CIRCULATE SAAS TERMS AND CONDITIONS
These SaaS Terms and Conditions (“Agreement”) govern Customer’s access to and use of the packaging management software services (“SaaS Services”) provided by Circulate AB (“Circulate”, “we”, “us”). The accompanying Order Form forms an integral part of this Agreement.
1. Subscription and Access
1.1 Circulate grants the Customer a non-exclusive, non-transferable right to access and use the SaaS Services as described in the Order Form during the Subscription Term.
1.2 Access is limited to the number of authorized users specified in the Order Form. Customer is responsible for maintaining the confidentiality of login credentials and all activities under its accounts.
2. Fees, Payment and Price Adjustments
2.1 Customer agrees to pay the fees as outlined in the Order Form.
2.2 All fees are exclusive of VAT and other applicable taxes. Invoices are payable according to the payment terms stated in the Order Form.
2.3 Late payments may incur interest under the Swedish Interest Act.
2.4 Annual price adjustment. Circulate may adjust list prices annually, effective upon renewal, to reflect changes in costs, inflation, or service enhancements. Upon renewal, fees shall be adjusted in line with the Swedish Services Producer Price Index (SPPI) or, if unavailable, a comparable index. Circulate may apply an increase above the applicable index where it can demonstrate, with supporting documentation, that its actual costs of providing the Services have increased by more than the index. Circulate will provide at least 60 days’ notice of any price adjustment, including documentation of the applicable index change and, where relevant, evidence of the underlying cost increases.
2.5 Discounts. Any discounts set out in the Order Form apply only during the initial Subscription Term and only for so long as the qualifying conditions remain met (e.g. minimum site count, retainer in effect, prepayment term). The Order Form shall specify each discount, its qualifying conditions, and its duration. Unless the Order Form expressly provides otherwise, discounts shall not carry over to any Renewal Term; renewal pricing shall be based on then-current list prices, subject to clause 2.4.
3. Use Restrictions and Customer Indemnification
3.1 Customer agrees not to:
(a) share access with unauthorized users;
(b) reverse engineer, copy, or replicate the SaaS Services;
(c) use the platform for unlawful or competitive purposes; or
(d) upload malicious code, infringing content, or data that violates applicable laws.
3.2 Customer Indemnity. Customer shall indemnify, defend, and hold harmless Circulate from and against any third-party claims, and any damages, losses, liabilities, costs and expenses (including reasonable legal fees) incurred in connection with such third-party claims, to the extent such claims arise from (i) Customer’s material breach of clause 3.1, (ii) unlawful use or misuse of the SaaS Services by Customer, its affiliates, suppliers, contractors or any users granted access to the platform by or on behalf of Customer, in breach of clause 3.1, or (iii) Customer Data or other data, materials, content or instructions uploaded to or provided to the platform by or on behalf of Customer, including by its affiliates, suppliers, contractors or users, that infringes third-party intellectual property rights or violates applicable laws, provided that Circulate (a) gives prompt written notice of the claim, (b) grants Customer control of the defence and settlement, provided that no settlement may admit fault by Circulate, impose obligations on Circulate, restrict Circulate’s business, or adversely affect Circulate’s rights without Circulate’s prior written consent (not to be unreasonably withheld), and (c) provides reasonable cooperation at Customer’s cost. Circulate may participate in the defence with its own counsel at its own cost.
3.3 Supplier IP Indemnity. Circulate shall indemnify, defend, and hold harmless Customer from and against any third-party claims, and any damages, losses, liabilities, costs and expenses (including reasonable legal fees) incurred in connection with such third-party claims, alleging that the SaaS Services, as provided by Circulate and used by Customer in all material respects in accordance with this Agreement, infringe a third party’s intellectual property rights.
If the SaaS Services are, or in Circulate’s reasonable opinion are likely to become, the subject of such a claim, Circulate may, at its option and expense: (a) procure for Customer the right to continue using the affected SaaS Services; (b) modify or replace the affected SaaS Services so they are non-infringing while remaining materially equivalent in function; or (c) if neither (a) nor (b) is commercially reasonable, terminate the affected SaaS Services and refund any prepaid fees pro rata for the unused portion of the affected Subscription Term.
Circulate shall have no obligation or liability under this clause to the extent the claim arises from or would not have arisen but for: (i) Customer Data, supplier data, third-party data, or any other data, materials, instructions or specifications provided by or on behalf of Customer, including by its affiliates, suppliers, contractors or users; (ii) use of the SaaS Services outside the scope of this Agreement or contrary to Circulate’s instructions; (iii) modifications not made or authorised by Circulate; (iv) the combination of the SaaS Services with products, services, systems, data or materials not supplied by Circulate, where the claim would not have arisen absent such combination; or (v) Customer’s continued use after Circulate has made a non-infringing alternative available or instructed Customer to stop the allegedly infringing use.
The procedural conditions in clause 3.2(a)–(c) apply mutatis mutandis, with the roles reversed, provided that no settlement may admit fault by Customer, impose obligations on Customer, restrict Customer’s business, or adversely affect Customer’s rights without Customer’s prior written consent, not to be unreasonably withheld.
This clause 3.3 sets out Customer’s sole and exclusive remedy, and Circulate’s entire liability, in respect of any infringement of third-party intellectual property rights by the SaaS Services, and is subject to the limitation of liability in clause 11.
4. Data Ownership and Usage
4.1 Customer Data. Customer owns all raw data uploaded to the platform (“Customer Data”), which may include data sourced from Customer’s affiliates, suppliers, contractors and users. Customer is responsible for the accuracy, quality, integrity and lawfulness of Customer Data, and for obtaining all necessary rights and consents. During the Subscription Term, Customer accesses and uses Customer Data through the SaaS Services in accordance with the Order Form.
4.2 Circulate’s data layers. The platform enriches Customer Data with: (a) Circulate’s methodologies, calculation logic, models, regulatory and material reference databases, benchmarks, supplier intelligence and other proprietary platform components (“Circulate Proprietary Data”), owned by Circulate and its licensors; and (b) third-party reference data such as LCA data and public statistics, licensed or sourced by Circulate (“Circulate-Sourced Reference Data”). Neither category may be provided to Customer as a raw dataset, master export, or in any form that would allow Customer to replicate or independently use them outside the platform. The accuracy of Circulate-Sourced Reference Data is governed by clause 5.
4.3 Enriched Outputs. The reports, dashboards and data exports generated through Customer’s use of the platform (“Enriched Outputs”) combine Customer Data with Circulate Proprietary Data and/or Circulate-Sourced Reference Data. Their scope, frequency and format are as set out in the Order Form. Enriched Outputs are provided on an as-is, point-in-time basis, with no obligation on Circulate to refresh previously delivered or exported Enriched Outputs.
Customer has a non-exclusive, irrevocable (except for Customer’s uncured material breach), worldwide, royalty-free right to retain and use Enriched Outputs validly received or exported, solely for: (i) regulatory and statutory reporting (including CSRD, EPR, PPWR and equivalent regimes); (ii) internal audit, record-keeping, historical comparison and management reporting; (iii) provision to auditors, group companies and competent authorities for purposes (i) and (ii); and (iv) contractual or regulatory reporting to Customer’s own customers.
Customer shall not (a) use Enriched Outputs to develop, train or contribute to a competing service; (b) provide them to any third party other than as permitted above; or (c) reverse-engineer or attempt to derive Circulate Proprietary Data or Circulate-Sourced Reference Data from them.
4.4 Termination. On termination or expiry, Circulate makes Customer Data and Enriched Outputs available for export for thirty (30) days. Following expiry of that export window, Circulate shall delete Customer Data within a further sixty (60) days, except: (i) data Circulate is entitled to retain under clause 4.5; (ii) routine encrypted back-ups retained up to ninety (90) days before being overwritten in the ordinary course; and (iii) data retained as required by law or for legal claims. Customer may continue to use Enriched Outputs received before termination for the purposes in clause 4.3 indefinitely, except where this Agreement is terminated for Customer’s uncured material breach.
4.5 Anonymized and catalog data. Following expiry of the export window in clause 4.4, Circulate may retain and use:
(a) anonymized and aggregated data derived from platform use for research, benchmarking, service improvement and commercial purposes, provided it cannot reasonably identify Customer or any individual; and
(b) packaging item and supplier data describing products that exist independently of Customer’s specific commercial relationship with the supplier — for Circulate’s catalog and marketplace, in accordance with Circulate’s terms with the relevant suppliers — excluding Customer’s pricing, volumes, SKUs, usage data and other Customer-specific commercial information.
Continued supplier participation in the platform after termination is at the supplier’s discretion under their own terms with Circulate.
5. Third-Party Data Disclaimer
5.1 Customer-Onboarded Data. Circulate makes no warranty regarding, and has no liability for, the accuracy, completeness or currency of data provided by Customer or its affiliates, suppliers, contractors or users (including specifications, certificates and sustainability information). Customer is responsible for ensuring its suppliers, contractors and users provide complete, accurate and timely data, and for validating it before relying on it. Circulate’s role is limited to providing tools (including AI-assisted extraction) and administrative support; it does not verify or curate such data.
Customer acknowledges that Circulate’s ability to generate Enriched Outputs (including regulatory reports such as CSRD, EPR and PPWR) depends on Customer ensuring such data is provided. Where Customer-Onboarded Data is incomplete, delayed or missing, the corresponding Enriched Outputs may be incomplete, delayed or unavailable. Circulate may flag identified data gaps through the platform, but the responsibility for resolving such gaps rests with Customer. Such circumstances do not constitute a breach by Circulate, do not entitle Customer to any service credit, refund or fee reduction, and do not relieve Customer of its payment obligations under this Agreement.
5.2 Suppliers sourced by Circulate. Where Circulate sources and onboards suppliers at Customer’s request: (a) Circulate’s onboarding terms require those suppliers to provide accurate and complete data; (b) Circulate applies commercially reasonable sanity checks and flags apparent anomalies; (c) such checks do not constitute verification, and Circulate does not warrant the accuracy of supplier data or supplier compliance with their data obligations; and (d) Customer’s commercial relationship with the supplier — including purchase orders, supply contracts, quality requirements and remedies — is between Customer and the supplier directly, and Circulate is not a party to it.
5.3 Circulate-Sourced Reference Data. Circulate uses commercially reasonable efforts to source Circulate-Sourced Reference Data from reputable and reliable third-party sources (whether licensed databases, public statistics or other industry-recognised datasets) and to keep it reasonably up to date. Circulate does not warrant absolute accuracy or completeness, but will promptly notify Customer of material errors or omissions of which it becomes actually aware. Circulate’s liability under this clause is subject to clause 11.
6. Service Levels and Remedies
6.1 Circulate commits to a monthly uptime target of 99.5% for the SaaS Services, excluding scheduled maintenance windows (communicated at least 48 hours in advance) and factors outside Circulate’s reasonable control.
6.2 “Uptime” is calculated as: ((Total minutes in month − Downtime minutes) / Total minutes in month) × 100%.
Uptime and Downtime shall be measured by Circulate using its server-side monitoring, logs and incident records, acting reasonably. Customer-reported issues shall only be counted as Downtime once verified by Circulate.
6.3 If Uptime falls below 99.5% in any calendar month, Customer may request a service credit as follows: 99.0%–99.5%: 5% of the monthly fee for the affected SaaS Services; 95.0%–99.0%: 10% of the monthly fee for the affected SaaS Services; below 95.0%: 25% of the monthly fee for the affected SaaS Services. Credits must be requested within thirty (30) days after the end of the affected month and are capped at 25% of the monthly fee for the affected SaaS Services.
“Downtime” means the period during which substantially all authorised users of Customer are unable to access the core production SaaS Services due to causes within Circulate’s reasonable control, excluding: (i) scheduled maintenance notified at least 48 hours in advance; (ii) emergency maintenance reasonably required to protect the security, integrity or availability of the SaaS Services; (iii) Customer’s systems, networks, internet connectivity, devices, browsers, integrations, SSO or third-party tools; (iv) Customer Data, supplier data, third-party data, or delays or errors caused by Customer, its affiliates, suppliers, contractors or users; (v) third-party services, hosting providers or APIs outside Circulate’s reasonable control; (vi) Customer’s breach of this Agreement or misuse of the SaaS Services; (vii) Force Majeure Events (clause 13); and (viii) beta, trial, sandbox or non-production services.
Service credits are Customer’s sole and exclusive financial remedy for failure to meet the uptime target. However, if Uptime for the production SaaS Services falls below 95.0% for two consecutive calendar months, or below 99.0% in three calendar months during any rolling six-month period, in each case due to causes within Circulate’s reasonable control and excluding the matters listed above, Customer may terminate the affected SaaS Services for cause under clause 8.3 and receive a pro-rata refund of prepaid fees for the unused portion of the affected Subscription Term.
6.4 Support is provided via email at info@circulatepack.com during business hours (CET). Response times: Critical issues (platform unavailable): 4 business hours; High priority: 1 business day; Normal priority: 3 business days. Where the Order Form specifies different response times or service levels, the Order Form terms shall prevail.
Response times are target times for Circulate’s initial response only and do not guarantee resolution within the stated period. “Business hours” means 09:00–17:00, Monday to Friday, excluding Swedish public holidays, Europe/Stockholm time.
7. Professional Services
7.1 The subscription fees cover access to the SaaS Services as described in the Order Form, including any Support package hours specified therein. Additional services such as custom integrations, historical data onboarding, data migration, manual data cleaning, supplier chasing or follow-up beyond standard platform workflows, bespoke reporting, training sessions, and dedicated consulting beyond the included Support hours are not included and will be quoted separately.
7.2 Any Professional Services will be governed by a separate Statement of Work (SOW) specifying scope, deliverables, timeline, and fees. Work beyond the included Support package hours (as specified in the Order Form) shall be treated as Professional Services and billed at the agreed hourly rate or via a separate SOW.
8. Term and Termination
8.1 The Agreement begins on the Subscription Start Date and continues for the initial Subscription Term, after which it automatically renews for successive twelve (12) month Renewal Terms unless terminated in accordance with this clause 8.
8.2 Either party may terminate by providing written notice at least 90 days prior to the end of the current term.
8.3 Either party may terminate immediately upon written notice if the other party commits a material breach and fails to cure such breach within 30 days of receiving written notice specifying the breach. Material breach includes: (a) non-payment of fees for more than 30 days after due date; (b) unauthorized disclosure of confidential information; (c) use of the Services in violation of applicable laws; (d) insolvency or bankruptcy proceedings.
8.4 Upon termination, Customer access will be revoked. Customer Data export, retention and deletion are governed by clauses 4.4 and 4.5, the DPA, and (in respect of previously received Enriched Outputs) clause 4.3.
9. Confidentiality
9.1 “Confidential Information” means any non-public information disclosed by one party (“Discloser”) to the other (“Recipient”), whether orally, in writing, or electronically, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and circumstances of disclosure. Confidential Information includes, but is not limited to: business plans, pricing, customer data, technical specifications, product roadmaps, and proprietary methodologies.
9.2 Confidential Information does not include information that: (a) is or becomes publicly available through no fault of the Recipient; (b) was rightfully in the Recipient’s possession prior to disclosure; (c) is rightfully obtained from a third party without breach of confidentiality obligations; or (d) is independently developed by the Recipient without use of the Discloser’s Confidential Information.
9.3 Each party agrees to: (a) protect the other’s Confidential Information using at least the same degree of care it uses to protect its own confidential information, but no less than reasonable care; (b) use Confidential Information only for purposes of performing under this Agreement; (c) not disclose Confidential Information to third parties except to employees, contractors, or advisors who need to know and are bound by confidentiality obligations at least as protective as these.
9.4 A party may disclose Confidential Information if required by law, regulation, or court order, provided that the Recipient gives the Discloser prompt written notice (where legally permitted) to allow the Discloser to seek protective measures.
9.5 Confidentiality obligations under this Section shall survive termination of this Agreement for a period of three (3) years.
10. Warranties and Disclaimers
10.1 Limited warranty. Circulate warrants that the SaaS Services will perform substantially in accordance with the documentation during the Subscription Term. Customer’s sole and exclusive remedy for breach of this warranty is the service credit regime set out in clause 6.
10.2 Disclaimer. Except as expressly set out in this Agreement, the SaaS Services are provided “as is” and “as available”. To the maximum extent permitted by law, Circulate disclaims all other warranties, whether express, implied, statutory or otherwise, including warranties of merchantability, fitness for a particular purpose, non-infringement, title, quiet enjoyment, accuracy or completeness of data, achievement of any particular result, uninterrupted or error-free operation, and freedom from harmful components.
10.3 No regulatory compliance warranty. Customer is solely responsible for determining whether the SaaS Services and Enriched Outputs meet Customer’s regulatory and compliance obligations.
11. Limitation of Liability
11.1 General cap. Subject to clause 11.2, each party’s aggregate liability under or in connection with this Agreement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed an amount equal to the fees paid or payable by Customer under this Agreement in the twelve (12) months preceding the event giving rise to the claim.
11.2 Uncapped liability. Nothing in this Agreement shall limit or exclude either party’s liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) wilful misconduct or gross negligence; (d) Customer’s payment obligations under the Order Form; or (e) any liability that cannot be limited or excluded under applicable mandatory law.
11.3 Excluded damages. Except for Customer’s payment obligations, neither party shall be liable for indirect, incidental, special, punitive or consequential damages, or for any indirect loss of profit, revenue, anticipated savings, goodwill, business opportunity, or business interruption.
11.4 Essential basis. The parties acknowledge that the limitations of liability in this clause 11 are an essential basis of the bargain, and that they would not enter into this Agreement without them.
12. Data Protection
12.1 Where applicable, the parties agree to comply with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
12.2 The Data Processing Agreement (DPA) attached as Appendix A to this Agreement governs the processing of personal data by Circulate on behalf of Customer. The DPA forms an integral part of this Agreement.
13. Force Majeure
13.1 Neither party shall be liable for any failure or delay in performance (other than Customer’s payment obligations) caused by events beyond its reasonable control, including acts of God, war, terrorism, pandemic, government action, strikes, failures of internet, telecommunications, cloud, hosting or power infrastructure, or cyber-attacks (“Force Majeure Events”).
13.2 The affected party shall promptly notify the other and use reasonable efforts to mitigate the impact of the Force Majeure Event. Service level commitments under clause 6 are suspended during the continuance of a Force Majeure Event.
13.3 If a Force Majeure Event continues for more than ninety (90) consecutive days, either party may terminate the affected SaaS Services without liability and Customer shall receive a pro-rata refund of prepaid fees for the unused portion of the affected Subscription Term.
14. Assignment and Change of Control
14.1 Neither party may assign or transfer this Agreement, in whole or in part, without the prior written consent of the other party (such consent not to be unreasonably withheld), except that either party may assign this Agreement, on prior written notice, to (a) an affiliate under common control, or (b) a successor in connection with a merger, acquisition, reorganisation or sale of all or substantially all of its assets or business to which this Agreement relates.
14.2 Customer may not assign or transfer this Agreement to a direct competitor of Circulate without Circulate’s express prior written consent. In the event of any change of control of Customer that results in Customer being controlled by a direct competitor of Circulate, Circulate may, on thirty (30) days’ written notice, terminate this Agreement without liability, and Customer shall pay any fees due up to the termination date.
15. Notices
15.1 All notices under this Agreement shall be in writing and delivered by email to the contact addresses specified in the Order Form (or to such other email address as a party may designate by written notice from time to time).
15.2 Email notices shall be deemed received on the next business day after sending, provided the sender has not received a delivery failure notification.
15.3 Each party shall ensure that the email address it specifies for notices is monitored regularly and shall promptly notify the other party of any change.
16. Publicity and Reference Case
16.1 Use of name and logo. Circulate may identify Customer as a customer of Circulate and use Customer’s name and logo for that purpose, without further approval, in Circulate’s marketing materials, website, customer lists, sales collateral, social media posts, conference presentations and similar communications, provided such use is consistent with any branding guidelines Customer provides in writing. Customer may, by written notice to Circulate at any time, withdraw such permission for future use, in which case Circulate shall remove Customer’s name and logo from forward-facing materials within a reasonable time.
16.2 Press releases and joint announcements. Neither party shall issue a formal press release or joint media announcement specifically about this Agreement, the relationship between the parties, or the commercial terms thereof, without the other party’s prior written consent (not to be unreasonably withheld). For clarity, this clause 16.2 does not apply to routine marketing activity permitted under clause 16.1, including social media posts, blog content, sales materials, customer logos and lists, and case studies under clause 16.3.
16.3 Reference case study. The parties agree to collaborate on a reference case study describing the deployment, outcomes and benefits of the SaaS Services for Customer, to be initiated at a mutually agreed time and no later than twelve (12) months after the Start Date. The case study shall be prepared by Circulate based on data and input from Customer, submitted to Customer for review and approval prior to publication (such approval not to be unreasonably withheld or delayed), and may thereafter be used by Circulate in its marketing materials, including website, sales collateral, conference presentations, social media and similar channels. Customer agrees to provide reasonable cooperation, access to relevant data and metrics, and the participation of an appropriate spokesperson for any quotes or interviews. Either party may withdraw a previously approved case study from forward-facing use on written request, where there is a material factual inaccuracy, regulatory issue, or change of control of either party.
17. Governing Law and Jurisdiction
This Agreement is governed by the laws of Sweden. Any dispute shall be settled by the District Court of Stockholm, Sweden.
18. Severability
If any provision of this Agreement is held by a court or other competent authority to be invalid, illegal or unenforceable, in whole or in part, the validity, legality and enforceability of the remaining provisions shall not be affected. The parties shall negotiate in good faith to replace any such provision with a valid and enforceable provision that achieves the parties’ original commercial intent as closely as possible.
19. Waiver
No failure or delay by either party in exercising any right, power or remedy under this Agreement shall operate as a waiver of that or any other right, power or remedy. No single or partial exercise of any right, power or remedy shall preclude any further exercise of it. A waiver of any breach or provision of this Agreement is effective only if in writing and signed by an authorised representative of the waiving party, and applies only to the specific breach or provision waived.
20. Entire Agreement and Updates
20.1 This Agreement, the Order Form, and any attached appendices (including the DPA) constitute the entire agreement between the parties and supersede all prior negotiations, representations, or agreements relating to this subject matter.
20.2 Variations to Agreement. Any variation to the Order Form, pricing, Subscription Term, payment terms, liability provisions, data ownership provisions, or the DPA requires the prior written agreement of both parties. Continued use of the SaaS Services does not constitute acceptance of such variation.
20.3 Product and operational updates. Circulate may update the SaaS Services, documentation, technical requirements, support processes, security measures, and operational policies from time to time, provided that such updates do not materially reduce the core functionality, security, service levels, or Customer’s rights under the Agreement.
20.4 Materially adverse changes. If Circulate proposes a change to these Governing Terms that materially reduces Customer’s rights or Circulate’s obligations under this Agreement, Circulate shall provide reasonable prior notice. Customer may object in writing within thirty (30) days. If the parties cannot agree a reasonable solution, Customer may terminate the affected SaaS Services at the end of the then-current Subscription Term. If the change takes effect before the end of the then-current Subscription Term and materially prevents Customer from receiving the affected SaaS Services, Customer may terminate the affected SaaS Services and receive a pro-rata refund of prepaid fees for the unused portion of the affected Subscription Term.
For questions regarding these terms, please contact info@circulatepack.com
APPENDIX A: DATA PROCESSING AGREEMENT
GDPR Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) forms part of the SaaS Agreement between Circulate AB (“Processor”) and the Customer (“Controller”) and governs the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
1.1 “Personal Data” means any information relating to an identified or identifiable natural person as defined in Article 4 of the GDPR.
1.2 “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
1.3 “GDPR” means the General Data Protection Regulation (EU) 2016/679.
2. Scope and Purpose of Processing
2.1 The Processor shall process Personal Data only for the purpose of providing the SaaS Services as described in the Agreement.
2.2 Categories of data subjects may include: Customer employees, Customer’s suppliers, and Customer’s business contacts.
2.3 Types of Personal Data processed may include: names, email addresses, phone numbers, job titles, and business contact information.
3. Processor Obligations
3.1 Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law.
3.2 Ensure that persons authorized to process Personal Data have committed to confidentiality.
3.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
3.4 Subject to clause 4.1, not engage another processor without prior written authorization from the Controller.
3.5 Assist the Controller in responding to data subject requests and ensuring compliance with GDPR obligations.
4. Sub-processors
4.1 The Controller provides general authorisation for the Processor to engage the sub-processors listed in the Processor’s sub-processor register as of the Effective Date, which shall be made available to Controller on request or via a maintained online register.
The Processor shall give Controller at least thirty (30) days’ prior written notice of any intended addition or replacement of a sub-processor, together with information reasonably required for Controller to assess the change, including the sub-processor’s name, country of establishment, and nature of the processing activities.
Controller may object to the proposed change on reasonable grounds relating to data protection, information security, or confidentiality within the notice period. The parties shall work in good faith to resolve any such objection.
If Controller has made a reasonable objection based on a material unresolved data protection or information security risk, and the parties cannot agree on a commercially reasonable solution within thirty (30) days, Controller may terminate only the affected SaaS Services without penalty and receive a pro-rata refund of prepaid fees for the unused portion of the affected SaaS Services.
4.2 Current sub-processors include cloud hosting providers within the EU/EEA.
5. Data Transfers
5.1 Personal Data shall be processed within the EU/EEA. Any transfer outside the EU/EEA shall only occur with appropriate safeguards in place as required by GDPR Chapter V.
6. Security Measures
The Processor implements the following security measures: encryption of data in transit and at rest, access controls and authentication, regular security assessments, incident response procedures, and employee training on data protection.
7. Data Breach Notification
7.1 The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach.
7.2 The notification shall include the nature of the breach, categories of data affected, and measures taken to address the breach.
8. Data Retention and Deletion
8.1 Upon termination of the Agreement, the Processor shall retain Personal Data for 30 days to allow the Controller to export its data (including raw data and enriched outputs as specified in clause 4 of the main Agreement). After this period, the Processor shall delete or return all Personal Data, unless retention is required by law or otherwise permitted under clause 4.4 or 4.5 of the main Agreement.
8.2 The Processor shall provide certification of deletion upon request.
8.3 For clarity, previously exported reports and enriched data outputs that the Controller has downloaded during the Subscription Term may be retained by the Controller indefinitely for the purposes specified in clause 4.3 of the main Agreement, and such retention does not constitute a breach of this DPA.
9. Audit Rights
9.1 Controller may, at its own cost, audit Processor’s compliance with this DPA no more than once per calendar year, on at least thirty (30) days’ prior written notice, during normal business hours, and in a manner that does not unreasonably interfere with Processor’s operations. Processor may satisfy audit requests by providing reasonable information about its security practices, technical and organisational measures, and any independent audit reports or certifications that Processor maintains from time to time. Where an audit identifies a material breach of this DPA, the costs of the audit shall be borne by Processor.
10. Liability
Each party shall be liable for damages caused by processing that infringes the GDPR, in accordance with Article 82 of the GDPR. Liability under this DPA is subject to the limitation of liability in clause 11 of the main Agreement.
Data Protection Officer contact: dpo@circulatepack.com