Terms and Conditions

These general terms and conditions apply to customers of Heimdal Whistleblowing System.

Last updated: 2025

1. Parties

These general terms and conditions (the "Terms") are concluded between:

The Supplier Heimdal Systems AB, a Swedish limited liability company, registered under number 559547-0906, with registered office at Kungsgatan 17, 3 tr, 111 43 Stockholm, Sweden (the "Supplier"), and any company or organization subscribing to the Service (the "Client").

The Supplier and the Client are hereinafter collectively referred to as the "Parties" and individually as a "Party".

2. Definitions

Service: The Supplier's SaaS whistleblowing service (Heimdal Whistleblowing System), including associated modules, APIs, updates and user support.

User: Any authorized user of the Client, including recipients and handlers of reports.

Data: Any information processed in the Service, including personal data, reports and logs related to the Client's use of the Service.

DPA: The data processing agreement set out in Annex 1 below.

SLA: Service levels defined in Annex 2.

3. Duration, Renewal and Termination

These Terms are concluded for an initial period of twelve (12) months from the date of order of the Service (the "Contractual Period").

The Contract is automatically renewed for successive periods of twelve (12) months, unless terminated in writing by the Client at least one (1) month before the expiration of the current Contractual Period.

Any termination must be notified in writing by email.

The Supplier reserves the right to terminate the Contract immediately in case of a material breach not remedied within thirty (30) days from a written notice.

4. Object and License

The Supplier provides the Service in accordance with these Terms, the SLA (Annex 2) and the Service description on its website.

The Client is granted a non-exclusive, non-transferable and limited right to use the Service for its internal needs for the duration of the Contract.

5. Pricing and Payment

The applicable prices are set out in the order confirmation or the current price list. Annual fees are invoiced in advance.

Invoices are payable within thirty (30) days of the invoice date. Late payment interest may be applied in accordance with applicable law. Prices are exclusive of taxes.

The Supplier reserves the right to adjust prices for any new Contractual Period, subject to at least sixty (60) days' notice.

6. Regulatory Compliance

The Service is designed to meet the requirements of Directive (EU) 2019/1937 as well as applicable provisions of French law relating to whistleblowing, in particular Law No. 2016-1691 known as "Sapin II Law", as amended.

The Client remains solely responsible for the designation of internal referents, the adoption of internal procedures and the information of data subjects.

7. Personal Data Protection

The Supplier acts as a processor within the meaning of the GDPR, and the Client as a controller. The Data Processing Agreement set out in Annex 1 is an integral part of these Terms.

8. Information Security

The Supplier implements appropriate technical and organizational measures (encryption, access control, logging, backups, hosting within the EU/EEA) and immediately informs the Client of any security incident.

9. Support and Availability

Support is provided in accordance with the SLA (Annex 2). Scheduled maintenance operations may be carried out with prior notice.

10. Client Obligations

The Client is responsible for managing user access and undertakes to use the Service in accordance with the law and these Terms.

11. Intellectual Property

All intellectual property rights relating to the Service belong to the Supplier. The Client retains full ownership of its Data.

12. Confidentiality

The Supplier undertakes to treat all information, including Data, reports and content processed in the Service, in strict confidence. This obligation is valid without limitation of duration.

13. Limitation of Liability

The Supplier's liability is limited to the total amount of sums paid by the Client during the last twelve (12) months. Indirect damages are excluded, except in case of gross negligence or willful misconduct.

14. Applicable Law and Jurisdiction

These General Terms and Conditions are governed by Swedish law and interpreted in accordance therewith. Any dispute arising from these General Terms and Conditions or in relation thereto shall be submitted to the exclusive jurisdiction of the courts of Stockholm, Sweden, sitting in first instance. This clause does not prevent the application of mandatory provisions of European Union law or the national law applicable in the country of establishment of the Client.

15. Acceptance

The Client accepts these Terms by checking the corresponding box when ordering and by payment of the invoice, which constitutes firm and final acceptance without handwritten signature.

Data Processing Agreement

Data Processing Agreement Relating to the Processing of Personal Data

This agreement constitutes an annex to the General Terms and Conditions of the Heimdal Whistleblowing Service.

1. Roles of the Parties

The Client acts as Controller within the meaning of Regulation (EU) 2016/679 ("GDPR"). Heimdal Systems AB acts as Processor.

2. Nature, Purposes and Duration of Processing

Purposes of processing: Operation of the whistleblowing system, including in particular the receipt, storage, analysis, processing and secure communication of reports.

Duration of processing: This Agreement applies for the entire duration of the main Contract and, where applicable, for a maximum period of two (2) years after the final closure of cases, unless otherwise required by law.

3. Categories of Data and Data Subjects

Data subjects: Employees, consultants, suppliers and any other person authorized to use the Service, as a whistleblower or recipient of the report.

Categories of data: Identification data (name, contact details)

Professional data: Content of reports, which may include sensitive data or data relating to offenses, in accordance with Articles 9 and 10 of the GDPR

4. Processor Obligations

The Processor undertakes to: (i) process personal data only on documented instructions from the Client; (ii) implement appropriate technical and organizational measures ensuring an adequate level of security; (iii) limit access to data to authorized persons only, subject to confidentiality obligations; (iv) notify the Client of any personal data breach as soon as possible; (v) assist the Client in complying with its GDPR obligations (data subject rights, impact assessments, authority consultations, etc.); (vi) delete or return personal data at the end of the Contract, unless there is a legal obligation to retain it.

5. Sub-processors

The Processor is authorized to use sub-processors (in particular for hosting, operation or support), provided that they offer sufficient guarantees and are bound by equivalent obligations. The list of sub-processors is available to the Client.

6. Transfers Outside EU/EEA

Data is processed within the European Union / European Economic Area. Any transfer outside the EU/EEA may only take place in accordance with the GDPR and after prior information to the Client.

7. Audit and Control

The Processor undertakes to cooperate with any competent authority that may require an inspection relating to the processing of personal data. Reasonable costs incurred by the Processor in connection with such inspections may be invoiced to the Client.

8. Liability

The Processor is liable for damages resulting from a breach of its obligations under this Agreement. Other limitations of liability are defined in the main Contract.

9. Duration of Validity

This Agreement remains in force as long as the Processor processes personal data on behalf of the Client.

10. Applicable Law and Jurisdiction

This Agreement is governed by French law. Any dispute relating to its interpretation or execution falls within the exclusive jurisdiction of the courts of Paris, unless otherwise required by mandatory provisions.

Service Level Agreement (SLA)

Service Levels

Support: Support is provided on business days (Monday to Friday) from 08:00 to 17:00 by email and/or telephone.

Availability: The Supplier commits to a Service availability target of 99.5% per month, excluding scheduled maintenance periods.

Incident Management – Classes and Response Times

Service credits may be granted in case of repeated failures to meet service levels, according to terms defined by the Supplier.

Heimdal Systems AB, 2025