General terms and conditions for the use of IDI Profiling’s services

These general terms and conditions, including the terms, policies, guidelines and instructions referred to herein, (“Terms”) are an agreement between IDI Profiling AB (556988-5196), (“IDI”, “we”, “our” or “us”) and you, the business entity or individual (“you” or “your”), governing your access to the IDI platform (the “Platform”) and use of our services and websites (the “Website” and together, the “Services”).

By accessing and using the Services in any way, you agree to be bound by the Terms. If you do not agree to the Terms, you shall not use the Services.

If you have any questions or concerns regarding the content of these Terms or would like to get a better understanding of how the Services work, please do not hesitate to contact us.

1. Registering for our Services

You may use our Services if you are (a) a business or organisation or contact person of a business or organisation (“Customer”), for the purpose of providing access to our services to current employees, and (b) a user, either consumer or an employee of a Customer, who gains access to our Services (“Users”). Specific terms applicable to Customers and Users, respectively, can be found at the end of these Terms.

As a User, you may use our Services by creating an account with us to save and reuse your results. 

2. Subscription plans

All available subscription plans are listed on our Website. You have the option of adding additional Services or scaling up the respective Service at the price stated on our Website applicable from time to time or according to a separate offer. 

You may at any point terminate or scale down the respective Service. However, a curing period may apply for some of our Services. In such case, the curing period is stated when registering for the Services or in the separate offer letter. You may cancel or scale down a Service that is provided with a curing period only at the end of such curing period.

If a Service is added and/or scaled up, the fee for such Service will be payable from the date on which such addition or increase is provided to you. In the event of removal of a Service or scaling down, the fee will be adjusted when the change has been implemented, unless otherwise specifically stated for a specific Service.

Additions, changes of scope or termination of a Service may be made by you directly in the control panel when logged in to the Platform unless agreed or stated otherwise.

3. Creating an account with us and accessing our Services

You may access our Services by creating an account with us (“Account”). To create an Account, you need to be either (a) a Customer and register by using a business email address, or (b) a User invited by a Customer to be assessed through the Platform. Users may only use and register one (1) Account to access the Services.

You must provide accurate and complete information when creating your Account and/or accessing the Platform. You must also make sure that all information that you provide is and remains accurate, complete and up to date. We are entitled to restrict your access to your Account and the Platform if you provide us with untrue, inaccurate, not current, or incomplete information.

By registering an Account and/or accessing our Services, you warrant that you, being an individual, are at least 18 years of age and have full legal capacity to accept these Terms in the manner prescribed by us. If you register on behalf of a Customer or under a business name, you represent that you are duly authorised to (a) create an Account in the name of that company or business entity, (b) provide any information about the business, and (c) accept these Terms on its behalf.

You are responsible for ensuring that your email address, password, and other personalised security features which you use to access your Account and the Services are kept safe and secure.

4. Use of the Services

While we want you to enjoy the Services, you may only use the Services for lawful purposes and in a manner consistent with the nature and purpose of the Services. You are responsible for all activities that occur under your Account. You agree to comply with all instructions and recommendations provided by us from time to time.

Only you, the person associated with an Account, or having received an invitation to the Platform, may have access to the Services through your Account and/or should perform the personality tests and other tests or access the information available in the Platform. You are strictly prohibited from allowing any third party to perform or access tests by sharing Account or other information necessary to access the Platform.

You are expected to use the Services responsibly and lawfully. When accessing or using the Services, you agree to abide by the following conduct standards and you may not:

  • publish, post or – in any other way express – any material or information that is inappropriate, defamatory, infringing, obscene, pornographic, racist, terrorist, politically slanted, indecent or unlawful;
  • copy, reproduce, alter, modify, create derivative works, publicly display, republish, upload, post, transmit, resell, or distribute the Services, any part thereof or any material or information that you receive, or are granted access to, from us,
  • monitor the Services’ availability, performance or functionality for any competitive purpose or purpose beyond the intended purpose of the Services, meaning, for example that you agree not to access the Services for the purpose of developing or operating a competitive product or service or copying the Services’ features or user interface, or
  • violate the restrictions on the Services, work around, bypass or circumvent any of the technical limitations of the Services, use any tool to enable features or functionalities that are otherwise disabled in the Services, or decompile, disassemble, or otherwise reverse engineer the Services.

5. Customer service and complaints

We will provide you with regular customer services by email or telephone during normal business hours to help resolve any issues relating to your use of the Services.

6. Intellectual property rights

You understand and acknowledge that we, or our licensors, own all rights, title, and interest in the Services, including but not limited to copyright, patent, trademark, design right, trade secret and any other intellectual property rights. In particular, the questions, content and other material that form part of the tests used for validating Users in the Platform, are to be considered as trade secrets and shall be treated as such by you. The Services, the Platform and any material therein may not be copied, reproduced, or distributed in any manner or medium, in whole or in part, by you without prior written consent from us.

You are solely granted a non-exclusive right to use the Services in accordance with these Terms. You understand that you do not receive any software license or any ownership rights by being granted access to the Services or for example by downloading material from or submitting material to the Services.

7. Personal data

For us to be able to offer you our Services, we need to collect certain personal data. You can read our Privacy Policy for a detailed description of how we process your personal data.

8. Service levels

Although we will use commercially reasonable efforts to provide the Services continuously and in accordance with the applicable service level agreement (“SLA”), we do not warrant that the Services will be free from interruptions, delays or errors caused by our systems or other third-party services providers, general Internet failures or force majeure. You must notify us without undue delay through our customer service if you experience any interruptions, delays, or errors in the Services.

From time to time we will perform maintenance and upgrades of the Services, which may result in interruptions, delays, or errors in the Services. Although we will use commercially reasonable efforts to notify you in advance of any planned maintenance, we cannot guarantee that such notification will always be provided.

9. No warranties

We provide the Services to you on an “as is” and “as available” basis. To the extent permitted by law, we make no warranty, express or implied, in relation to the Services. We hereby disclaim all other warranties including, without limitation, implied warranties or conditions of merchantability, fitness for a particular purpose, or non-infringement of intellectual property, or other violation of rights. You acknowledge that we do not warrant that the Services will be uninterrupted, timely, secure, or error-free.

10. Amendments and changes

We have the right to amend, delete or add to these Terms or change, delete, discontinue, or impose conditions on any feature or aspect of the Services at any time. We will give you 3 months’ notice via e-mail or the Services of any change, however always at least in accordance with mandatory law, with the change taking effect once the 3-month notice period has passed. The 3-month notice period will not apply where a change is required by applicable law or relates to the addition of a new service, extra functionality to the existing Services or any other change which we believe in our reasonable opinion to neither reduce your rights nor increase your responsibilities. Under such circumstances, the change will be made without prior notice to you and will be effective immediately.

If you do not accept any change, you must close your Account. By continuing to use our Services, you will be deemed to have accepted a change.

All new functionalities, features and content introduced and added to the Services, or the Website will be subject to what is stipulated in the Terms.

11. Limitation of liability

In no event shall we, our subsidiaries, affiliates or any of our respective employees, officers, directors, agents, or partners be liable for:

  • loss of contracts;
  • loss of reputation and/or goodwill;
  • loss of profit, loss of revenue, loss of anticipated savings and/or loss of business; or
  • indirect, consequential, or special loss, damage or liability even if such loss or damage was reasonably foreseeable, arising out of or in connection with your use of the Services or the performance of our obligations under these Terms.

Our total liability to you for all other losses arising under or in connection with any contract between us, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall be limited to the total sums paid by you for the Services during the three-month period immediately preceding the event giving rise to the claim for liability, or if you have not used the Services for three (3) months, your average monthly fee multiplied by three (3). We have no liability if you use the Services under a trial period or otherwise free of charge.

Nothing in these Terms will limit our liability resulting from our fraud or fraudulent misrepresentation, gross negligence, wilful misconduct, for death or personal injury resulting from our negligence or to the extent such limitation or exclusion is not permitted by applicable law.

12. Entire agreement

These Terms contain the entire agreement between the parties with respect to the Services and supersede all previous and contemporaneous negotiations and understandings between the parties, whether written or oral.

13. Governing law and disputes

Swedish law, with the exception of its conflict of law principles, shall apply to these Terms. Any dispute, controversy or claim arising out of or in connection with these Terms, or the breach, termination, or invalidity thereof, shall be settled by a general court in Sweden.

14. Term and termination

14.1 For users

These Terms are valid from the date when you create an Account or otherwise gain access to the Platform and until further notice. You may terminate the Services with the applicable notice period by ending your subscription through the control panel when logged in to the Platform.

Upon termination, your right to access the Services will be revoked. We will also delete or anonymise any personal information about you, with the exception of any personal information that you have asked us to store further, that we have a legitimate interest to store further or that we are required to keep by law.

Obligations arising from any breach of contract during the term of these Terms shall not be affected by termination.

14.2 For Customers

These Terms are valid from the date you create an Account and continue to be valid during the subscription period (“Subscription Period”). You may terminate your subscription through the control panel when logged in to the Platform, unless otherwise agreed between the Parties.

14.3 Termination from our side

We reserve the right to terminate or limit the Services if:

  • you breach or otherwise violate these Terms, or any other provisions set up by us,
  • you use the Services in any way that does not comply with the intended purpose, in violation of any applicable law or is otherwise harmful for us or any third person,
  • in our reasonable opinion, your activities or actions are damaging to, or may damage, our image or reputation, or
  • you are late in payment.

Upon occurrence of any of these events, we may contact you and request that you remedy your breach of these Terms before terminating or limiting the Services.

If we have any reason to believe that you have used the Services in breach of these Terms, we have the right to, at our sole discretion and without prior written notice, terminate your Account and disable your access to the Service.

15. Fees for users that are consumers and Customers

You may be offered to register to use the Services for a limited trial period. During the trial period, you will have access to all or parts of the Services (as further described on the Website) free of charge.

You shall pay all applicable fees as described on the Website for the Services you have selected or as separately agreed between you and us (the “Fees”). If you have signed up for one of our recurring plans, the Fees will be payable either annually in advance or as agreed separately.

You can pay for the Services through any of the payment methods listed on the Website. For payments made through a third-party supplier, this third-party supplier’s terms and conditions apply.

You agree to pay within the set time for the applicable payment method. We have the right to close your Account until you have paid for all the charges incurred by you. Payment after the due date can entail late payment fees and interest.

We may increase the fees for the Services, which will be effective at the beginning of any renewal subscription period. We will notify you of any increase prior to it becoming effective via e-mail or through the Services.

16. Specific provisions limited to Customers

The provisions set out below specifically regulate the responsibilities between us and our Customers.

You warrant that the persons (for example, employees and representatives) you authorise to create an Account and use the Services have read and understand the Terms.

16.1 Your content

In connection with your Account and your use of the Services, you may be able to upload or provide materials or information (“Content”). You are responsible for the Content that you post to the Services, including its lawfulness, reliability, accuracy, and appropriateness and that the Content does not infringe any third party intellectual property rights.

16.2 Fees for Customers

The Fees exclude value added tax (VAT) or other fees and taxes.

We do not provide refunds, right to return for a purchased subscription, credits for any partially used subscription, credits for any unused Account or credits by reason of your dissatisfaction with the Services. This means that you will not be entitled to refunds of any Fees already paid. In the event you terminate these Terms in accordance with section 13, you will be entitled to use our Services until the end of the current term.

16.3 Indemnification

Notwithstanding the above or any other provision of these Terms, you agree to defend, indemnify, and hold us and our respective directors, agents, affiliates and representatives harmless from and against any claim (including all third-party claims), and expense (including without limitation reasonable attorneys’ fees) arising out of or relating to: (a) any actual or alleged breach by you of any provision of these Terms, (b) your wrongful or improper use of the Services, (c) your violation of any third party right, including without limitation any right of privacy, publicity rights or intellectual property rights, (d) third party indemnity obligations we incur as a direct or indirect result of your acts or omissions, (e) your violation of any applicable law, rule or regulation of your specific jurisdiction, and (f) errors made by you in providing information or instructions to us, whether through your Account or any other means of communication.

16.4 Third-party integrations

You may enable or otherwise allow integrations between us and certain third-party service providers contracted by you (each a “Third-Party Integration”). By enabling a Third-Party Integration, you expressly instruct IDI Labs to share data with, and access and use data from, such third-party service provider. You are responsible for providing any and all instructions to such third-party service provider about the use and protection of data. You acknowledge and agree that we are not a sub-processor for any such third-party service providers in relation to any personal data contained in the data or information transfer, nor are any such third-party service providers sub-processors of us in relation to any personal data contained in the data or information transfer.

We are not responsible or liable to you or any third-party service provider with respect to the functionality or availability of any Third-Party Integration or any data obtained through any Third-Party Integrations and further we make no representation or warranty with respect to any Third-Party Integration or any data obtained through a Third-Party Integration or with respect to any third-party service provider. You agree that you are solely responsible for complying with any agreement you may have with the third-party service provider with which you use the Third-Party Integration.

16.5 Personal data and privacy

You are the data controller and IDI is the processor for processing of personal data relating to the Service, as agreed upon and regulated by the Data Processing Agreement set out in Appendix 1.

Both parties undertake to comply with applicable laws and regulations as regards protection of personal data and to ensure that individuals are informed in a clear and transparent manner about how personal data is being processed.

17. Force Majeure

Any delay or non-performance of any provision of these Terms caused by conditions beyond the reasonable control of the performing Party (a ‘Force Majeure’ event) shall not constitute a breach of these Terms, and the time for performance of such provision, if any, shall be deemed to be extended for a period equal to the duration of the conditions preventing performance.

Appendix 1: Data Processing Agreement

This Data Processing Agreement with Annexes (the “DPA”) has been entered into between:

  • Data Controller: The Customer (as defined in the Terms and conditions for the use of IDI Profiling’s services (the “Terms”)), (“controller”); and
  • Data Processor: IDI Profiling AB (556988-5196) (“processor”)

Separately referred to as “Party” and jointly the “Parties”.

18. Background

The DPA forms part of the Terms and sets out the additional terms, requirements, and conditions on which the Processor will process Personal Data (as defined below) when providing services under the Terms. The DPA contains the mandatory clauses required by the General Data Protection Regulation (EU) 2016/679 (“GDPR”). The DPA includes the following Annexes:

  • Annex I – Contact details
  • Annex II – Description of the processing
  • Annex III – Technical and organisational measures

19. Purpose and scope

This DPA applies to the processing of personal data as specified in Annex II. This DPA is without prejudice to obligations to which the controller is subject by virtue of GDPR.

20. Interpretation

Where this DPA uses the terms defined in the GDPR, those terms shall have the same meaning as in the GDPR. This DPA shall be read and interpreted in the light of the provisions of the GDPR. This DPA shall not be interpreted in a way that runs counter to the rights and obligations provided for in the GDPR or in a way that prejudices the fundamental rights or freedoms of the data subjects.

21. Hierarchy

In the event of a contradiction between this DPA and the provisions of the Terms, this DPA shall prevail.

22. Obligations of the parties

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

23. Instructions

The processor shall process personal data only as stated by the Terms and this DPA, and only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe the GDPR or the applicable Union or Member State data protection provisions.

24. Purpose limitation

The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.

25. Duration of the processing of personal data

Processing by the processor shall only take place for the duration specified in Annex II.

26. Security of processing

The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects. The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing, and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

27. Sensitive data

The processing shall not include the processing of sensitive data pursuant to Article 9 of the GDPR. However, if the controller or one of its employees, consultants or other persons related to the controller inputs such data, and as such, the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (sensitive data), the controller instructs the processor to apply restrictions and/or additional safeguards to be decided upon by the processor in its own discretion.

28. Documentation and compliance

The Parties shall be able to demonstrate compliance with this DPA.

The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with this DPA.

The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from the GDPR. The controller must give the processor at least ten (10) business days written notice of any planned audits or inspections. Any audit conducted in accordance with this clause may only be conducted:

  • during normal business hours;
  • after the controller has confirmed that any appointed representative, whether working for the controller or acting for an authorised third party, carrying out the audit is subject to a confidentiality agreement that is appropriate in relation to the information to be audited; and
  • in accordance with the processor’s internal policies and security-related procedures.

Each party shall bear its own costs incurred in relation to the audit. In the event that the controller is reasonably required to conduct more than one audit in accordance with this clause within any twelve (12) month period, the controller shall bear all costs reasonably incurred by the controller in conducting the audit.

The Parties shall make the information referred to in this section, including the results of any audits, available to the competent supervisory authority on request.

29. Use of sub-processors

The processor may only authorize a sub-processor to process personal data if:

  • the controller is provided with an opportunity to object to the appointment of each sub-processor within ten (10) working days after the processor supplies the controller with full details in writing regarding such sub-processor, in the absence of which the controller shall be deemed to have accepted the use of the sub-processor,
  • it does so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with this DPA. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to this DPA and the GDPR,
  • the processor maintains control over all the personal data it entrusts to the sub-processor, and
  • the sub-processor’s contract terminates automatically on termination of this DPA for any reason.

The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations. The processor shall keep an up-to-date list of all its approved sub-processors. The list must be made available to the controller upon request. The sub-processors approved are set out here. If the controller reasonably objects to the appointment of a sub-processor it must provide written details of the reasonable grounds for its objection and the processor will use commercially reasonable efforts to make a change to the services to avoid processing of personal data by the objected to sub-processor or to appoint an alternative sub-processor. If the processor is unable to make such a change to the services or appoint an alternative sub-processor within thirty (30) business days, either party shall have the right to terminate this DPA and (if applicable) the Terms.

30. International transfers

Any transfer of data to a third country or an international organisation by the processor shall be done only based on documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of the GDPR.

The controller agrees that where the processor engages a sub-processor in accordance with section 12 for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, the processor and the sub-processor can ensure compliance with Chapter V of the GDPR by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met.

31. Data subject requests

The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller. The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with this section 14 the processor shall comply with the controller’s instructions.

32. Additional assistance to the controller

In addition to the processor’s obligation to assist the controller pursuant to section 14, the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:

  • the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons,
  • the obligation to consult the competent supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk,
  • the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated, and
  • the obligations in Article 32 of the GDPR.

The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this section 15 as well as the scope and the extent of the assistance required.

33. Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of the GDPR, where applicable, taking into account the nature of processing and the information available to the processor.

34. Data breach concerning data processed by the controller

In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

  • in notifying the personal data breach to the competent supervisory authority, without undue delay after the controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
  • in obtaining the following information which, pursuant to Article 33(3) of the GDPR, shall be stated in the controller’s notification, and must at least include:
      • the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
      • the likely consequences of the personal data breach;
      • the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  • in complying, pursuant to Article 34 of the GDPR, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

35. Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor has become aware of the breach. Such notification shall contain, at least:

  • a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
  • the details of a contact point where more information concerning the personal data breach can be obtained; and
  • its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of the GDPR.

36. Suspension of processing

Without prejudice to any provisions of the GDPR, in the event that the processor is in breach of its obligations under this DPA, the controller may instruct the processor to suspend the processing of personal data until the latter complies with this DPA or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with this DPA, for whatever reason.

37. Termination

The controller shall be entitled to terminate this DPA if:

  • the processing of personal data by the processor has been suspended by the controller pursuant to section 19 and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;
  • the processor is in substantial or persistent breach of this DPA or its obligations under the GDPR; or
  • the processor fails to comply with a binding decision of a competent court or the competent supervisory authority regarding its obligations pursuant to this DPA or to the GDPR.

The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under this DPA where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with section 6, the controller insists on compliance with the instructions. Following termination of the Terms and this DPA, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so. If the controller has not requested destruction or return of the personal data concerned by the DPA within twelve (12) months from the date on which the DPA has terminated as agreed by the Parties, the processor must destroy the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with this DPA.

38. Liability and indemnity

The Parties are free from liability for obligations arising under the DPA in cases where performance is hindered by a circumstance of an extraordinary nature beyond the Party’s control which the Party could not reasonably be expected to have taken into account and whose consequences the Party could not reasonably have avoided. The processor’s liability arising out of or relating to this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise is subject to the “Limitation of Liability” section of the Terms, and any reference in such section to our total liability means our aggregate liability under the Terms and this DPA together. The processor agrees to indemnify the controller for any damages incurred by the controller as a direct result of the processor processing personal data against the controller’s instructions according to the DPA and applicable law. For the avoidance of doubt, the processor shall not be liable for any loss of profit, or any indirect or consequential loss arising in connection with this DPA.

ANNEX I – Contact details

Processor: IDI Profiling AB 

Alströmergatan 45

112 47 Stockholm, Sweden

E-mail: info@idi.se
Telephone: +46 8-756 70 35

ANNEX II – Description of the processing

Categories of data subjects whose personal data is processed

Employees and consultants, and suppliers/customers based on who is invited as respondent.

Categories of personal data processed

Name, contact details, personal life data (date of birth, age, language skills, etc.), employment information, self-assessment answers and behaviour, test input and results – as well as additional information provided per the controller’s input. No sensitive data is processed except on specific instruction from the controller.

Nature of the processing

  1. By providing a platform with functions for analysing results from self-assessment tests, composing and conducting analysis, and functionality and material for education programs for people development.
  2. By providing a platform for comparing assessment results, between the employee’s self-assessment and the results from the respondents’ assessments. The data processor’s processing of personal data on behalf of the data controller shall be carried out by the data processor performing the following:
    1. collect answers from assessment tests,
    2. aggregate and analyse the personal data collected through the assessment tests,
    3. facilitate the structuring of the personal data for analysis,
    4. pseudonymize personal data, 
    5. deletion of personal data,
    6. storage of personal data, and
    7. further processing following instructions within the service.

Purpose(s) for which the personal data is processed on behalf of the controller

To provide structure and functions for the data controller’s context-driven people development for its employees, based on the result from self-assessment tests compared with assessments from respondents, and to provide educational material, tests, structure, and function for the use of IDI Academy.

Duration of the processing

The data controller can manage retention times and choose what personal data to keep or remove within the platform. Additional processing only in the form of back-up.

ANNEX III – Technical and organisational measures

Data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate for the risk, in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to the personal data transmitted, stored, or otherwise processed. In addition, data processor guarantees that systems and processes used for processing the personal data comply with any statutory requirements with regard to data protection by design and data protection by default.

Organizational measures

  • Access (physical as well as logical) to personal data and the systems processing personal data is limited to persons with a work-related need for access.
  • Employees authorised to access personal data have undertaken a confidentiality obligation or are subject to an appropriate statutory obligation of confidentiality.
  • Employees who handle personal data receive adequate instruction and training in the handling of personal data.
  • Employees who handle personal data receive adequate information on the security risks associated with the data processing activities and are made aware of the adapted security standards and the required security measures.
  • Procedures are in place to ensure appropriate removal of access to personal data in case of organizational restructuring, job changes, resignation, etc.
  • Personal passwords are required for equipment that gives access to personal data, including physical media such as USB sticks.
  • Personal data are deleted permanently so that the data cannot be retrieved when equipment or mobile devices with personal data are no longer used for data processing.
  • After use, personal data are deleted in accordance with specific instructions.

Technical measures

  • Applications that continuously identify and manage information security risks or other vulnerabilities in the IT systems are in use.
  • Personal data are encrypted at rest and when transmitted via open networks, including in website forms, and when stored on physical media.
  • Security measures, such as firewalls and antivirus protection programmes, are installed in relation to systems containing personal data, and such programmes are updated on a regular basis.
  • Personal data are backed up on a frequent basis and copies are kept separately and securely so that the personal data can be restored.
  • The deletion of personal data is effective.
  • Relevant risk analyses are conducted before implementing any new IT solutions, including IT systems and applications.
  • Principles of privacy by design and privacy by default are implemented.
  • Procedures are in place to ensure that changes and updates to hardware and/or software are tested and approved prior to implementation.
  • Appropriate security measures are in place when employees authorised to access personal data are able to access the personal data from remote workplaces, including mobile devices.

Physical measures

  • Access control measures are in place to ensure that only authorised personnel enter the premises.
  • Backup power supply is in place in case of power failure.
  • Fire prevention controls are in place.
  • For the data centre: Controls are in place to ensure sufficient heating, ventilation, and air conditioning of the facilities in which servers etc. are located.