Updated as of 22 March 2023
1. Introduction
1.1. General Terms and DPA. This Agreement consists of the General Terms and Conditions (General Terms), and the Data Processing Agreement (DPA) attached as Appendix A. This is a contract between Panomio ApS (“Provider” or “we”) as the provider of remote access to and use of Panomio (“Services”) and the Customer. A Customer is any person or entity that creates a Panomio account and accepts these terms.
1.2. The Provider. Panomio ApS is a Danish SaaS company that provides a cloud-based software called Panomio (“Platform”) which enables registered subscribers and trial users (“Subscribers”, or “you”) to create, distribute, and use e-courses for training and learning. Panomio ApS is located at Amager Strandvej 392 DK-2770 Kastrup Denmark and is incorporated and existing under the laws of the Kingdom of Denmark.
1.3. Eligibility. You are eligible to use the Platform if you are over 18 years old and allowed by law to enter into a binding agreement.
1.4. Privacy. The Services are subject to the terms and conditions of the Panomio Privacy Policy at https://panomio.com/privacy-policy/ which governs any personal data or personally identifiable information you provide to us.
2. Use of Platform
2.1. Signing Up. You need to sign up for a Panomio user account by providing all required information. If you are representing an organisation, we recommend that you use your email address with your organisation. You agree to provide true, current and complete information about yourself, and maintain it to be so during your entire use of the Platform. If we have reasonable grounds to suspect that such information is untrue, outdated or incomplete, we may terminate your user account and refuse future use of any or all our Services.
2.2. Activation. You may be required to take certain steps to activate your subscription. If we determine the activation to be done fraudulently, we may reduce the availability of the Service or suspend or terminate the subscription.
2.3. Services. Subject to your compliance with these Terms and the law, we grant you limited, non-exclusive, non-transferable access to and use of our Platform for your or your organisation's internal business purposes for the duration of your free or paid subscription.
2.4. Restrictions. As the Provider and sole owner of all the rights, title, and interests in the Platform, and we reserve all rights not granted under these Terms. As the Customer, you are not allowed to perform any of the following either by yourself or through a third-party:
sub-host or let third parties use or gain access to our Services without prior written consent from us;
print, copy, translate, reverse engineer, decompile, disassemble, modify, create derivative works of or publicly display the Platform, in whole or in part, unless expressly authorized by us; and
use Panomio name, logo, trademarks, service marks, or other branding elements without our prior written consent on a case-by-case basis.
2.5. Free Subscription. We recommend you refer to the description of Free features before signing up. The Services will automatically terminate after one year of inactivity unless your trial subscription is converted into any paid subscription. Activity is considered any action performed under the account, including log in. In case of termination, we shall delete any content you uploaded to your free account.
2.6. Account Information. You are responsible for your account information and for all activity that occurs via your account. You must not share it to anyone other than your authorised Administrator/s. You are advised to notify us immediately if you discover any unauthorized use of your account.
2.7. Administrator. The Administrator is your designated and authorised user who is responsible for managing your account. He/she has access to the account as administrator and can manage the projects (create, edit, publish, download, delete), the users (register, enrol, delete), and the media library (upload, organise, delete), among others. The Administrator may be you or another person and can be more than one in certain instances such as when the account allows for multiple Administrator accounts.
2.8. Customer’s Users. The Service (if available) allows you to register users (Registered Users), and enrol them to the projects/courses you publish in the Platform (Enrolled Users). The Administrator registers users by simply providing their email addresses. The user will then receive an automated email with instructions to activate their account. We do not deal with your users directly, except for the automated email they receive from us for their account activation. You are solely responsible for your relationship with your users, and you are the controller of any personal data you obtain from them. Please refer to the DPA for more information on personal data.
2.9. Provider Contents. All Panomio-provided files in the Platform such as characters, images and illustrations, workspaces, or other pre-built content as part of the Services shall be referred to as Provider Contents. As such, ownership and all intellectual property rights belong to us, and you are not allowed to distribute our files on a stand-alone basis. You may only use, edit, display, or distribute our contents as part of your use of the Service.
2.10. Updates. The Platform may automatically download and install updates from time to time and you agree to receive this as part of Service. These updates may take the form of bug fixes, new features, or new versions.
2.11. Storage. We may create technical limits on your content (Customer Contents), such as limits on file size, storage space, processing capacity, and other technical limits. We may suspend Service until your content is within the storage space limit associated with your account.
3. Customer Contents
3.1. Ownership. All files you upload to the Platform are referred to as Customer Content. As such, ownership and all intellectual property rights belong to you. You can at any time delete your content.
3.2. Sharing within the Platform. The Service allows you to share contents to your Enrolled Users through the projects/courses you publish within the Platform, and if applicable, through the LMS. We do not monitor what your Enrolled Users do with your content outside of our Service. It is your responsibility to provide instructions or limitations on their use if you so desire. The Administrator can always restrict access by managing your Registered Users in the Platform, or if applicable, in the LMS.
3.3. Sharing outside the Platform.
You are entirely responsible for Customer Contents you share outside the Service. We recommend you take precaution when sharing your content to the public.
3.4. Provider’s License. By uploading Customer Contents, you grant us the license to your files for us to deliver, operate, and improve our Service. You grant us non-exclusive, worldwide, royalty free, sub-licensable, and transferable license to access, use, reproduce, distribute, and translate the content as necessary for the following purposes: a) providing, operating, or improving our Service; b) responding to your support requests; c) detecting, preventing, and addressing fraud, security, or technical issues; and d) enforcing these Terms.
3.5. Termination of Provider’s License. You can end our license to your contents at any time by removing your content from the Platform. Some copies may be retained as part of our routine backups but will eventually be deleted upon the next routine backup.
4. Warranty and Indemnification
4.1. Customer’s Warranty. By uploading Customer Contents, you warrant that you have all necessary licenses to use and share your contents, and the rights necessary to grant us the license to your contents under these Terms.
4.2. Indemnification by Customer. You will indemnify us and our subsidiaries, officers, agents, employees, and licensors from any claim, demand, loss, or damage, including reasonable attorney’s fees, arising out of or related to Customer Content, your use of the Services, or your violation of these Terms.
4.3. Provider’s Warranty. Provider does not provide any explicit or implied guarantees or warranties, including but not limited to warranty for fitness for a particular purpose, implied warranties or warranty that the Service will be without errors or defects. To the extent permitted by law Provider further disclaims any warranty that: a. the services will be constantly available, uninterrupted, timely, secure, or error-free; b. the result that may be obtained from the use of the Services will be effective, accurate, or reliable; or that c. any errors or defects in the Services will be corrected. Customer’s sole remedy in case of any losses caused by the Service, including non-delivery and delayed delivery, shall be refund of Customer’s subscription payment for the Service for the relevant period of up to 3 months, subject to an absolute maximum refund of EUR 3,000.
4.4. Limitation of Liability. Provider explicitly excludes any and all liability for any loss towards Customer, including but not limited to any indirect loss and/or consequential damages, including but not limited to loss of time and profits, damages related to procurement of substitute products/services, claim for damages raised by third parties, operating loss, loss of data etc., resulting from any act attributable to Provider, any third party providers or caused by errors in the Services. Provider limits its product liability to the maximum extent permitted under Danish law.
5. Term and Termination
5.1. Term. This Agreement commences when you sign up and accept these Terms, until the end of your subscription or deactivation of free subscription.
5.2. Termination by Customer. You may at any time terminate your subscription or free account. Such termination does not relieve you of any obligation to pay any outstanding fees, and neither does it grant you the right of refund for any prepaid fees.
5.3. Termination by Provider. We may terminate your access to the Service for any of the following reasons: a) your breach of these Terms or any other Service-related contract with us; b) your failure to timely pay your payment obligations with us; c) when we are required by law to discontinue the Service; d) when we elect to discontinue the Service such as when it has become impractical or impossible for us to continue its operation.
5.4. Effect of Termination. Upon termination of this Agreement for any reason, you are required to cease use of and to remove access to the Platform from all your devices. The Service will automatically end upon valid termination and we are entitled to delete any and all Customer Content without prior notice.
6. Miscellaneous
6.1. Notices. You may send notice to us via [email protected]. We, on the other hand, may send notices to you via the contact information you provided us.
6.2. Assignment. You may not assign any rights and/or obligations in this Agreement unless with our prior written approval. We may assign all rights and/or obligations under this Agreement without your written approval provided such assignment is part of a transfer of all activities and/or assets of our business.
6.3. Force Majeure. Neither party shall be deemed to be in default when performance of the obligations of such party is prevented or made unreasonably burdensome due to any cause which was beyond the reasonable control of such party and which such party could not reasonably be expected to have foreseen, avoided or overcome at the time of entering into the Agreement, including but not limited to any event attributable to natural disasters and severe weather; embargoes; faulty, lack of or delayed of deliveries from suppliers or third parties; interruption or other failure of power, water, internet connection or other utilities; war and acts of war; terrorism; general strikes and other similar events affecting the activities of a party, provided, however, that the party suffering the force majeure event as soon as possible informs the other party thereof giving details of the force majeure cause and its expected duration and implication for the party’s performance.
6.4. Entire Agreement. This Agreement constitutes the entire agreement between us regarding your use of the Services and the subject matter hereof, and this supersedes any prior agreements we have whether written or oral. However, should at any point we enter into a subscription contract with the Platform herein as the subject matter, such agreement shall supersede this Agreement, or if applicable, it shall constitute as the main contract and this Agreement becomes part and parcel of it.
6.5. Governing Law. Any and all disputes arising between us under this Agreement shall be governed by the laws of the Kingdom of Denmark. Danish private international law that appoints a foreign law, as well as the United Nations Convention on Contracts for International Sale of Goods (CISL) shall not apply.
6.6. Venue. In case a dispute cannot be settled amicably, the sole and proper venue shall be the Maritime and Commercial Court, or - if the Maritime and Commercial Court does not subject-matter jurisdiction to hear the case – the District Court of the City of Copenhagen.
7. Changes
7.1. This General Terms and Conditions may be revised from time to time, thus, we advise you to review this page periodically for any changes. We will notify you of any changes by posting the new General Terms and Conditions on this page. These changes are effective immediately after they are posted on this page.
Appendix A:
Data Processing Agreement
This Data Processing Agreement (DPA) is entered into by and between Panomio ApS (“Panomio” or “Processor”) and the Customer (“Subscriber” or “Controller”) agreeing to the General Terms and/or any prior or subsequent agreements requiring Panomio to provide Services (“Underlying Agreement/s”).
Customer is entering into this DPA on behalf of itself and its Authorised Affiliates. All references herein to Customer also apply to Customer’s Authorised Affiliates. The parties are hereinafter collectively referred to as “Parties” and individually “Party”.
WHEREAS, the Parties have entered, and may in the future enter into, one or more agreements that require Panomio to provide certain Services to Customer (Underlying Agreement/s);
WHEREAS, in providing Services to Customer pursuant to the Underlying Agreement/s, Panomio may process personal data on behalf of Customer;
WHEREAS, if and to the extent Panomio processes personal data on behalf of Customer, the parties will be subject to the General Data Protection Regulations (GDPR) and other applicable Data Protection Laws and Regulations (DPLR); and
WHEREAS, if and to the extent Panomio processes personal data on behalf on Customer, Customer will be acting in the capacity of Controller (data exporter), and Panomio will be acting in the capacity of Processor (data importer);
NOW, THEREFORE, in consideration of the foregoing, and in reliance on the mutual agreements contained herein, the Parties agree as follows:
Article 1. Definition of Terms.
1.1. Authorised Affiliate refers to any entity that directly or indirectly controls, is controlled by, or is under common control with the Customer entity agreeing to this DPA. The Customer’s Authorised Affiliate using the Panomio’s Services shall be deemed subject to this DPA.
1.2. Controller refers to the entity which determines the purpose and means of the processing of personal data.
1.3. Data Subject refers to the identified or identifiable person to whom the personal data relates.
1.4. DPA refers to the terms and conditions that govern data processing between the Customer as the Controller and Panomio as the Processor. DPA shall include Attachment 1 which is the Approved Sub-processor.
1.5. DPLR refers to all applicable laws and regulations, such as the GDPR and other EU laws, municipal laws of Denmark, and any other law applicable where data protection is the subject of regulation.
1.6. GDPR refers to the EU’s General Data Protection Regulation.
1.7. Personal Data refers to any Customer Data relating to a) an identified or identifiable natural person, and b) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable DPLR).
1.8. Processing refers any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.9. Processor refers to the entity which processes personal data on behalf of the Controller.
1.10. Services refers to the software-as-a-service (SaaS) provided by Panomio as well as other related services.
1.11. Sub-processor refers to any third-party Processor engaged by Panomio.
1.12. Supervisory Authority refers to an independent authority established by an EU Member State pursuant to the GDPR.
1.13. Underlying Agreement/s refer to the main contract such as a Cloud Service Agreement on the provision of Service by Panomio to the Customer, or any subsequent agreement or order form requiring Panomio to provide Services to the Customer.
Article 2. Responsibilities of the Controller
2.1. The Controller shall use the Services in compliance with DPLR with respect to its processing of personal data, and in giving instructions to the Processor regarding personal data processing.
2.2. The Controller shall be solely responsible for the accuracy, quality, and legality of personal data and the means by which it acquired Data Subjects’ personal data.
Article 3. Responsibilities of the Processor
3.1. The Processor shall process personal data in accordance with DPLR that are directly applicable to its provision of the Services, and only within the framework of the Underlying Agreement/s and this DPA, and for all such purposes as may be agreed to subsequently.
3.2. The Processor shall refrain from using the personal data for any purpose other than as specified by the Controller. The Controller shall inform the Processor of any such purposes which are not contemplated in this DPA.
3.3. The Processor shall take no unilateral decisions regarding the processing of personal data for other purposes, including decisions regarding the provision thereof to third parties and the duration of its storage of the data.
3.4. The Processor shall furnish the Controller promptly on request with details regarding the measures it has adopted to comply with its obligations under this DPA.
3.5. The Processor’s obligations under this DPA apply also to whomever processes personal data under the Processor’s instructions.
Article 4. Processing Objectives.
4.1. The Processor shall only process personal data on behalf of the Controller for the following objectives:
a) processing in accordance with the Underlying Agreement/s and other applicable order form/s;
b) processing initiated by the Controller in their use of the Services; and
c) processing to comply with other documented, reasonable instructions provided by the Controller.
4.2. The Processor shall not be required to comply with Customer’s instructions if such would violate the applicable DPLR.
Article 5. Transfer of Data
5.1. The Processor may process personal data in countries outside the European Union (EU). In addition, the Processor may also transfer personal data to a country outside the EU provided that such country guarantees an adequate level of protection and it satisfies the other obligations applicable to it pursuant to this DPA and the GDPR.
5.2. Upon request, the Processor shall notify the Controller as to which country or countries the personal data will be processed in. See Appendix A.1 for Sub-processors.
Article 6. Allocation of Responsibility
6.1. The Processor shall only be responsible for processing personal data under this DPA, in accordance with the Controller’s instructions and under the ultimate responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to the Processor, and processing by third parties and/or for other purposes.
6.2. The Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data from its Data Subjects. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies the Processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this DPA.
Article 7. Engaging Third Parties or Subcontractors
7.1. The Processor is authorised within the framework of this DPA to engage third parties, without the prior approval of the Controller being required. The Processor shall at any time update the Controller of any third parties processing the data.
7.2. The Processor shall in any event ensure that such third parties will be obliged to agree in writing to the same duties that are agreed between the Controller and the Processor.
Article 8. Duty to Report
8.1. In the event of a security and/or data leakage, the Processor shall, to the best of its ability, notify the Controller thereof without undue delay and within 72 hours, after which the Controller shall determine whether or not to inform the Data Subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the leak. The Processor shall endeavour that the furnished information is complete, correct and accurate.
8.2. If required by law and/or regulation, the Processor shall cooperate in notifying the relevant authorities and/or Data Subjects. The Controller remains the responsible party for any statutory obligations in respect thereof.
8.3. The duty to report includes in any event the duty to report the fact that a leak has occurred, including details regarding the following:
- the (suspected) cause of the leak;
- the (currently known and/or anticipated) consequences thereof;
- the (proposed) solution; and if any,
- the measures that have already been taken
Article 9. Security
9.1. The Processor shall endeavour to take adequate technical and organisational measures against loss or any form of unlawful processing (such as unauthorised disclosure, deterioration, alteration, or disclosure of personal data) in connection with the performance of processing personal data under this DPA.
9.2. The Processor shall endeavour to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data, and the costs related to the security measures.
9.3. The Controller will only make the personal data available to the Processor if it is assured that the necessary security measures have been taken. The Controller is responsible for ensuring compliance with the measures agreed by and between the Parties.
Article 10. Handling Requests from Data Subjects. Where a Data Subject submits a request to the Processor to inspect, improve, add, change or protect their personal data, the Processor shall forward the request to the Controller and the request shall then be dealt with by the Controller.
Article 11. Non-Disclosure and Confidentiality.
11.1. All personal data received and/or compiled by the Processor from the Controller within the framework of this DPA is subject to a duty of confidentiality vis-à-vis third parties.
11.2. The duty of confidentiality herein will not apply in the event that the Controller has expressly authorised the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the instructions and the implementation of this DPA, or if there is a legal obligation to make the information available to a third party.
Article 12. Audit
12.1. In order to confirm compliance with this DPA, the Controller shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit shall follow the Processor’s reasonable security requirements and shall not interfere unreasonably with the Processor’s business activities.
12.2. The audit may only be undertaken when there are specific grounds for suspecting the misuse of personal data, and no earlier than two weeks after the Controller has provided written notice to the Processor.
12.3. The findings in respect of the performed audit shall be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.
12.4. The costs of the audit will be borne by the Controller.
Article 13. Term and Termination
13.1. This DPA is entered into for the duration set out in the Agreement, and in the absence thereof, for the duration of the cooperation between the Parties.
13.2. This DPA may not be terminated in the interim.
13.3. This DPA may only be amended by the Parties subject to mutual consent.
13.4. The Processor shall provide its full cooperation in amending and adjusting this DPA in the event of new privacy legislation.
Article 14. Miscellaneous.
14.1. This DPA and the implementation thereof shall be governed by Danish law.
14.2. Any dispute arising between the Parties in connection with and/or arising from this Data Processing Agreement will be referred to the competent Danish court in the district where the Processor has its registered office.
14.3. In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply:
a) the Underlying Agreement;
b) this Data Processing Agreement; and finally
c) additional conditions, where applicable.
14.4. Logs and measurements taken by the Processor shall be deemed to be authentic, unless the Controller supplies convincing proof to the contrary.
Attachment 1. Approved Sub-processors
The Controller shall on commencement of this DPA approve the engagement of the following Sub-processors:
Microsoft Ireland Operations, Ltd.
One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521
Azure hosting
Data Center Ireland
Hubspot,Inc.
25 First Street, 2nd Floor Cambridge, MA 02141 United States
CRM
Amazon Web Services in the Germany region
Stripe, Inc.
354 Oyster Point Blvd South San Francisco, CA 94080 United States
Payments
Amazon Web Services in the Germany region
Okta, Inc.
Okta Headquarters North America 100 First Street San Francisco, CA 94105, USA
Auth0 Authentication
Amazon Web Services in the Germany region
SendgridTwilio
375 Beale Street Suite 300 San Francisco, CA 94105 USA
Sengrid Email delivery service
Amazon Web Services in the Germany region
MixpanelOne
Front Street, 28th Floor, San Francisco, CA 94111
Product analytics
Europe, Netherlands
Hotjar
Dragonara Business Centre 5th Floor, Dragonara Road,Paceville St Julian's STJ 3141 Malta
Product experience insights
Amazon Web services in Ireland
The Controller shall on the commencement of this DPA specifically approve the use of the above Sub-processors and its instructions for the processing described for that party. The Processor shall not be entitled – without the Controller’s explicit written consent – to engage a Sub-processor for different processing than the one that has been agreed or have another Sub-processor perform the described processing.
*Acceptance of the General Terms and Conditions by the Customer/Subscriber shall mean acceptance of all its component parts: a) General Terms, b) Appendix A - DPA, and c) Attachment 1 to Appendix A - Approved Sub-processors.