Terms of Service

• 3.4.1. use the Platform to send, upload, collect, transmit, store, use, disclose, process or ask Precoro to obtain from third parties or perform any of the above with respect to any Customer data:
  • 3.4.1.1. that contains any computer viruses, worms, malicious code, or any software intended to damage or alter a computer system or data;
  • 3.4.1.2. that the Customer or the applicable User does not have the lawful right to send, upload, collect, transmit, store, use, disclose, process, copy, transmit, distribute and display or process in any other way;
  • 3.4.1.3. that violates any applicable law or infringes violates, or otherwise embezzles the intellectual property or other rights of any third party (including any moral right, privacy right or right of publicity, etc.); or
• 3.4.2. disable, overly burden, impair or otherwise interfere with servers or networks connected to the Platform (e.g., a denial of a service attack, etc.);
• 3.4.3. attempt to gain unauthorized access to the Platform;
• 3.4.4. use any data mining, robots, or similar data gathering or extraction methods or copy, modify, reverse engineer, reverse assemble, disassemble or decompile the Platform or any part thereof or otherwise attempt to discover any source code; except as expressly provided for in these Terms, etc.;
• 3.4.5. use the Platform for the purpose of building a similar or competitive product or service; or
• 3.4.6. use the Platform other than permitted by these Terms.

• ● https://app.precoro.com/manage/company/balance/
• ● https://app.precoro.com/manage/company/withdrawal
• For US-based product:
• ● https://app.precoro.us/manage/company/balance/
• ● https://app.precoro.us/manage/company/withdrawal

• 5.2.1. reference this Section, and
• 5.2.2. submit a support request in writing asking to resolve a material decrease in functionality. If the material decrease in functionality persists without relief for more than thirty (30) days after a warranty claim has been provided to Precoro under this Section, then the Customer may receive a refund of any prepaid, unused Services' fees paid by the Customer for the unused period of any Services where the material decrease has taken place. Notwithstanding the foregoing, this warranty shall not apply to any deficiency due to any modification or defect made or caused by someone other than Precoro.

• 6.2.1. suspend, terminate, or limit the Customer's access to or use of the Precoro Account or the Platform or any component thereof; or
• 6.2.2. modify the Platform without notice or approval of Customers and/or Users.

• 1.1. comply with all applicable data protection laws in the processing of personal data; and
• 1.2. not process personal data other than on the relevant Data Controller’s documented instructions.

• a) Pseudonymisation and encryption of personal data;
• b) the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
• c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

• a) the right to be informed when collecting personal data from the data subject
• b) the right to be informed when personal data have not been obtained from the data subject
• c) the right of access by the data subject
• d) the right to rectification
• e) the right to erasure (‘the right to be forgotten’)
• f) the right to restriction of processing
• g) notification obligation regarding rectification or erasure of personal data or restriction of processing
• h) the right to data portability
• i) the right to object
• j) the right not to be subject to a decision based solely on automated processing, including profiling.

• (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
• (ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)

• (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
• (ii) Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
• (iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
• (iv) Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
• (v) Clause 13;
• (vi) Clause 15.1(c), (d) and (e);
• (vii) Clause 16(e);
• (viii) Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.

• (a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
• (b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

• The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

• On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

• If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

• Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

• (a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
• (b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• (c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
• (d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

• Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

• The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
  • (i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
  • (ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
  • (iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
  • (iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
  
  Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

• (a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
• (b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
• (c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
• (d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
• (e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

• (i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
• (ii) refer the dispute to the competent courts within the meaning of Clause 18.

• (i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
• (ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
• (iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

• (a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
  • (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
  • (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
• (b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
• (c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
• (d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
• (e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

• (a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
• (b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
• (c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

• (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
• (ii) the data importer is in substantial or persistent breach of these Clauses; or
• (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

• Data exporter(s): As per signed Service Agreement, Order Form or equivalent engagement agreement.
• Data importer(s): As per signed Service Agreement, Order Form or equivalent engagement agreement.

Categories of data subjects whose personal data is transferred

• • Controller’s employees
• • Controller’s suppliers

Categories of personal data transferred

• • Log files, which contain information about a users’ IT system, a user’s IP address, browser type, domain names, internet service provider (ISP), the pages viewed on our site, operating system, access times, and referring website addresses
• • Name, Surname
• • Job title
• • Phone number
• • Email address

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis

Nature of the processing

• • Monitoring activities
• • Support and Maintenance
• • Authorization and Authentication of system users
• • Analytics of system usage needed for analyzing the quality of services provisioning
• • Other technical activities needed to perform services as per the Purchase Order, Service Agreement, Order Form or other equivalent engagement agreement.

Purpose(s) of the data transfer and further processing

• • to provide, operate, and maintain services
• • to improve, analyze, personalize, and services
• • to contact Precoro for support
• • to store end-user data

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

One year after the end of the contract

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Lithuanian Supervisory Authority

• a) Security Ownership. The Data Processor has appointed an information security officer responsible for coordinating and monitoring the security rules and procedures.
• b) Security Roles and Responsibilities. The Data Processor personnel with access to personnel data are subject to confidentiality obligations.

• a) General. The Data Processor informs its personnel about relevant security procedures and their respective roles. The Data Processor also informs its personnel of the possible consequences of breaching its security policies and procedures. Employees who violate security policies may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker or contractor may result in the termination of his or her contract or assignment with the Data Processor.
• b) Training. The Data Processor personnel with access to personal data receive:
  • I. annual mandatory training regarding privacy and security procedures for the Services to aid in the prevention of unauthorized use (or inadvertent disclosure) of personal data;
  • II. annual training regarding effectively responding to security events;
  • III. training is regularly reinforced through refresher training courses, emails, posters, notice boards, and other training materials.

• a) Devices. Data Processor personnel use trusted devices/corporate desktops and laptops, and corresponding controls are applied to non-enrolled devices. A full suite of anti-malware products is operated in real-time on all Data Processor’s servers and computers.
• b) Removable Media. Where necessary, removable media ports are restricted from being connected to media without prior authorization.
• c) Software. New software is installed and tested on isolated systems to prevent the infection of live operating systems.
• d) Updating. All software including the operating system and the anti-malware software on the machines is updated and patched frequently.

• a) Access Policy. An access control policy is established, documented, and reviewed based on business and information security requirements.
• b) Access Recordkeeping. The Data Processor maintains a record of security privileges of its personnel that have access to personal data, networks, and network services.
• c) Access Authorization.
• d) Updating. All software including the operating system and the anti-malware software on the machines is updated and patched frequently.

• I. The Data Processor has data access policies that implement the following:
• i. Principles of least privilege and need to know basis access;
• ii. Regular access rights reviews;
• iii. Traceability of every login to a single person;
• iv. Lock-outs of accounts due to failed login attempts;
• v. Locking access of unattended laptops/devices after 10 minutes of inactivity;
• vi. Clean desk and clear screen controls;
• vii. Regular review of unauthorized access events (on a weekly or per need basis).


• II. The Data Processor has password policies that follow industry best practices with password length/complexity requirements.

• a. Cryptographic controls:
  • I. The Data Processor maintains policies on the use of cryptographic controls based on assessed risks.
  • II. The Data Processor ensures that the used cryptographic standards adhere to industry standards.
• b. Key management.

  There are measures for managing keys and digital certificates included in cryptographic controls policies.

• 2.1.6 Physical and Environmental Security
  • a. Physical Access to Facilities
    • I. The Data Processor limits access to its facilities where systems that process personal data are located to authorized individuals.
    • II. A security alarm system or other appropriate security measures are in place to provide alerts of security intrusions.
  • b. Protection from Disruptions.
    • I. Data Processor’s facilities are designed in a way that safeguards confidential information and assets;
    • II. Equipment is protected to reduce risks from unauthorized access, environmental threats, and hazards;
    • III. Equipment is protected from power supply interruption and other disruptions caused by failures in supporting utilities;
    • IV. Power and telecommunications cabling carrying data or supporting information services are protected from interception or damage; and
    • V. Equipment is correctly maintained to help ensure the availability and integrity of confidential information and assets.
  • 2.1.7 Operations Security
    • a. The Data Processor maintains policies describing its security measures and the relevant procedures and responsibilities of its personnel who have access to personal data and to its systems and networks.
    • b. Timely update. The Data Processor continues to update its operational processes, procedures, and/or practices in a timely manner to ensure that they are effective against the latest threats discovered.
    • c. Mobile Devices. When mobile devices are used to access personal data, they are managed according to the Endpoint Protection Policy. In this case, Data Processors’ personnel follow the general code of conduct, recognizing the need to protect accessed data. Technical measures described in p.2.1.3 fully apply to mobile device protection.
    • d. Backup. Backup recovery media, where possible, is kept in an encrypted format.
    • 2.1.8 Communications Security and Data Transfer
      • a. Network policies. The Data Processor has network policies that implement the following:
        • I. Segregation and filtering of traffic between the Internet and Corporate Zones and between different Corporate Zones;
        • II. Intrusion detection capability;
        • III. Access control and password policies on network devices.
      • 2.1.9 System Acquisition, Development, and Maintenance
        • a) Security Requirements. The Data Processor has adopted security requirements for the purchase or development of information systems, including for application services delivered through public networks.
        • b) Change management. The Data Processor has a formal process for making changes in IT services and infrastructure systems that ensures that all changes are made in a thoughtful way to minimize negative impact to services and clients.
      • 2.1.10 Information Security Incident Management
        • a) Response Process. The Data Processor has a robust incident handling and response process that includes the containment of threats, investigation, recovery, and restoration of services. The Data Processor maintains a record of information security breaches with a description of the breach, the severity of the incident, the name of the reporter and to whom the breach was reported, and the procedure for recovering data.
        • b) Reporting. The Data Processor will report within 24 hours to the Data Controller any security incident that has resulted in a loss, misuse, or unauthorized acquisition of personal data processed under this agreement.
      • 2.1.11 Information Security Aspects of Business Continuity Management
        • a) Planning. The Data Processor maintains business continuity and disaster recovery plans for the facilities in which the Data Processor information systems that process personal data are located.
        • b) Data Recovery. The Data Processor’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct personal in its original state from before the time it was lost or destroyed.
      • 2.1.12 Annual Audit
        
        

        Data Processor maintains current independent verification of the effectiveness of its technical and organizational security measures (e.g., SOC2 Type 1 or Type 2, or other relevant industry-recognized independent security review report.) The independent information security review is performed at least annually.

        • 3. Data Retention Period/Data Erasure Procedures
          Personal data is being stored for the period of services provision and no longer than 1 year after termination of the contract unless otherwise required by applicable legislation.
        • 4. Instructions on Transfer of Personal Data to a Third Country or International Organisations
        
        

        The Data Processor shall only disclose the personal data to a third party on documented instructions from the Data Controller. In addition, the data may only be disclosed to a third party located outside the European Union (4) (in the same country as the Data Processor or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

        • I. the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
        • II. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
        • III. the onward transfer is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
        • IV. the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
        
        

        Any onward transfer is subject to compliance by the Data Processor with all the other safeguards under these Clauses, in particular purpose limitation.