This agreement ("Agreement") governs your use of the web-based solution Bård ("the Solution"). The Agreement is accepted by using the Solution. The Solution is developed and provided by Restack Software AS ("the Provider"). Companies using the Solution are considered "End Customers". The End Customer may grant access to multiple users ("End Users").

The Solution

The Solution is a web-based software solution made available to the Customer via a web browser. The Solution is provided as is.

End Users log in with a username and password. The End Customer can invite End Users to use the Solution by registering the End User to the End Customer's board in the Solution. The End Customer will then have access to the information stored by the End Customer.

Customer Responsibilities

The Customer is responsible for ensuring that documentation stored or generated in the Solution, and board work conducted, complies with applicable laws. Use of the Solution is at the End Customer’s own risk.

The End Customer may create multiple End Users who have access to the End Customer's information in the Solution. Username and password information must be stored securely and must not be shared with other individuals.

It is not permitted to copy the Solution (reverse engineering), attempt to gain unauthorized access to the Solution, or attempt to damage the Solution by uploading harmful files or similar.

Provider’s Responsibilities

The Solution is under continuous development, and errors may occur. The Provider shall correct any errors in the Solution as quickly as possible and at all times take reasonable measures to ensure high uptime for the Solution.

The Provider’s liability for errors in the system is limited to direct losses that the Customer can document as directly caused by negligence on the part of the Provider. In any case, the liability is limited to the amount equal to one year of subscription for the Customer, unless there is gross negligence or willful misconduct—in which case, the liability is limited to the amount equal to two years of subscription. The Provider is under no circumstances liable for indirect losses. The Provider is not responsible for the Customer’s execution of board duties or fulfillment of general board responsibilities.

Some End Customers may gain early access to new features in the Solution. These will be labeled "Beta", "Early Access", or similar to clearly indicate that the functionality is in testing. This is done to gradually test new features and collect feedback from End Users.

The Provider will ensure that satisfactory backup and disaster recovery routines are in place.

Ownership of the Solution

The End Customer owns the data they register or upload in the Solution. The Provider may access the End Customer’s data only if the End Customer explicitly grants the Provider access.

The Provider is granted permission to back up the End Customer’s data to ensure safe operation of the Solution.

The Provider retains ownership of all parts of the Solution—including trademarks, content, databases, source code, processes, and analytical models.

Confidentiality

The Provider will treat all information registered in the Solution, or otherwise obtained through communication with the End Customer, as confidential. The Provider takes necessary precautions to ensure that unauthorized persons do not gain access to the information.

Payment

The End Customer receives invoices annually or semi-annually (the Invoice Period). The Provider invoices the End Customer for the use of the Solution based on the current pricing, which is adjusted annually. Licenses are billed in advance at the beginning of the Invoice Period, while transactions are billed in arrears. The Invoice Period begins when the subscription is activated.

Transactions are normally invoiced together with the next license invoice, but if the total transaction cost exceeds half of the license price, the Provider may invoice transactions separately.

Invoices are sent via EHF to the End Customer’s organization number, or by email to the address provided by the End Customer. The payment term is 14 days.

Some features in the Solution may require separate agreements/subscriptions with third parties, e.g., accounting systems. These will be invoiced by the third party and are not part of this Agreement.

Termination

The Agreement is automatically renewed unless terminated by either Party before the next Invoice Period begins. Termination is done by ending the subscription under Settings in the Solution or by sending a written notice to the Provider.

Upon termination, the Agreement remains in effect until the end of the current Invoice Period. Accrued transaction costs will be invoiced upon termination after the current Invoice Period ends.

Changes to the Agreement

The Provider may change the Agreement. In such cases, the End Customer will be notified at their next login and must accept the updated terms to continue using the Solution.

Breach of Terms of Use

The Provider may suspend the End Customer’s access to the Solution in the event of a material breach of the Agreement. The Provider may also suspend access due to non-payment.

Dispute Resolution

Let’s first try to find a solution. If you are dissatisfied, let us know and we will try to resolve the issue amicably.

The Agreement is governed by Norwegian law, and any disputes that cannot be resolved through negotiation shall be settled by the ordinary courts, with Haugaland District Court as the legal venue.

Privacy

The Provider is the data controller for personal data related to the End Customer’s access to the Solution. The data is processed in accordance with the Provider’s Privacy Policy and applicable privacy laws.

If the End Customer stores personal data in the Solution, our Data Processing Agreement (Appendix 1) governs the Provider’s processing of such data on behalf of the End Customer. The Data Processing Agreement is an integral part of this Agreement.

Appendix 1: Data Processing Agreement

Data Processing Agreement – entered into between the End Customer (hereinafter the “Controller”) and Restack Software AS (hereinafter the “Processor”), as an appendix and integral part of Bård’s terms of use.

1. Background

The Controller uses the web-based solution Bård (“the Solution”), provided by the Processor, to store and manage documents and information related to board work. These may include personal data (e.g., names and contact details of board members, shareholders, or other involved parties). To the extent the Controller stores personal data in the Solution, the Processor will process such data on behalf of the Controller. The purpose of this Data Processing Agreement (“Agreement”) is to regulate the parties’ rights and obligations for such processing of personal data, in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (GDPR).

2. Definitions

Terms in this Agreement shall be understood as defined in Article 4 of the GDPR. “Personal data” means any information relating to an identified or identifiable natural person. “Processing,” “Controller,” “Processor,” etc., shall be interpreted in accordance with the definitions in data protection legislation.

3. Controller’s Responsibilities

The Controller determines the purposes and means of processing the personal data entered into the Solution. The Controller is responsible for ensuring that all use of the Solution and associated processing of personal data complies with applicable legislation. This includes, among other things, ensuring that there is a valid legal basis for processing the personal data (e.g., consent or other lawful grounds), and that data subjects' rights are protected. All inquiries from data subjects regarding access, correction, deletion, or other rights related to the personal data must be handled by the Controller. The Processor shall not respond to such inquiries directly but shall notify the Controller without undue delay of any received requests (cf. sections 8 and 10 below).

4. Processor’s Obligations

The Processor shall only process personal data to the extent necessary to deliver the Solution as agreed, and in accordance with documented instructions from the Controller. The terms of service and this Agreement together constitute the Controller’s instructions for processing. The Processor shall not use personal data for its own purposes or for purposes beyond what is specified in the instructions. The Processor shall also comply with the obligations of a data processor under data protection legislation. If the Processor believes that an instruction violates data protection law, the Processor shall notify the Controller.

5. Confidentiality and Security

The Processor shall ensure that only authorized personnel with a work-related need have access to personal data processed on behalf of the Controller. All persons granted access to the data (employees of the Processor or any sub-processors) shall be subject to a statutory or contractual duty of confidentiality. The duty of confidentiality also applies after termination of this Agreement.

The Processor is obligated to implement appropriate technical and organizational security measures to protect personal data, in accordance with the requirements of GDPR Article 32. This includes, among other things, appropriate access controls, encryption or equivalent protections where relevant, and procedures for maintaining confidentiality, integrity, and availability. The Processor shall document its security policies and measures and make such documentation available to the Controller upon request. The Processor shall regularly review and update the security measures to maintain an adequate level of protection.

6. Use of Sub-processors

The Processor uses subcontractors (“Sub-processors”) to deliver the Solution and related services (e.g., server hosting, email distribution, backups, etc.). An up-to-date list of approved Sub-processors is available in our Sub-processor Overview. By using the Solution, the Controller is deemed to have accepted the listed Sub-processors.

The Controller also gives general prior approval for the Processor to engage new or replace existing Sub-processors in the future, provided that prior notice is given. The Processor shall notify the Controller of planned changes in Sub-processors at least 4 weeks before they take effect. Notice may be given via email, website, or within the Solution.

The Controller has the right to object in writing to a new Sub-processor within 2 weeks of receiving notice, if there are legitimate grounds to do so. In such cases, the parties will attempt to find a solution. If the Controller does not accept the new Sub-processor and the Processor cannot offer an acceptable alternative, the Controller may terminate use of the Solution (and thus the Agreement) before the new Sub-processor is engaged.

The Processor is fully liable to the Controller for any processing of personal data by Sub-processors. The Processor shall ensure that all Sub-processors are subject to the same obligations under this Agreement, including requirements for confidentiality, security, and compliance with data protection regulations. The Processor shall enter into satisfactory data processing agreements with all Sub-processors.

7. Transfers of Personal Data Outside the EU/EEA

As a general rule, the Processor shall process and store personal data within the EU/EEA. If the Processor or approved Sub-processors process personal data in a third country (outside the EU/EEA), the Processor shall ensure that legal transfer mechanisms are in place. This may include the use of EU Standard Contractual Clauses or an adequacy decision from the European Commission. The Processor shall, upon request, disclose the basis for any such third-country transfers.

Unless the transfer is necessary to fulfill this Agreement (e.g., use of an approved Sub-processor in a third country as mentioned in section 6), the Processor shall not transfer personal data to countries outside the EU/EEA without the Controller’s prior written consent. In any case, all transfers shall comply with Chapter V of the GDPR to protect the rights and freedoms of the data subjects.

8. Assistance to the Controller

The Processor shall, as far as possible and considering the nature of the processing, assist the Controller in fulfilling their obligations under data protection law. This includes assisting the Controller with meeting requirements for information security, notifications and communication in the event of breaches (cf. section 9), conducting Data Protection Impact Assessments (DPIA), and any required prior consultation with supervisory authorities (GDPR Articles 32–36). The Processor shall also, upon request, assist with providing necessary information to enable the Controller to respond to data subject requests (cf. section 10).

If the Controller requires assistance beyond what is normally included in the use of the Solution, the Processor may agree on reasonable compensation for such additional assistance. Such assistance shall be provided based on separate agreement. The Processor shall in any case always provide necessary information and reasonable support without undue delay in the event of security breaches and inquiries as otherwise described in this Agreement.

9. Notification of Personal Data Breaches

If the Processor becomes aware of a personal data breach involving the Processor or a Sub-processor (e.g., unauthorized access to or loss of personal data), the Processor shall notify the Controller without undue delay. Notification shall occur no later than 48 hours after the Processor becomes aware of the breach. The notification shall include relevant available information, including a description of the nature of the breach, the estimated number of affected data subjects and records (if possible), potential consequences, and actions taken or proposed to address and mitigate the breach.

If not all information is immediately available, the Processor shall provide additional details as soon as they become available. The Controller is responsible for notifying the Data Protection Authority and/or affected individuals in accordance with GDPR Articles 33 and 34, but the Processor shall assist with information and support as needed to fulfill such obligations.

10. Handling Data Subject Requests

The Controller is responsible for handling requests from data subjects regarding access, rectification, deletion, data portability, objections to processing, etc. The Processor shall not respond to such requests unless instructed in writing by the Controller. However, the Processor shall support the Controller in meeting their obligations toward the data subject:

• Notification: If the Processor receives a request directly from a data subject regarding personal data covered by this Agreement, the Processor shall forward the request to the Controller without undue delay.
• Access and data portability: Upon request from the Controller, the Processor shall deliver or make available the personal data about a data subject stored in the Solution in a structured format so that the Controller can fulfill access or portability obligations.
• Correction and deletion: Upon request from the Controller, the Processor shall assist with the correction or deletion of personal data stored in the Solution so that the Controller can meet their obligations toward the data subject. Alternatively, the Controller may make such changes through the available features in the Solution.

The Processor may request compensation for extensive or repeated assistance that goes beyond ordinary expectations (cf. section 8, second paragraph). In all cases, assistance shall be provided within a reasonable timeframe and in compliance with applicable legal requirements.

11. Effective Date, Duration, and Termination

This Data Processing Agreement becomes effective when the Controller accepts it electronically. For new customers, the Agreement is presented for digital acceptance during registration or at first login to Bård. For existing customers, the Agreement may be made available for acceptance within the Solution (e.g., via pop-up notification or settings). Continued use of the Solution is considered acceptance of the updated terms.

The Agreement remains in effect for as long as the Processor processes personal data on behalf of the Controller in connection with the use of the Solution. Termination of the main agreement for use of the Solution (terms of service) also implies termination of this Data Processing Agreement. Nevertheless, this Agreement shall remain in effect as long as the Processor holds or processes personal data on behalf of the Controller.

Upon termination of the customer relationship, the Processor shall, upon the Controller’s request, either return all personal data received on behalf of the Controller or securely delete the data. Deletion (including anonymization) of personal data by the Processor and any Sub-processors shall occur within a reasonable timeframe, unless the Processor is legally obligated to retain the data longer. This also applies to any backups, but it is sufficient to overwrite them in accordance with established backup routines.

In the event of a breach of this Data Processing Agreement or applicable privacy laws, the Controller may instruct the Processor to cease further processing of personal data immediately until the breach is resolved. A breach of this Agreement is considered a breach of the terms of service. The liability limitations and other relevant provisions of the main agreement also apply to this Agreement. Obligations related to confidentiality and security remain in force after termination of the Agreement, for as long as the Processor handles data, and thereafter as long as required by law.

This translation is here to inform. In the event of disagreements only the current Norwegian version is legally applicable.