License Agreement (LA) including Data Processor Agreement (DPA)

Print Friendly and PDF

The agreement on this page includes the License Agreement and Data Processor Agreement for ExorLive AS.

Click here to get directly to the Data Processor Agreement.

Click here to read our Privacy Policy. 

 

EXORLIVETM LICENSING TERMS AND CONDITIONS

1             INTRODUCTION

1.1          The Agreement

This agreement constitutes a legally binding agreement between you as a Customer

and EXORLIVE AS as a provider of the System. 

At the time of ordering one or more license(s) to the System(s), you must simultaneously accept and enter into the applicable End User License Agreement and Data Processor Agreement with EXORLIVE. Customer who uses the ExorLive application interface must also accept our API Terms and policies.

The Agreement thus consists of three documents which jointly forms the Agreement between you and EXORLIVE AS:

Jointly, the above documents are hereby referred to as the “Agreement”.

The terms and conditions of the Agreement applies jointly and equally for all Versions, unless otherwise expressed in this Agreement.

The Agreement also applies to later Updates of the System, unless the contrary is expressed by EXORLIVE at the release of such Updates. This also applies to any Upgrades or changes to EXORLIVE done as part of a development agreement with a Customer. All changes to the System is the property of EXORLIVE AS.

The Agreement may from time to time be amended by EXORLIVE at its sole discretion, such updates will be announced to you. Furthermore, you warrant that you have, or have obtained, the necessary authority to accept this Agreement.

If you do not agree to the terms and conditions within this Agreement, you are not authorized to copy, download, access, use or install the System and you are under the obligation to immediately end all direct or indirect interaction with the System and to inform EXORLIVE promptly of your non-acceptance for a full refund in accordance with EXORLIVE’s refund policies.

1.2          Conflict of terms and application

In the event that there is any conflict or inconsistency between the terms and conditions of the Agreement, the terms and conditions of the DPA shall survive any other clause of the Agreement, and the EULA shall survive any other clause of the Agreement set forth in this document.

The DPA is non-applicable when this Agreement is solely entered into by and between EXORLIVE and a Customer directly, as EXORLIVE then will be a Controller of the End User’s Personal data.

1.3          Definitions

For the purposes of the interpretation and execution of this Agreement, unless expressly otherwise stated or evident in the context, the following terms in bold shall have the meanings as defined below. The singular, where appropriate, shall include the plural and vice versa.

“Account” shall mean the End User’s account on the System, consisting of inter alia individual username, password and other personal identifiable information to access and use the System.

Agreement” shall have the meaning as set forth in Clause 1.1.

Content” shall mean such Media Elements as published on the System by the Customer and/or the End User.

“Controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data in accordance with the General Data Protection Regulation.

Customer” shall mean such organization, entity or person using the System as an End User or providing access to the System to the End User.

Custom System” shall mean a System or any part thereof that has been configured, amended or tailored by EXORLIVE specifically to the specifications of the Customer.

DPA” shall mean the Data Processor Agreement between the Customer and EXORLIVE as set forth in Annex 2 including any amendments as applicable at any given time.

End User” shall mean the actual ultimate user of the System as a private person, or the individual, private person being processed in the System.

“EXORLIVE” shall mean EXORLIVE AS, a Norwegian limited liability company duly registered with  organization number NO 985 542 597 and its registered business address at Hovfaret 4, 0275 Oslo, Norway, including any and all subsidiaries, branches and departments.

EULA” shall mean the End User License Agreement between the Customer and EXORLIVE as set forth in Annex 1 including any amendments as applicable at any given time.

Fees” shall mean any and all applicable fees of the Agreement in relation to the licensing and use of the System, whether recurrent or non-recurrent, to be paid by the Customer as invoiced by EXORLIVE pursuant to the applicable EULA.

Health Provider” shall mean such Customer that provides health care services to an End User.

Information” shall mean all System pricing, description and availability information provided by EXORLIVE to the Customer in any form, save such information made generally and publicly available by EXORLIVE on its web pages.

License” shall mean such license as granted to the Customer and the End User as set forth in the End User License Agreement Clause 2.1.

“License Agreement” shall mean these Licensing Terms and Conditions.

“Media Elements” shall mean all content present in the System, including but not limited to text, drawings, photographs, videos, sound and image elements, printed materials as well as online electronic documentation.

"Personal data", "processing", "data controller" and "data processor" shall have the meanings ascribed to them in the EU Regulation EU/2016/679 (General Data Protection Regulation).

PII" shall mean Personal Identifiable Information, as defined as “personal data” in the General Data Protection Regulation, and including any data, information, or combination of data and information that is provided by the Customer and/or the End User to EXORLIVE or through usage of the System, and which can be used to identify or locate an individual.

Processor” shall mean a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller in accordance with the General Data Protection Regulation.

Services” shall mean making available the System to the Customer and/or the End User enabling the Customer and/or the End User to use the System functionality, in addition to such additional services which are provided in connection with this, such as support services etc.

System” shall mean the online software application EXORLIVETM, which includes, but is not limited to, the user interface, the application program interface, software, Media Elements and associated information, whether presented in a tangible or non-tangible form on websites owned by EXORLIVE or third parties, as well as mobile and tablet device software applications.

System Key” shall mean the combination(s) of username(s) and password(s) which grants the Customer access to the System.

Updates” shall mean any and all updates, upgrades, changes, supplements, add-on components, or Internet-based services components to the System

Versions” shall mean the different versions, parts or applications of the System.

2             COMMERCIAL TERMS

2.1          Prices and ordering

All prices and Fees stated in the order forms, on the webshop and in the Agreement, are stated in the currency specified.

All prices and Fees are subject to change without prior notice. Customer shall bear any and all applicable local, federal, municipal, regional and other government taxes. Unless otherwise specified, prices and Fees do not include such taxes.

Order acceptance by EXORLIVE occurs at the delivery of the System or System Key(s) to the Customer.

Unless specifically agreed in writing between the Customer and EXORLIVE, no System(s) or System Key(s) are for resale.

EXORLIVE may cancel or refuse any order for any reason whatsoever and EXORLIVE has no obligation to sell such System(s) or System Key(s) if EXORLIVE deems it so.

EXORLIVE’s order confirmation is governed by the terms and conditions of the Agreement as presented by EXORLIVE in its entirety without addition, modification or exception.

All Information is the property of EXORLIVE, and the Customer agrees not to directly or indirectly use, reveal, report, publish, disclose or transfer to any other person or entity any of the Information or utilize the Information for any purpose except as permitted herein, save such cases where such Information already has been made publicly available by EXORLIVE.

2.2Payment terms

Unless specifically agreed otherwise in writing between EXORLIVE and the Customer, the payment for the System(s) including the applicable Fee(s) falls due at the time of order confirmation by EXORLIVE and otherwise with such intervals as set forth in the EULA.

2.3          Shipment and delivery

The System is made available to Customers and End Users as a Software as a Service solution in which the software is licensed to the Customer and the End User on a concurrent subscription basis which is centrally hosted.

EXORLIVE delivers the System Key(s) to the Customer electronically.and individually to each End User to the e-mail address registered by the Customer on the order form.

If the approval of any government or governing organization is required with respect to the Agreement or the intellectual property and other rights in the System(s) or compliance with exchange regulation, Customer shall, at its expense, immediately take whatever steps may be necessary to secure such approvals. If any such approval requires or results in the deletion or amendment of any provision of the Agreement, then EXORLIVE has a right to terminate the Agreement and cancel all outstanding and accepted orders with the Customer.

3             WARRANTY AND LIABILITY DISCLAIMER

3.1          Limited warranty

The System is licensed, not sold. The System is licensed as is and EXORLIVE makes no warranties whatsoever other than those specifically set forth in the Agreement or unless otherwise specifically and expressly are agreed in writing between EXORLIVE and the Customer.

Subject to the timely payment of the license Fee(s), EXORLIVE gives a limited functionality warranty in accordance with the System Level Agreement as applicable at any given time.

In no way, any other implied warranties shall be construed or interpreted as granted by EXORLIVE, its Partners or Suppliers, to the Customer.

EXORLIVE does not warrant the System’s fitness for any particular purpose and in no event, shall EXORLIVE be liable for any direct or consequential damages or damages of any kind or nature alleged to have resulted from any breach of warranty. The disclaimer set forth herein is supplied by the disclaimer set forth in the applicable EULA.

3.2          Limitation of liability

EXORLIVE shall not be liable to the Customer, including, but not limited, to its employees, agents, customers, family or any other party, for any loss, damage or injury that results from the ordering, use or other application of the System, whether for its intended or non-intended purpose, unless the loss or damage results directly from fraudulent acts or omissions of EXORLIVE.

In no event shall EXORLIVE be liable to Customer or any other party for loss, damage or injury of any kind or nature arising out of or in connection with the AGREEMENT, or any agreement into which they are incorporated, or any performance or nonperformance under the AGREEMENT by EXORLIVE, its employees, partners, agents or subcontractors, in excess of the highest amount of US$ 5 or 3 (three) months’ Fee already paid by the Customer to EXORLIVE.

In no event shall EXORLIVE be liable to Customer or any other party for indirect, special or consequential damages, including, but not limited to loss of good will, loss of anticipated profits or other benefit, or other economical loss arising out of or in connection with EXORLIVE’s breach of, or failure to perform in accordance with any of the AGREEMENT, or the furnishing, installation, servicing, use or performance of any System or information EXORLIVE shall provide hereunder, even if notification has been given as to the possibility of such damages. Customer hereby expressly waives any and all claims for such damages. In no event shall EXORLIVE have any liability for any System used directly or indirectly for, with or in connection with medical, lifesaving, life-sustaining or life-improving applications.

4             BREACH OF CONTRACT

4.1          Customer’s breach of contract

The Customer’s breach of the terms and conditions of the EULA shall be considered a breach of the Agreement in its entirety and gives EXORLIVE the unilateral right to cancel the Agreement without further notice.

If Customer fails to make timely payment of any amount invoiced by EXORLIVE, its Partner(s) or its Supplier(s), the Customer will be charged a reminder fee as well as the legal penalty interest, and EXORLIVE shall have the right, in addition to any and all other rights and remedies available to EXORLIVE at law or in equity, to immediately revoke any or all credit extended, to delay or cancel access to the System and/or to reduce or cancel any or all quantity discounts extended to Customer. Customer shall pay all costs of collection including reasonable attorneys’ fees.

Any obligation of EXORLIVE to deliver the System on credit terms shall terminate without notice if Customer files a voluntary petition under a bankruptcy statute, or makes an assignment for the benefit of creditors, or if an involuntary petition under a bankruptcy statute is filed against Purchaser, or if a receiver or trustee is appointed to take possession of the assets of Purchaser.

4.2          Indemnification

Customer agrees to indemnify, defend and to hold EXORLIVE harmless for any breach of the terms or conditions set forth herein, including EXORLIVE’s reasonable attorney’s fees and out-of-pocket expenses as a consequence of the Customer’s breach of the Agreement. EXORLIVE shall have no duty to defend, indemnify, or hold harmless the Customer from and against any or all damages and cost incurred by Customer arising from the infringement of patents or trademarks or the violation of copyrights by the System.

In such cases Customer is also a Health Provider, Customer agrees to indemnify, defend and to hold EXOLIVE harmless for any End User claims made by the End User towards EXORLIVE including EXORLIVE’s reasonable attorney’s fees and out-of-pocket expenses when such claims are made on basis on the System being made available to the End User through the Customer.

4.3          EXORLIVE’s breach of contract

The sole remedy for the Customer in the event of breach of any warranty shall be the repair or replacement of a defective System, alternatively such limited compensation as set forth in Clause 3.2.

5             COMPLIANCE AND CHOICE OF LAW

5.1          Compliance with applicable laws and restrictions

The Customer acknowledges that the System may be controlled under applicable laws of the final destination of the End User.

Customer agrees that it will not export, import, make available or otherwise distribute the System in violation of any applicable laws or regulations in force at the final destination of the System. Customer further warrants that it will not export or re-export, directly or indirectly, the System to embargoed countries or sell or in other ways make available the System to companies or individuals listed on the Denied Persons List published by the American Department of Commerce.

All System delivered to the Customer may have additional restrictions on their use required by the authorities at the final destination. Customer is solely responsible for ensuring its adherence to any and all such restrictions and requirements.

5.2.         Choice of law and jurisdiction

This Agreement shall be construed, interpreted and enforced under and in accordance with the laws of Norway, excluding any and all choice of law rule or principles which might refer to the law of another jurisdiction. At the date of the Agreement, the Customer hereby waives any and all rights to invoke any other choice of law rule or principles which might refer to the law of another jurisdiction. Customer agrees to exercise any right or remedy in connection with the Agreement exclusively in, and hereby submits to, the jurisdiction of Oslo City, Norway. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to the Agreement.

6             MISCELLANEOUS

6.1          Relationship

Customer agrees that it is and will remain an independent party towards EXORLIVE. Customer will not have, and will not represent that it has any power, right or authority to bind EXORLIVE or to assume or create any obligation or responsibility, express, implied or by appearances, on behalf of EXORLIVE or in EXORLIVE’s name except as specifically and expressly agreed upon between EXORLIVE and the Customer. Nothing stated in this Agreement will be construed as constituting the Customer and EXORLIVE as partners or as creating a relationship of employer/employee, franchisor/franchisee, or principal / agent between the parties. Customer will make no warranty, guarantee or representation, whether written or oral, on EXORLIVE’s behalf.

6.2          Notices

All notices, requests, demands and other communications that either party may desire to give the other party must be in writing and may be given by mailing the same by registered mail or –email or via nationally recognized carrier / courier services to the party at the registered address. Notices to EXORLIVE shall be sent to postal address or email listed on www.exorlive.com..

6.3.         Assignment

The Customer may not assign its rights and/or duties under the Agreement without the prior written consent of EXORLIVE given at its sole discretion. Any such attempted assignment shall be void. Notwithstanding the foregoing, EXORLIVE may assign any Agreement including the obligations of performance, fully or in part, to its Partners or Suppliers without further notice to the Customer.

6.4          Partial invalidity

If any provision of the Agreement shall be held to be invalid, illegal or unenforceable in any respect (and whether wholly or to any extent) in any competent jurisdiction, such provision shall be enforced to the fullest extent permitted by applicable law and the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired hereby.

6.5          No Waiver

Failure or delay of EXORLIVE to exercise a right or power under these terms and conditions shall not operate as a waiver thereof, nor shall any single or partial exercise of a right or power preclude any other future exercise thereof.

6.6          Captions

The captions / headlines used herein are for reference purposes only and shall have no effect upon the construction or interpretation of any provisions herein.

 

ANNEX 1 – END USER    LICENSE AGREEMENT

1             INTRODUCTION

1.1          Acceptance of End User License Agreement

This End User License Agreement (“EULA”) constitutes a legally binding agreement between an End-user (“End-user”) or a Customer (jointly referred to as “Customer” and/or “You”) and EXORLIVE AS (“EXORLIVE”) for a license (“License”) to the online software application EXORLIVE TM (the “System”).

By clicking “I Agree” for the desired Version on the user login of the System, or otherwise when copying, downloading, accessing, using or installing the System, you agree to and accept the terms and conditions within this Agreement in its entirety.

The License under this Agreement is applicable for professionals (“Customers” and “Health Providers”) as well as private customers (“End User”). If a License is fully or partly paid and/or provided by a third party, this third party will be considered as a Customer according to the Agreement’s definition and acting on behalf of the actual End- User, with joint and several rights and obligations with regard to the terms and conditions of the License.

The capitalized terms within this End User License Agreement shall have the same meaning to them as ascribed in the License Terms & Conditions Clause 1.2.

1.2          Acceptance of other agreements

The Agreement consists of three documents which jointly forms the agreement between Customer and EXORLIVE AS:

Jointly, the above documents are hereby referred to as the “Agreement”.

The terms and conditions of the Agreement applies jointly and equally for all Versions, unless otherwise expressed in this Agreement.

The Agreement also applies to later Updates of the System, unless the contrary is expressed by EXORLIVE at the release of such Updates. This also applies to any Upgrades or changes to EXORLIVE done as part of a development agreement with a Customer.

The Agreement may from time to time be amended by EXORLIVE at its sole discretion, such updates will be announced to you. Furthermore, you warrant that you have, or have obtained, the necessary authority to accept this Agreement.

If you do not agree to the terms and conditions within this Agreement, you are not authorized to copy, download, access, use or install the System and you are under the obligation to immediately end all direct or indirect interaction with the System and to inform EXORLIVE promptly of your non-acceptance for a full refund in accordance with EXORLIVE’s refund policies.

1.3          Conflict of terms

In the event that there is any conflict or inconsistency between the terms and conditions of the Agreement, the terms and conditions of the DPA shall survive any other clause of the Agreement, and the EULA shall survive any other clause of the Agreement set forth in this document.

 

1.4          Personal Data processing instruction when Agreement is with Customer as a Controller

Customer as a Controller acknowledges that it has chosen to have Personal Data processed by EXORLIVE as a Processor, and as part of the Services within the scope of the System capabilities, which are reflected in the Data Processor Agreement. Therefore, Customer hereby instructs EXORLIVE to provide the Services and Process End User personal data in accordance with the EXORLIVE Data Processor Agreement.

Customer agrees to protect the privacy of End Users by complying with a policy communicated to End Users which is no less protective than the EXORLIVE Privacy Policy Statement as referenced in this Agreement, and at all times present on the EXORLIVE webpage.

 

2             GRANT OF LICENSE

2.1          Scope of License

EXORLIVE hereby grants You a non-exclusive, limited and non-transferable License to access and use the System for its intended purpose on a single computer at a time. A more extensive License may be granted, subject to entering into a separate agreement.

You may under the License make, print and use an unlimited number of copies of any content of the System including documentation, provided that such copies shall be used only for your exclusive and personal purposes and are not republished or distributed (either in hard copy or electronic form).

You may under the License also permit a  third parties access and use your licensed copy of the System for the sole purpose of providing You with technical support and maintenance services. These remote desktop rights do not permit You to use the System on both the device hosting the remote desktop session and an access device at the same time.

EXORLIVE grants the You these License rights provided that You comply with all terms and conditions of this Agreement. Content, options and areas of application for the different Versions may vary from time to time.

2.2          Limitation of license

The System is licensed, not sold, and the above License grant shall not in any way, whether directly or indirectly, be determined to constitute a transfer of ownership of or other interest in any part of the System from EXORLIVE or its Partners and Suppliers to You.

Unless specifically agreed otherwise, the above License does not include any right to:

  1. a) Sale, sub-licensing, renting, leasing, broadcasting, posting or any other form of distribution of any part of the System as part of any collection, System or service to a third party, whether for commercial or non-commercial purposes, unless otherwise expressed in this Agreement or facilitated by the System.
  2. b) Any derivative or indirect use outside the intended purpose of the System, including, but not limited to producing results from the System by using third party software and gaining access to the System outside of the ordinary start up routines.
  3. c) Any other attempt to use, access or copying the source code or databases of the System, including, but not limited to, acts such as reverse engineering, reprogramming, decompilation, or disassembling of the Software.
  4. d) Express or implied endorsement, reference to or association with any System, service, entity or activity relating to EXORLIVE or the System, including, but not limited to any Media Elements, trademark or design, whether registered or non-registered.
  5. e) Creation of obscene or scandalous works.

2.3          Rights in the System

EXORLIVE reserves all rights not expressly granted to the Customer in this Agreement. The System is protected by copyright and other intellectual property laws and treaties.

EXORLIVE, its Partners and its Suppliers own all title, copyright, and other intellectual property rights in the System.

All changes to the System is the property of EXORLIVE AS, regardless whether such changes are initiated by the Customer or not.

 

3             YOUR CONTENT AND CONDUCT

3.1          Submission of Content

You may submit Content into the System, including drawings, images, videos comments and descriptions of exercises. You understand that EXORLIVE does not guarantee any confidentiality with respect to any Content you submit.

You shall be solely responsible for your own Content and the consequences of submitting and publishing your Content on the System.

3.2          Rights to Content

You affirm, represent, and warrant that you own or have the necessary intellectual property rights, including but not limited to licenses, rights, consents, and permissions, to publish any Content you submit.

You further warrant that Content you submit to the System will not contain third party copyrighted material, or material that is subject to other third party intellectual property rights, unless you have permission from the rightful owner of the material or you are otherwise legally entitled to post the material and to grant EXORLIVE all of the license rights granted herein.

You retain your ownership rights in your Content. However, EXORLIVE remains the owner of all exercise programs that are created by and within the System whether they are templates created by EXORLIVE or if they are created by the Customer. EXORLIVE is also the owner of all data output related to the use of the System.

By submitting Content on the System, you hereby grant EXORLIVE a worldwide, non-exclusive, royalty-free, sub licensable and transferable license to use, reproduce, distribute, prepare derivative works of, display, and perform the Content in connection with the System and EXORLIVE's (and its successors' and affiliates') business, including without limitation for promoting and redistributing part or all of the System (and derivative works thereof) in any media formats and through any media channels.

You also hereby grant each End User a non-exclusive license to access your Content through the System, and to use, reproduce, distribute, display and perform such Content as permitted through the functionality of the System.

The above licenses terminate within a commercially reasonable time after you remove or delete your Content from the System, except for user comments submitted which will remain perpetual and irrevocable.

However, you understand and agree that EXORLIVE may retain, but not display, distribute, or perform, server copies of your Content that have been removed or deleted.

You further agree that you will not submit to the System any Content or other material that is contrary to the EXORLIVE Community Guidelines, which may be updated from time to time, or contrary to applicable local, national, and international laws and regulations.

 

3.3          No Affiliation

EXORLIVE does not endorse any Content submitted to the System by any user or other licensor, or any opinion, recommendation, or advice expressed therein, and EXORLIVE expressly disclaims any and all liability in connection with the Content.

3.4          Removal of Content

EXORLIVE does not permit copyright infringing activities and infringement of intellectual property rights on the System, and EXORLIVE will remove all Content if properly notified that such Content infringes on another's intellectual property rights. EXORLIVE reserves the right to remove Content without prior notice and without reason.

4             License fee and termination

4.1License fee and period

In consideration for the License granted to the Customer, the Customer must pay an agreed license fee (“Fee”).

The License runs for consecutive periods of twelve (12) months (“Period”) with upfront invoicing for each Period.

All Fees are subject to change from time to time without further notice. However, Fees will not be changed within a Period already invoiced by EXORLIVE and paid by the Customer.

4.2          Termination of License
The License must be terminated in writing by the Customer before the next Period has started

No full or partial refund of the Fee may be granted without EXORLIVE’s express approval, such approval to be given or refused at EXORLIVE’s sole discretion and without any reason whatsoever.

In the event that EXORLIVE changes its invoicing routines, such termination will be valid at the time the termination has been received by EXORLIVE. The Customer will then be notified of such new routines well in advance of such change.

Upon any breach or threatened breach by the Customer of any of the terms and conditions set forth in this Agreement, EXORLIVE has the discretionary right to revoke the License and to terminate the System account with immediate effect and without further notice.

4.3          Support services

EXORLIVE may provide the Customer with System support services related to the System, including the automatic delivery of Updates. However, this Agreement does not obligate EXORLIVE to provide any support services or to support any software provided as part of those services.

The delivery and use of any such support services is governed by EXORLIVE’s policies and programs as applicable from time to time.

Any software EXORLIVE may provide the Customer as part of support services is governed by this Agreement, unless separate terms are provided.

 

5             Information and security

5.1          Usernames and passwords

The Customer is under the obligation to keep all usernames and passwords secret and not to divulge or share any part of it with any third party.

5.2          Collection of non-identifying information

The Customer hereby agrees that EXORLIVE and its Partners, Suppliers, and affiliates may collect, use and save statistical, technical and other non-identifying information gathered as part of EXORLIVE’s applicable System monitoring, analysis, enhancement and support programs.

EXORLIVE may use this information to improve EXORLIVE’s Systems or to provide customized services or technologies to the Customer, EXORLIVE or EXORLIVE’s Partners but will not disclose this information to any third party in a form that personally identifies the Customer as an individual.

5.3          Collection of personal identifiable information

To use the Services, you as a Customer or End User need to create a System account (“Account”).

When an Account is created, the System will collect certain Personal data, “PII”, that can be used to identify You. EXORLIVE will only use such PII for the purposes of providing the Services to You.

EXORLIVE may also collect other information about You which might not be PII. This information will only be used for purposes of providing the System services to You.

End Users that activate an Account may receive emails and messages from his Health Provider via EXORLIVE related to the exercise programs that are created. The Health Provider is a Controller of Personal data processed in the System when they are defining the purpose, may assemble and use the System to process Personal data and will be able to access the End User’s Personal data (for instance exercise logging). The Health Provider can also collect data of and from the End User when participating in questionnaires prepared by EXORLIVE or the Health Provider.

If you provide user feedback or contact us via email, we will collect the End-users name and email address as well as any other content included in the email or feedback, in order to send a reply or in order to improve the System services. For such purposes, EXORLIVE is a Controller of the End-user’s Personal data.

5.4          Audit

Furthermore, the Customer agrees that EXORLIVE may audit Customers use of the System for compliance with these terms at any time. In the event that such audit reveals any use of the System by the Customer other than in full compliance with the terms of this Agreement, the Customer shall reimburse EXORLIVE for all reasonable expenses related to such audit and Customer shall be liable for any Fee discrepancies.

 

6             Disclaimers and limitation of liability

6.1          Health disclaimer

The System is not a substitute for professional medical advice or a medical exam. Prior to participating in any exercise program or activity, you should seek the advice of your physician or other qualified health professional.

You agree that no health information provided by the System will be used to diagnose, treat, cure or prevent any medical condition without consulting a licensed physician. Application or reliance of the techniques, ideas, and suggestions accessed through the System is at your sole discretion and risk.

The System is only for informational purposes, and all output through the System is automated according to algorithms and program code. Your Health Provider may have customized the information for you at his / her own sole discretion and EXORLIVE makes no representations or warranties regarding the suitability or accuracy of such customization. You understand and agree that EXORLIVE makes no representations or warranties with regards to any desired or undesired health effect or other outcome or information through usage of and reliance on the System.

6.2          General disclaimer

EXORLIVE, including its Partners and Suppliers provides the System and support services (if any), as is, and with all faults and flaws, and hereby disclaim all other warranties and conditions, whether express, implied or statutory, to the maximum extent permitted by applicable law, This shall include but not be limited to, any potentially implied warranties, duties or conditions of merchantability or fitness for particular purpose, of reliability or availability, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses and malware, and of lack of negligence, all with regard to the System, and the provision of or failure to provide support or other services, information, software and related content through the System or otherwise arising out of the use of the System. Furthermore, there is no warranty or condition of title, quiet enjoyment, quiet possession, correspondence to description or non-infringement with regard to the System. The entire risk as to the quality or arising out of the use or performance of the System and any support services remains with the Customer.

6.3 Exclusion of damages etc.

To the maximum extent permitted by applicable law, in no event shall EXORLIVE or its Suppliers be liable for any special, incidental, punitive, indirect or consequential damages whatsoever (including, but not limited to, damages for loss of profits or confidential or other information, for business interruption, for personal injury, for loss of privacy, for failure to meet any duty, including of good faith or of reasonable care, for negligence, and for any other pecuniary or other loss whatsoever) arising out of or in any way related to the use of or inability to use the software, the provision of or failure to provide support or other services, information, software and related content through the System, or otherwise under or in connection with any provision of this Agreement, even in the event of the fault, tort (including negligence) misrepresentation, strict liability, breach of contract or breach of warranty of EXORLIVE or any supplier, and even if EXORLIVE or any supplier has been advised of the possibility of such damages. Furthermore, EXORLIVE will have no liability for any claim of breach or infringement based on any modification or unauthorized use of the System by other parties than EXORLIVE, including its Partners and Suppliers.

6.4 Limitation of liability

Notwithstanding any damages that the Customer might incur for any reason whatsoever (including, without limitation, all damaged references herein and all direct or general damages in contract or anything else), the entire liability of EXORLIVE and any of its Suppliers under any provision of this Agreement and your exclusive remedy hereunder shall be limited to the highest of US$ 5 or net Fee(s) earned by EXORLIVE during a period of 3 months under the relevant Agreement with this specific Costumer. The foregoing limitations, exclusions, and disclaimers (including Sections 5 and 6) shall apply to the maximum extent permitted by the applicable law, even if any remedy fails its essential purpose.

7             Choice of law

7.1          Applicable law

This Agreement shall be governed by and construed in accordance with the laws of Norway.


Each party irrevocably agrees to submit to the non-exclusive jurisdiction of the courts of Oslo City, Norway, over any claim or matter arising under or in connection with this Agreement or the legal relationships established by this Agreement.

 

 

 

Annex 2 – Data Processor Agreement

Data Processor Agreement

This Data Processor Agreement “DPA” shall be effective as from the date of signature between:

undersrift_jorgen_en_2023.png

In the following, the Controller and the Processor are collectively referred to as the “Parties” and separately as a “Party”.

The Parties have agreed on the following contractual clauses in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Controller to the Processor of the personal data specified in this DPA.

1          Definitions

The definitions below apply to this DPA:

Data Protection Legislation:

means the following legislation:

(a) National Legislation implementing the Data Protection Directive (95/46/EC) and the Directive on Privacy and Electronic Communications (2002/58/EC);

(b) the GDPR; short for the EU General Data Protection Regulation, repealing the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. Unless otherwise specified, all references to the GDPR include references to National Legislation implementing the GDPR;

(c) the E-Privacy Regulation, meaning proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC, if or when implemented into National Legislation; and

(d) any other National Legislation regulating privacy and Personal Data, including, but not limited to, the Norwegian Personal Data Act and accompanying Personal Data Regulation entering into force from 2018.

Personal Data:

mean any personal data as defined in the Data Protection Legislation, including as defined in the GDPR art. 4 (1), “any information relating to an identified or identifiable natural person (data subject), and that the Processor processes on behalf of Controller.

Process/Processing:

means activities defined as Processing in the Data Protection Legislation, including as defined in GDPR art. 4 (2), as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal Data Breach:

means, as defined in GDPR art. 4 (12), a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.

Controller:

means any natural and legal person which, alone, determines the purposes and means of the Processing of Personal Data.

Processor:

means any natural and legal person which processes Personal Data on behalf of the Controller.

Sub-processor(s):

means any other processor, or third parties, Processing Personal Data which the Processor engages, intentionally or unintentionally, for carrying out specific Processing activities on behalf of the Controller, including entities and affiliates.

Third Country or International Organization:

means a territory or an international organisation, which does not offer an adequate level of protection as required by the Data Protection Legislation, for example countries outside of the European Economic Area (“EEA”).

 

2          Appendices

There are no appendices.

3          Purpose

This DPA is an Appendix to the License Agreement (“License Agreement”) between the Parties, when this License Agreement involves Processing of Personal Data on behalf of the Controller. Capitalised terms used but not defined in this DPA shall have the same meaning ascribed to such term in the License Agreement, unless the context requires otherwise. In case of any conflicts or inconsistencies between this DPA and the License Agreement, the provisions in this DPA shall prevail.

This DPA shall regulate rights and obligations of the Processing between the Parties in accordance with relevant Data Protection Legislation.

The DPA shall ensure that Personal Data is not used unlawfully and does not come into the possession of any unauthorised party.

In addition to Processing Personal Data as part of the License Agreement, the Parties acknowledge that the Processor may also Process Personal Data as a Controller for the purpose of, or in connection with: (i) applicable legal or regulatory requirements; (ii) requests and communications from competent authorities; and (iii) administrative, financial accounting, risk analysis, and client relationship purposes.

Any amendments to this DPA, as well as any additions or deletions, must be agreed in writing by both Parties.

4          The Processing activities

4.1         Subject-matter and purpose of the Processing

The Processor will access Personal Data from the Controller for Processing purposes in connection with the License Agreement. This include: External hosting, management, support, and maintenance of the System and related services, and appurtenant deliveries by Processor to Controller. Provide relevant assistance, such as remotely accessing the Controllers Personal Data on the request of the Controller and in relation to support and other maintenance.

The duration of the data Processing activities is for the period which the License Agreement remains valid and in force.

Processors purpose for the collection, Processing and use of Personal Data from Controller is to provide the Services stated above. Processor will not store Personal Data in a greater extent than necessary in order to provide the Services. With reference to the General Data Protection Regulation article 20, Processor is no longer a data processor under this DPA in relation to the End User in question, when the End User asks to port his / her data to a new End User account or to a new Controller.

The Processor shall not use the Personal Data for any other purpose then as described in this DPA.

The Processing of the Personal Data by the Processor shall take place within the framework of this DPA and the Services as stated above, and only under documented instructions from the Controller by the Controller.

The Personal Data may be Processed by the Processor for the purpose or in connection with applicable legal or regulatory requirements, requests and communications from competent authorities. In such circumstances, the Processor shall provide prior notice to the Controller, unless the relevant law or regulatory authority prohibits the giving of notice on important grounds of public interest.

Each party shall comply with Data Protection Legislation when Processing Personal Data.

4.2         Type of data and data subjects

The Processor will access Personal Data from the Controller through the purposes of the License Agreement. The Processor does not have the right to process the Personal Data for any other purpose.

The categories of Personal Data may include general contact information, telecommunications data, open text fields, electronic identification, special categories of personal data, financial information, personal characteristics, behavioural data etc.

Name

              Title

              ID number, social security number

Health information

Professional address

Commercial address

Business address

Birth date

Telephone Number

Email address

IP addresses

Precise location data (GPS positions)

Customer will create their own internal policy which personal data that is to be allowed or entered into the System when activating the Account.  The System is used to create exercise programmes to people.

The Personal Data which will be Processed is mainly of data subjects such as: employees, customers, vendors, clients and prospective clients.

4.3         Geographic location

The Processing of the Personal Data shall predominately take place in a member state of the European Economic area. The Processor may only transfer Personal Data to Third Country or International Organization where it has a lawful basis for that transfer under Articles 44-49 of the GDPR, it is necessary for the performance of the License Agreement and if agreed upon in writing by the Controller. No Personal Data may be transferred outside the EEA before a written agreement is in place.

Under this DPA, the Parties have agreed that the Processor is entitled to process Personal Data in the following geographic locations;

  • The personal data is stored in Microsoft’s Azure cloud solution, and the data is accessed by ExorLive AS from head office address: Hovfaret 4, 0275 Oslo, Norway.
  • Address for Microsoft (sub-processor) is:

Microsoft Ireland Operations Ltd,

Att: Data Protection

Carmenhall Road

Sandyford, Dublin 18,

Irland

An exemption is where the transfer is required by National legislation to which the Processor is subject. In such cases, the Processor shall inform the Controller of that legal requirement before Processing takes place, unless that law prohibits such information on important grounds of public interest.

4.4         Sub-processing

Personal Data may be disclosed to, and processed by Sub-processors to the extent reasonably necessary. The Processing and disclosure of Personal Data referenced in this clause may involve the transfer of Personal Data to Third Countries or International Organizations: In this case, appropriate safeguards in accordance with relevant Data Protection Legislation must be applied.The Processor shall inform the Controller of its intention to engage a new Sub-processor, three months in advance. The Controller shall have the opportunity to reasonably object the appointment of a new Sub-processor. If the Controller objects, the Controller may terminate the License Agreement if the Controller cannot present sufficient documentation of the reasons of objection.

The Controller shall notify the Processor of such objections in writing within 30 days after receipt of the Processor’s notice relating to such use of Sub-processor.

The Controller has approved the Sub-processor(s) listed in Chapter 4.3 above.

The Controller shall be granted information from the Processor, upon written request, on the substance of the contract and the implementation of the data protection obligations within the sub-contract relationship.

The Processor shall ensure that it has a written contract with any Sub-processors it engages to Process Personal Data. In this contract, the Sub-processor(s) must acknowledge the Processor's contractual and legal obligations under this Data Processor Agreement and Personal Data Protection Legislation and comply with equivalent obligations as the Processor. The Processor shall disclose sufficient information regarding these contracts upon the Controllers request.

The Parties agree that The Processor is not required to obtain Controller’s authorisation under this Clause for involving, adding, or replacing Sub-processors or other third parties merely having incidental access to Personal Data (e.g., in the context of system maintenance), but not actively participating in the Processing of Personal Data or Processing the Personal Data for its own purposes.

5          Processor’s obligations

5.1         Processing on behalf of the Controller

The Processor Process Personal Data on behalf of the Controller. The Processor has the obligation to:

  1. Processes Personal Data only on documented instructions from the Controller;
  2. Only disclose Personal data to its personnel or Sub-Processor personnel as necessary to perform its obligations under the DPA and ensure that such personnel is subject to appropriate statutory or contractual confidentiality obligations;
  3. Takes all measures required pursuant to the GDPR article 32;
  4. Engages a Sub-processor only in accordance with this DPA;
  5. Assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in GDPR Chapter III;
  6. Assists the Controller in ensuring their compliance with the obligations pursuant to the GDPR articles 32 to 36 taking into account the nature of Processing and the information available to the Processor;
  7. At the cost of the Processor, makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, as further regulated in section 7 of this DPA.
  8. The Processor shall immediately inform the controller if, in its opinion, an instruction from the Controller infringes Data Protection Legislation.

5.2         Technical and organisational measures

The Processor shall provide sufficient guarantees of implementation of appropriate technical and organisational measures in such a manner that Processing meet the requirements of this DPA.

The Processor shall maintain a record of Processing activities under its responsibility on behalf of the Controller, including maintaining a record of categories of Processing activities carried out on behalf of the Controller.

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the Processing. These measures shall also be able to demonstrate that Processing is performed in accordance with this DPA. The Processor can take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, but such account shall be in accordance with the requirements of the GDPR article 32.

The Processor has implemented, as appropriate, technical and organisational measures to ensure:

  1. The pseudonymisation and encryption of personal data where appropriate;
  2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
  3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing, and amending where necessary;
  5. The ability to prevent Personal Data from being accessed or used, including read, copied, modified and deleted, without appropriate authorization.

The Processor shall implement, and if necessary update, technical and organisational measures according to all relevant Data Protection Legislation, including, but not limited to, the GDPR article 28 and 32.

Security in EXORLIVE is enforced by a strict security policy, and does not permit entities to be accessed or manipulated across organisations. Within the organisation, security is role based and users can be given administrative roles on a unit/department level.

The System is always accessed over SSL, safeguarding the information being exchanged between the client and the server. EXORLIVE store only a hash of the user’s password, and when authenticating through EXORLIVE’s regular interface, salt, hashing, and a short-lived challenge is used to ensure that message replay cannot be used to wrongfully gain access.

External services are required to use the SSL enabled endpoints to ensure transport security. The system provides integrity by ensuring that users are not able to insert or edit entities they are not authorized for.

Actions are logged.

Safety measures and procedures against external attacks: We are partners with Microsoft and keep our technical staff updated on the current system and security solutions. Through Azure as a sub-processor, we ensure with Microsoft that our services are always up to date on security and latest security patches; Always running the latest version of important software; Logging of all attempts at login; Performance of manual vulnerability tests.

EXORLIVE satisfies the requirement for built-in privacy.

EXORLIVE is classified as a medical software in risk Class 1. This is the lowest risk class.   ExorLive is CE certified.

 

5.3         Obligation to notify

The Processor shall notify the Controller without undue delay about:

  1. If, in its opinion, an instruction from the Controller infringes regulations and provisions on the Processing;
  2. Any request for disclosure of Personal Data by a law enforcement authority unless otherwise prohibited by law;
  • Accidental, unauthorised access, or other event that constitutes or may constitute a Personal Data Breach; and
  1. Any request received directly from the data subjects, and without responding to that request, unless it has been otherwise authorised to do so. There is no obligation to notify the Controller of requests received to and from the System itself, for example when the End-User enters requests not concerning the Customer or Health Provider, i.e asks for portability.
  2. The Processor obliges to assist the Controller in its contact with supervisory authority or data subjects after such notification is given. This service will be invoiced according to ExorLive price list.

After giving notice about a Personal Data Breach, the Processor has to give further description of:

  1. The nature of the breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. And describe the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Further, the Processor shall, if possible, assist the Controller in assessing the likely consequences of the personal data breach.

If the Processor cannot provide compliance or foresees that it cannot comply with its obligations as set out in this DPA or it’s obligations under the Data Protection Legislation, for whatever reasons, it agrees to promptly inform the Controller of its inability to comply, in which case the Controller is entitled to suspend the transfer and further Processing of Personal Data.

6          Liability

The Controller will ensure that any Personal Data provided to the Processor by, or on behalf of, the Controller has been collected lawfully, fairly, and in a transparent manner so as to enable Personal Data to be Processed by The Processor and Sub-processors.

Controller acknowledges that it has primary responsibility for the Processing of Personal Data as part of the License Agreement and shall notify Processor of any assistance it requires pursuant to GDPR Article 28(3) e and f. Controller shall pay The Processor for any reasonable costs incurred in providing such assistance within 30 days of receiving an invoice for such costs.

Controller indemnifies the Processor against all costs, expenses (including legal expenses), damages, losses (including loss of business or loss of profits), liabilities, demands, claims, actions, or proceedings, which Processor may incur arising out of:

  1. Processor compliance with any instruction given by the Controller to the Processor in relation to the Processing of Personal Data (including instructions in connection with requests from individuals exercising their rights under Data Protection Legislation and any instructions to retain, disclose, amend, or otherwise Process Personal Data);
  2. any breach by the Controller of the Data Protection Legislation; or
  • Personal Data Breach inflicted by the Controller.

Processors liability is regulated by the License Agreement.

No limitation of liability shall apply on any Parties in case of fraud, wilful intent, death and physical injury resulting from a Party’s negligence.

Liability for material or non-material damage upon a data subject shall be regulated according to the GDPR art. 82.

If the Processor infringes the Data Protection Legislation by determining the purposes and means of Processing in breach with this DPA, the Processor shall be considered to be a controller in respect of that Processing.

7          Security audits

The Processor undertakes to give the Controller access to all information necessary to demonstrate compliance with the obligations laid down in this DPA and to perform security audits.

Such security audits may include, where necessary, inspections and evaluations of systems, organisation, security measures and all use of communication partners and providers that are covered by this DPA.

Where additional audit and/or information to demonstrate the Processor’s compliance with this DPA is required by Controller as a result of a legal obligation, the Processor shall, on Controller’s written request, allow an independent auditor nominated by the Processor to carry out a security audit of that compliance on behalf of the Controller.

Nothing in this clause shall entitle the Controller, or any auditor, to access activities, records, information, or any other material in any form:

  1. relating to other clients of the Processor;
  2. not relevant to Processing of Personal Data;
  3. which is commercially-sensitive information; or
  4. which is legally privileged or subject to confidentiality obligations (either at law or contract) owed by the Processor to a third party.

Controller shall treat any records, information, or other materials in any form (together, the “Materials”) obtained by or accessible to the Controller arising from the security audit as the Processor’s confidential information and shall treat the Materials as strictly confidential and not disclose the Materials to any third party or use the Materials otherwise than in connection with the documentary audit.

The security audit may only be conducted following written agreement between the Controller and the Processor on the commencement, duration, and scope of such audit.

Controller shall pay the costs of the auditor and any reasonable costs incurred by The Processor in connection with any security audit and/or the making available of any information or materials to demonstrate the Processor compliance with this clause.

8          Confidentiality

Personal Data shall always be considered as confidential information. Personal Data that comes into the possession of the Parties in connection with the DPA and License Agreement shall be kept confidential, and shall not be disclosed to any third party without the consent of the Controller.

The Parties shall take all necessary precautions to prevent unauthorised persons from gaining access to, or knowledge of, confidential information.

The confidentiality obligation shall apply to the Parties’ employees and Sub-processors who act on behalf of the Parties in connection with the execution of the DPA and License Agreement. The Processor may only transmit confidential information to such Sub-processors to the extent necessary for the execution of the DPA and License Agreement, and provided that they are subjected to a contract as stipulated in this DPA section 4.4, and a confidentiality obligation corresponding to that stipulated in this DPA. Before any of its Sub-processors may be given access to confidential information, each Sub-processor shall agree to be bound by a confidentiality undertaking comparable to the terms of this DPA.

The confidentiality obligation shall continue to apply after the expiry of the DPA. Employees or others who resign from their positions with the Parties shall be subjected to a confidentiality obligation following their resignation as well, as far as factors mentioned above are concerned. The confidentiality obligation shall lapse ten (10) years after the DPA comes to an end, unless otherwise is stipulated by law or regulations.

9          Duration and termination

This DPA take effect from the date of signature by the Parties and shall continue in full force and effect until the termination of Processing on behalf of the Controller.

The Controller has the right to revise this DPA if necessary after the implementation of GDPR and the E-Privacy Regulation in Norwegian law, or if new Data Protection Legislation comes into force.

With reference to the General Data Protection Regulation article 20, the End User can give instructions to keep Personal data in the System, either under a new controller (EXORLIVE or a new Customer or Health Provider), or to continue having the Account in the System. This right shall include the right to port exercise programs, also in cases where these exercise programs do not including Personal data.

The Parties agree that on the termination of the provision of the License Agreement, the Processor and the Sub-processor shall, at the choice and instruction of the Controller,

  1. Either return all Personal Data, either transferred to the Processor and/or Processed on behalf of the Controller, or;
  2. Destroy all Personal Data and certify to the Controller that it has done so.
  • If the End User her/himself has given instructions to port his data to another Account, or created a new Account, these data can not be demanded returned or deleted.

At termination of Processing activities, the Controller is responsible that all access to the Controllers systems shall be closed for the Processor and its personnel.

If mandatory legislation imposed upon the Processor prevents it from returning or destroying all or part of Personal Data transferred, the Processor warrants that it will guarantee the confidentiality and Processing of Personal data in accordance with this DPA, and not actively Process the Personal Data anymore. The Controller shall be notified of such prevention of deletion and/or destruction of Personal Data.

The Processor is entitled to reasonable compensation for fulfilment of the obligations mentioned above in (i) and (ii).

For the avoidance of doubt, nothing in this clause shall require the Processor to delete copies of data that it holds on its own behalf as controller.

10       Choice of law and legal venue

This DPA shall be governed by and construed in accordance with Norwegian law and the Parties accept the Oslo Municipal Court, Norway, as the court of venue. This shall also apply after the DPA expires.

***

Last edited 26.10.2023