor’s processing of personal data, the subcontractor shall be considered as Sub-Processor in the meaning of the Data Protection Act
5.2 The Processor may only authorize a Sub-Processor to process personal data if the Processor has entered into a written agreement with the Sub-Processor that contains terms substantially the same as those set out in these Terms, in particular, in relation to the security of personal data.
5.3 Where the Sub-Processor fails to fulfill its obligations under such a written agreement, the Processor remains fully liable to the Controller.
5.4 The Sub-Processors used, in relation to each service provided by the Processor, are listed in the Data Processing Description. By accepting these Terms, the Controller agrees to the Processor’s use of the listed Sub-Processors.
5.5 If the Processor appoints a new Sub-Processor, it shall inform the Controller thereof and provide the Controller 14 days to object to such an appointment.
6. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA
6.1 The Processor must not transfer personal data outside the European Economic Area (“EEA”) unless the provisions of Chapter V of the GDPR are complied with.
6.2 Where the Processor transfers personal data outside the EEA, in relation to certain services, information on such transfer shall be listed in the Data Processing Description. By consenting to these Terms, the Controller accepts such transfer. Additional transfer of personal data outside the EEA shall not take place unless the Controller is notified of such transfer and is provided with the opportunity to object to it, in accordance with Article 5.5 of these Terms.
7. DATA SUBJECT REQUESTS
7.1 The Processor shall assist the Controller, to the extent reasonable taking into consideration the nature of the processing, in responding to data subject requests. All work carried out by the Processor in relation to such assistance shall be subject to the parties’ Software Agreement and/or the Processor’s price list at any giving time.
7.2 The responsibility for responding to requests from data subjects shall always remain with the Controller.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
8.1 Upon prior written request of the Controller, the Processor shall assist the Controller to carry out data protection impact assessment (DPIA) and in conducting prior consultation with the Icelandic Data Protection Authority. Such assistance shall however always take into account the nature of processing and the information available to the Processor.
All assistance with DPIA or prior consultation shall be subject to service fees in accordance with the Processor’s price list at any given time.
9. AUDIT
9.1 At least once a year, the Processor shall conduct an audit to evaluate its compliance with these Terms. This includes obtaining an external audit of its ISO 27001 certification performed by a recognized certification body.
9.2 The Processor undertakes to promptly address any exceptions noted in audit reports and implement necessary improvements.
9.3 The Processor shall furthermore make all information available to the Controller that are necessary to demonstrate compliance with these Terms, and to the extent possible taking into consideration the nature of the service, allow for and contribute to audits by the Controller, or an auditor mandated by the Controller, for the purpose of verifying the Processor’s compliance with these Terms. The audits shall only relate to the services carried out by the Processor on behalf of the Controller and the scope of the audits shall take into account the Processor’s obligations, such as in relation to security. Auditors and scope of audits are thus subject to the Processor’s consent.
9.4 The Processor shall furthermore, in accordance with legal obligations thereof, ensure regulators’ access to the personal data processed by the Processor on behalf of Controllers which are classified as regulated entities.
9.5 All assistance in relation to audits shall be subject to service fees in accordance with the Processor’s price list at any given time.
10. DURATION, DATA RETURN AND DELETION
10.1 These Terms shall remain in full force and effect as long as:
- The parties’ Software Agreement remains in effect, or
- The Processor provides the Controller with one or more of the services listed in the Data Processing Description.
10.2 Upon termination of service, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies. If the return of data calls for substantive work on behalf of the Processor, such work shall be subject to service fee in accordance with the Processor’s price list at any given time.
11. NOTIFICATIONS TO THE CONTROLLER
11.1 Notifications to the Controller based on these Terms shall be sent to the Controller’s registered contact person. The Controller is responsible for providing the Processor with contact details of such a person. If contact persons are listed in the parties’ Software Agreement, a notification shall be sent to that contact person, unless parties have agreed otherwise.
11.2 The Controller is responsible for providing the Processor with updated contact details.
11.3 The Processor can also publish all notifications, subject to these Terms, on its websites, on the condition that the Controller’s contact persons shall be informed of such notifications and have the opportunity to register for such notifications.
12. MISCELLANEOUS
12.1 The parties’ Software Agreement and Aftra’s General Terms shall, in addition to these Terms, apply to the Processor’s processing of personal data on behalf of the Controller, including provisions regarding limitation of liability. In the event of any inconsistency between the provisions of these Terms and the provisions of Aftra’s General Terms or the parties’ Software Agreement, the provisions of these Terms shall prevail.
12.2 These Terms are governed by the laws of Iceland. Any disputes arising from or in connection with these Terms shall be brought exclusively before the District Court of Reykjavík.
12.3 The Processor reserves the right to amend these Terms in accordance with changes in relevant law or regulations or due to changes in how personal data is processed. The Processor shall inform the Controller of any changes made to these Terms. If changes, made to these Terms, materially affect the rights and obligations of the Controller, such changes shall not take effect until after a predetermined time, and if the Controller does not accept such changes after a notification is sent to the Controller, the Controller shall have the right to terminate the appropriate service.
Stay ahead, stay secure.
Book a demo
We use cookies to personalize your browsing experience, analyze site traffic, and improve your interaction with our site. By continuing to browse or interact with our website, you agree to our use of cookies. You can adjust your cookie settings in your browser at any time.