Kvanta

Terms

General Terms

Last updated 2024-04-17

Kvanta AB, company registration number 559232-2670, hereinafter “Kvanta”, terms for use of the service apply between Kvanta and the company that has uploaded its share ledger in Kvanta’s digital share ledger service, hereinafter the “Customer”. These terms apply together with the data processing agreement (see Appendix 1), which shall be deemed integrated with this agreement, and apply from the time the Customer has uploaded its share ledger to Kvanta until the Customer no longer has its share ledger with Kvanta (the “Period”).

Scope of the Service

Kvanta provides a digital share ledger service, hereinafter the “Service”. The Service is provided during the Period. The Service runs on a private blockchain and is therefore not part of a public blockchain. A representative of the Customer who is a board member of the Customer is added by Kvanta as a user in the Service. The board member may then add other users with different access levels as set out below. The access levels offered by the Service: Board Member - Board members can only be assigned and revoked by Kvanta and are identified via external APIs. A board member has full access to the Service. Administrator - Administrators can be assigned and revoked by board members. The administrator has the same permissions as the board member, except for adding and revoking board members’ permissions. Editor - Editors can update the share ledger preliminarily but cannot confirm an update to the share ledger. The editor has no other permissions. Reader - A reader can view the share ledger but cannot update it. The reader has no other permissions. At service start, Kvanta has read access to the Customer’s share ledger. If the Customer wishes to reduce or expand Kvanta’s access in the Service, the Customer can do so in the Service. The Customer is reminded, however, that Kvanta may need access to the Customer’s Service for support. The functionality of the Service may be developed during the Period. Kvanta reserves the right, however, to keep the Service in its current state throughout the Period. The Service is therefore provided by Kvanta as-is at the time of use throughout the Period. Kvanta does not guarantee full functionality of the Service during the Period. During the Period, the Customer is exclusively offered the opportunity to receive help from Kvanta in registering its company in the Service. If the Customer wishes, the Customer may also register the information in the Service independently. Kvanta is not responsible for the accuracy of information when submitted to Kvanta, but is responsible for registering it correctly in the system if Kvanta handles the onboarding of the Customer’s Service. Information provided by the Customer that is not personal data is stored on the blockchain. This means the information cannot be deleted from the blockchain, which the Customer accepts by signing the user agreement. Personal data is not stored on the blockchain and can therefore be deleted from the Service. The Customer is not bound to the Service during the Period and may terminate the Service at any time during the Period, in accordance with the terms agreed between the Customer and Kvanta.

Customer Commitments

The Customer is responsible for ensuring that the information provided to Kvanta at start and setup of the Service is correct and reflects actual conditions. If the Customer enters information in the Service itself, the Customer is responsible for entering information correctly and ensuring the information complies with the Swedish Companies Act rules for share ledgers. The Customer shall register data from the Customer’s share ledger. Kvanta is never responsible for whether information provided by the Customer and registered in the Service reflects actual conditions. Kvanta expects to receive feedback on the Service. The Customer provides contact details for the board member, who approves that Kvanta may contact the board member for service feedback. The Customer may not input code or other information that may violate, damage, or destroy the Service in any way, for example by accessing and using information from the Service in a harmful or fraudulent way, or by circumventing or attempting to circumvent Kvanta’s systems and security measures. The Customer is solely responsible for ensuring compliance with Swedish Companies Act rules regarding share ledgers. Kvanta is responsible for providing access to a digital share ledger service that enables maintenance of a correct share ledger.

Ownership Rights

The Customer owns the rights to information stored in the Service. Kvanta reserves the right to use the information for statistics and evaluation of the Service. If information is used for statistics, it will be anonymized. The Service constitutes a tool for the Customer to manage its share ledger. Kvanta owns the Service and all intellectual property rights related to the Service.

Personal Data

To provide the Service, Kvanta needs to store and process personal data provided by the Customer. The Customer is the data controller and Kvanta is the data processor regarding personal data in the share ledger. This means Kvanta stores personal data on behalf of the Customer and on the same legal basis as the Customer. This includes name, personal identity number, postal address, and any other personal data provided to Kvanta. The personal data is stored on servers provided by third parties. Third parties are and will always be located within the EU. By accepting this agreement, the Customer approves storage and processing of personal data provided by the Customer. A data processing agreement is established between Kvanta as data processor and the Customer as data controller. By accepting this agreement, the data processing agreement between the parties is also accepted. Kvanta is data controller for personal data registered for contact persons, other persons with access to the Service, and data for possible administration of future purchases of the service; see the Privacy Policy for details.

Notices, Changes and Additions

In the Service, the Customer shall provide contact details for the board member whom Kvanta representatives may contact for service evaluation. This is done for the purpose of evaluating the Service so Kvanta can improve its services. If the Customer needs to contact Kvanta, contact details are available in the Service. Kvanta may make changes and additions to these terms. Such changes or additions may relate to, for example, service offering, duration, or handling of personal data. Any changes and additions to this agreement shall be communicated in writing to the Customer via the board member’s contact details no later than 30 days before they enter into force.

At the End of the Period

This agreement governs terms for use of the Service during the Period. Before the end of the Period, the Customer will receive a notice with information about new general terms and a price list. The Customer will then be offered the option to remain a customer against payment according to the price list in force at that time. If the Customer has not notified Kvanta that it accepts the offer of the new service under the new terms no later than at the end of the Period, Kvanta will terminate the Service for the Customer. If the Customer thereafter wishes to enter into a new service agreement with Kvanta, the Customer is welcome to contact Kvanta.

Disputes

Swedish law shall apply to interpretation and application of this agreement. Any dispute shall be decided by Swedish courts, with the Stockholm District Court as first instance.

Data Processing Agreement

This data processing agreement has on this day been entered into between you as customer (the “Data Controller”) and Kvanta AB, reg. no. 559232-2670 (the “Data Processor”).

  • Background and scope

This Data Processing Agreement shall be considered part of the user agreement and the general terms, which together constitute the agreement for Kvanta AB’s digital share ledger service. The parties have entered into an agreement under which the Data Processor has undertaken to provide a digital share ledger on behalf of the Data Controller (the “Service Agreement”). In performing the services under the Service Agreement, the Data Processor will process personal data on behalf of the Data Controller. In performing those services, the Data Processor will therefore act as data processor for the Data Controller, who is data controller for the personal data to be processed. 2. Purpose of processing personal data The Data Processor may only process personal data for the purposes specified in the Service Agreement and for no other purpose than what is necessary to fulfill the Service Agreement. 3. Sub-processors The Data Processor may not, without the Data Controller’s written consent, transfer personal data for processing to a subcontractor (sub-processor). If general consent is provided, the Data Processor shall inform the Data Controller of any plans to engage new sub-processors or replace a sub-processor. The Data Controller shall promptly object to such changes, however no later than two (2) weeks from notification by the Data Processor that the change will take place. If the Data Controller objects to the changes, the personal data may not be transferred, and the services shall be performed by the Data Processor itself or by a previously approved sub-processor. The Data Processor is responsible for ensuring written agreements are entered into with subcontractors. 4. Conditions for processing personal data For the Data Processor’s processing, the following applies. The Data Processor

  • may only process personal data on documented instructions from the Data Controller, including transfers of personal data to a third country or an international organization, unless such processing is required by Union law or by a Member State’s national law to which the Data Processor is subject. In such case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless such information is prohibited for important public-interest reasons under that law,
  • shall ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory duty of confidentiality,
  • shall take all measures for security related to processing personal data pursuant to Article 32 of the GDPR,
  • shall comply with the conditions for engaging sub-processors under section 3 above,
  • shall, taking into account the nature of the processing, assist the Data Controller by appropriate technical and organizational measures, where possible, so the Data Controller can fulfill its obligation to respond to requests to exercise data-subject rights in accordance with Chapter III of the GDPR,
  • shall assist the Data Controller in ensuring compliance with obligations under Articles 32-36 of the GDPR (regarding information to the data subject about a personal data breach, notification of a personal data breach to the supervisory authority, and information to the data subject about a personal data breach), taking into account the type of processing and the information available to the Data Processor,
  • shall, depending on the Data Controller’s choice, delete or return all personal data to the Data Controller after completion of the processing services, and delete existing copies unless storage of personal data is required by Union law or national law, and
  • shall make available to the Data Controller all information necessary to demonstrate compliance with obligations set out in this article and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

Furthermore, the Data Processor undertakes to keep records of processing activities and cooperate with the supervisory authority and make such records available to the supervisory authority. The Data Processor shall, where required and upon request, assist the Data Controller in fulfilling obligations arising from data protection impact assessments and prior consultations with the supervisory authority. 5. Security measures The Data Processor shall limit access to personal data to persons who need such access to perform their work duties. The Data Processor shall ensure personal data is not processed in violation of applicable data protection legislation, including the GDPR and regulations from the Swedish Authority for Privacy Protection. The Data Processor shall implement appropriate technical and organizational measures to protect personal data from unauthorized access, destruction, and alteration. The Data Processor undertakes to immediately inform the Data Controller if an instruction conflicts with the GDPR or other personal data protection rules. The Data Processor and the Data Controller undertake, considering the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as risks of varying likelihood and severity for natural persons’ rights and freedoms, to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including where appropriate: a) pseudonymization and encryption of personal data, b) the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services, c) the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident, d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring processing security. When assessing the appropriate level of security, particular account shall be taken of the risks presented by processing, in particular accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored, or otherwise processed. The Data Controller and the Data Processor shall take measures to ensure that any natural person acting under the authority of the Data Controller or the Data Processor and having access to personal data does not process such data except on instructions from the Data Controller, unless required to do so by Union or Member State law. 6. Personal data incidents The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach. The notification shall describe the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. If and insofar as it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. The Data Processor shall assist the Data Controller in documenting all personal data breaches, including the circumstances of the breach, its effects, and the remedial actions taken. 7. Compensation The Data Processor is entitled to charge the Data Controller for costs arising from security measures and costs related to personal data incidents beyond compensation under the Service Agreement only to the extent that the Data Controller, through negligence, has caused the costs. 8. Contacts with third parties If a third party (e.g., a data subject, authority, or other party) contacts the Data Processor with a request for information about processing of personal data, the Data Processor shall without delay forward such request to the Data Controller. The Data Processor is not entitled to represent the Data Controller vis-à-vis third parties in matters relating to processing of personal data unless the Data Controller has expressly consented. 9. Confidentiality The Data Processor and its employees and subcontractors are subject to confidentiality obligations regarding all personal data processed unless otherwise agreed in writing with the Data Controller. Confidentiality does not apply vis-à-vis the data subject or for information that is publicly known. 10. Intellectual property rights All intellectual property rights to personal data are held by the Data Controller or the data subject. The Data Processor receives a non-exclusive right to use personal data and any related intellectual property rights solely for fulfilling obligations under the Service Agreement. 11. Liability If a data subject or other third party asserts claims against the Data Controller due to the Data Processor’s processing of personal data, the Data Processor shall indemnify the Data Controller for claims resulting from the Data Processor’s failure to comply with this agreement. If a data subject or other third party asserts claims against the Data Processor due to the Data Controller’s instruction regarding personal data processing, the Data Controller shall indemnify the Data Processor, except where the Data Processor should have alerted the Data Controller that the processing violates applicable data protection rules. If multiple data controllers or data processors are involved in the same processing, each may be held liable for the entire damage. If they are joined in the same legal proceedings under Member State national law, compensation may be apportioned according to each party’s responsibility for damage caused by processing, provided that the data subject who suffered damage is ensured full and effective compensation. Any data controller or data processor that has paid full compensation may then seek recourse from other controllers or processors involved in the same processing. 12. Deletion After termination of the Service Agreement, the Data Processor shall, to the extent possible under law, delete all personal data processed on behalf of the Data Controller unless an earlier date has been agreed. In connection with termination of the Service Agreement, the Data Processor is obliged to return processed data to the Data Controller in an appropriate format. 13. Changes and additions Any changes or additions to this agreement must, to be valid, be in writing and signed by both parties. 14. Agreement term and termination This agreement enters into force when the Data Controller has accepted the Service Agreement. By accepting the Service Agreement, this agreement is therefore also accepted. The agreement ceases to apply when the Service Agreement ceases to apply. However, section 9 shall continue to apply for one year after termination.