1. ExorLive Help Centre
  2. Legal
  3. Legal

License Agreement (LA) including Data Processing Agreement (DPA)

Avatar
Print Friendly and PDF

The agreement on this page includes the License Agreement, License Terms and Data Processing Agreement for ExorLive AS.

Click here to go directly to the License Terms

Click here to go directly to the Data Processing Agreement.

Click here to read our Privacy Policy. 

Click here to read our API Terms of Service

License Agreement

Introduction

This License Agreement is entered into between ExorLive (“Licensor”) and you, hereinafter referred to as the "Licensee."

This Agreement is integrated with and used in conjunction with the associated Data Processing Agreement, Service Level Agreement, API Terms, and License Terms. Together, these documents constitute the complete agreement between the Parties and govern the use of the ExorLive system (hereinafter referred to as the “System”), including related features and integrations, as well as the processing of personal data. These documents are collectively referred to as the “Agreement.”

By installing, copying, accessing, or otherwise using the System, including via API access, you confirm that you have read, understood, and accepted all terms and conditions of this License Agreement as well as the associated Data Processing Agreement, License Terms, API Terms, and any applicable supplemental agreements.

The Licensee acknowledges and agrees that compliance with each of these agreements is a condition for using the System.

In the event of any inconsistencies between the documents, the terms of this License Agreement shall prevail, except for provisions concerning data protection, in which case the Data Processing Agreement shall take priority in matters related to personal data protection.

Scope of the License

ExorLive is a system that offers a comprehensive tool for training and health, aimed at coaches, physiotherapists, healthcare professionals, and end users. The platform provides users access to a large database of exercises that can be customized and compiled into individual training programs. ExorLive makes it easy to create and share personal training plans with clients and patients.

The Licensee has purchased a license to use the System via completed purchase through the order form on the Webshop, under the terms outlined in the Agreement and specified in the order confirmation.

Delivery

The System is made available to the Licensee as a Software as a Service solution. The software is license-based and hosted on a central server.

The Licensor provides system key(s) to the Licensee at the email address registered at the time of purchase.

Rights – Licensee

The Licensee has all rights to all data provided to the Licensor or generated or stored as part of the use of the System. The Licensor is only entitled to use the Licensee’s data for the purposes specified in the Agreement.

The Licensor acknowledges that data under this provision is considered the Licensee’s confidential information.

In the event of full or partial termination or cessation of the Agreement, regardless of the reason, the Licensor is obligated to assist the Licensee, where relevant and necessary, in transitioning all data to the Licensee, other suppliers, or authorities.

The Licensor is entitled to compensation for assistance with the transition. Compensation is provided according to applicable hourly rates.

Duration and Termination

Licenses take effect on the order date and thereafter run for the license period with automatic renewal.

The length of the license period is specified at the time of purchase.

The Licensee may terminate this License Agreement with written notice effective at the end of the license period.

If the Licensor has not received the Licensee’s written termination by the end date of the license period, the Licensee will be bound by the Agreement for an additional License Period.

License Fee

The license fee is described in the order form on the Webshop.

The applicable price for the delivery of the licensed product is adjusted annually, effective from the date the license takes effect.

The price adjustment is intended to address increased costs for the operation and development of the System and its features.

Notification of price changes may be given by sending an invoice before the end of the relevant subscription period. If the Licensee cannot accept the price changes, the Licensee has the right to withdraw from the Agreement at the end of the current subscription period by giving written notice to the Licensor within 14 days from the invoice date.

Invoicing and Payment Terms

The license becomes payable at the time of order or as stated on the issued invoice.

If the Licensee chooses to purchase an additional license service during the License Period, that license will be invoiced at the time of purchase. Invoicing will cover the period until the end of the original License Period.

Upon renewal of the License, the purchased add-on will be integrated with the submitted web order, which will then constitute the complete License.

Invoicing will then take place annually for one year at a time and will be payable as stated in the electronically issued invoice.

If the final due date is not a banking day, the payment date is postponed to the next banking day.

In case of late payment, the Licensor is entitled to charge interest in accordance with the provisions of the Norwegian Act relating to Interest on Overdue Payment.

Service

The Licensor’s service policy and service objectives regarding installation, use of, and access to the System for the Licensee, its employees, and contacts are governed by the Licensor’s Service Level Agreement.

Personal Data

The Licensor is obligated to ensure that the applicable Norwegian personal data legislation is observed for the processing carried out by the Licensor—especially the General Data Protection Regulation and the Data Protection Act.

As the delivery of the System by the Licensor involves the processing of personal data, the Parties commit to entering into a data processing agreement that complies with applicable data protection laws.

This data processing agreement is integrated into this agreement and is concluded by the Licensee’s use or acceptance of the agreement.

The Licensor is not responsible for ensuring that the Licensee complies with its own obligations under applicable law, including as data controller.

Warranty

The System is licensed, not sold. The Licensor makes no warranties of any kind, except those specifically stated in the Agreement or unless otherwise explicitly agreed between the Licensor and the Licensee.

Breach by the Licensor

A defect from the Licensor exists if the delivered product does not meet the stated warranties or otherwise fails to function according to the Licensor’s intended purpose and the content of the Agreement.

The Licensor is obligated, upon the Licensee’s request, to promptly remedy the identified defects. If remediation is not possible or if the Licensee has unsuccessfully attempted to remedy a defect several times, the Licensee may be entitled to compensation in the form of Service Credits, which will be credited to the invoice for the next license period. The amount is determined in dialogue with the Licensor or in accordance with the Service Level Objectives for availability, if the defect is covered thereby.

Confidentiality

The parties must observe confidentiality to the usual extent for matters not generally known. Confidentiality is especially emphasized in the data processing agreement for the matters covered therein.

However, the Licensor may list the Licensee on a reference list on its website once delivery has taken place. Any other marketing by the Licensor concerning the Licensee may only occur with the Licensee’s consent.

Breach by the Licensee

If the Licensee breaches its payment obligations under the Agreement, the Licensor is entitled to charge interest in accordance with the rules of the Norwegian Act relating to Interest on Overdue Payment.

Furthermore, the Licensor is entitled to terminate the Agreement if the Licensor has issued a written notice to the Licensee specifying the breach and stating that failure to comply within 14 working days will result in termination, and the Licensee fails to fulfill its obligations within the deadline.

Liability

The parties are liable for damages in accordance with the general rules of Norwegian law.

The parties are under no circumstances liable for loss of operations, consequential damages, or other indirect losses. Loss of data is considered an indirect loss.

The Licensor’s liability under the Agreement is limited to an amount corresponding to 3 months’ license fee for the specific module that gave rise to the claim.

However, the above limitations of liability do not apply to grossly negligent or intentional acts or omissions.

Insurance

Throughout the duration of the Agreement, the Licensor must maintain liability insurance covering damages that employees may cause in connection with the delivery of the license, and be insured against incorrect advice if the Agreement includes a consultancy service.

Assignment

The Licensee may not assign rights and/or obligations under this Agreement without specific prior written consent from the Licensor. Any such attempted assignment shall be considered invalid.

Notwithstanding the above, the Licensor has the right to assign any agreement, including obligations and performance, in whole or in part, to its partners or suppliers without further notice.

Force Majeure

Neither party shall be held liable to the other under the Agreement for circumstances beyond the party’s control which, at the time of entering into the Agreement, could not have been foreseen, avoided, or overcome, including but not limited to war and mobilization, civil unrest, natural disasters, strikes, lockouts, failure of raw material supplies, epidemics, pandemics or other outbreaks of serious human illness, fire, damage to production equipment, disruption of general transportation, including energy supply, and import and/or export bans. 

Conditions affecting a party’s supplier shall be considered force majeure for that party if the supplier faces a similar impediment and could not have avoided or overcome it, even by using an alternative supplier.

Sanctions and Export Control

The Licensor is obligated to ensure that implementation of the License Agreement at all times does not involve a breach of sanctions, export control rules, embargoes, and similar measures, including but not limited to EU Regulation 833/2014 as most recently amended by EU Regulation 576/2022, Article 1, no. 23, and any future amendments.

Throughout the agreement period, the Licensor is obligated to immediately give written notice of any changes to ownership, control of the Licensor or any subcontractors, and any other matters relevant to compliance with sanctions, export control rules, embargoes, and similar measures.

Governing Law and Jurisdiction

The Agreement is governed by Norwegian law.

If a dispute arises between the parties in connection with this Agreement, the parties must attempt to initiate negotiations with a positive, cooperative, and responsible attitude to resolve the dispute. If necessary, the negotiations should be escalated to the highest level within the parties’ organizations.

If the parties cannot find a resolution after attempted mediation, either party may initiate legal proceedings at its discretion.

Any dispute arising in connection with the Agreement, including disputes concerning the existence or validity of the Agreement, shall be settled by the Oslo City Court.

 

License Terms

The License Terms constitute an addendum to the license agreement and are intended to set out the legal terms and conditions under which a Licensee is entitled to use the ExorLive System.

1. Definitions

Agreement: The complete contractual terms governing all rights and obligations between the parties.

Licensor: ExorLive AS.

Licensee: The customer, including both individual and organizational users, who has entered into an agreement with the Licensor for delivery of the Licensed Material.

Licensed Material: The Licensor’s online products to which the Licensee has obtained access, subject to these License Terms. Also referred to as the “ExorLive System” or “the System.”

License Right: The Licensee’s right to use the Licensed Material, obtained by accepting the License Terms and paying the associated license fees.

License Terms: These license terms, any attached documents, and any subsequent additions or amendments.

License Fee: The fee paid by the Licensee for access to the Licensed Material.

License Period: The time during which the license is active and valid, and the Licensee has the right to use the Licensed Material.

Agreement Period: The period during which the Agreement between Licensee and Licensor is valid.

Account: The end-user’s account in the system, consisting of individual usernames, passwords, and other personal information for accessing and using the system.

Content: Media elements published in the System by the user and/or end-user.

User Content: Content uploaded or submitted to the System by the User or End-User, including drawings, photographs, videos, comments, exercise descriptions, and other media.

Media Elements: All content in the system, including but not limited to text, drawings, photos, videos, sounds, image elements, printed materials, and online electronic documentation.

ExorLive System / System: The ExorLive™ online software, including but not limited to user interfaces, API interfaces, software, media elements, and related information, whether presented in specific or non-specific formats, on websites owned by ExorLive or third parties, on mobile and tablet devices.

System Keys: The combination of username and password that grants the Licensee access to the System.

Users:

  • Professional Users: Healthcare professionals, physiotherapists, personal trainers, or other specialists using the System to create training or rehabilitation programs for clients or patients.
  • Organizations or Companies: Fitness centers, clinics, training facilities, or other organizations using the service for their members or employees.

End-Users: Patients, citizens, or clients accessing and using the System for personal or professional purposes, such as training or rehabilitation, with or without a user account.

2. Access

Only the User(s) whom the Licensor has granted to the Licensee in accordance with the Agreement are entitled to use the Licensed Product. A user may only log in to the Licensed Product from one device at a time, unless otherwise specifically agreed.

If the Licensee is a company, public or private institution, organization, etc., the Licensee may not, unless otherwise agreed, grant employees other than the User(s) to whom the Licensor has issued user access, access to the Licensed Product via online services, internet, or intranet, nor in any other way disclose the user access credentials issued by the Licensor to other employees.

3. Right of Use to the Licensed Product

By accepting the License Terms and by paying the license fees associated with the license, the Licensee obtains a time-limited, non-transferable, and non-exclusive right to use the Licensed Product as well as any later updates of the Licensed Product in accordance with the License Terms.

The license allows the user to, among other things, create, print, and use an unlimited number of copies of the contents of the ExorLive system (hereinafter "the System"), including documentation, provided that such copies are used exclusively for personal purposes and not published or distributed (either in paper form or electronic format).

The Licensed Product or any part thereof may not be disclosed or otherwise made available to any third party. However, the Licensee may grant end users access to ExorLive-Go, training programs, or similar programs, to which the Licensee holds a License under the Agreement.

4. Compliance with License Terms

The Licensee is obliged to ensure that its Users are informed about and comply with the License Terms and respect the Licensor's intellectual property rights, including copyrights.

The Licensor continuously monitors compliance with the License Terms. Should the Licensor have reasonable grounds to believe that the Licensee is violating the License Terms, the Licensee must, on request from the Licensor, provide a written explanation of matters relevant to assessing whether the License Terms have been breached. The Licensee is always responsible for ensuring that its Users use the Licensed Product in accordance with the License Terms. Use of the Licensed Product in violation of the License Terms shall be regarded as a material breach that may result in termination of the Agreement.

5. Right of Withdrawal

If the Licensee is a consumer, the Licensee generally has 14 days to withdraw from the purchase of the Licensed Product in accordance with the Consumer Contracts Act. The Licensee acknowledges that any right of withdrawal ceases when the Licensed Product is put into use. The Licensee thus agrees that the right of withdrawal can only be exercised up until the time when use of the Licensed Product is initiated. If the Licensee is not a consumer, the Licensee does not have the right to withdraw from the purchase of the Licensed Product.

6. Updating and Modification of the Licensed Product

The Licensor is entitled to continuously upgrade, maintain, and update the Licensed Product as deemed necessary. Such maintenance and updates do not entail any restrictions or changes to the Licensee’s obligations towards the Licensor, nor does it grant the Licensee the right to claim remedies against the Licensor.

The Licensor is also entitled to make changes to the functionality of the Licensed Product, including removing and/or changing features as deemed necessary for delivering the best possible service to its customers. Such changes to the functionality of the Licensed Product also do not entail any restrictions or changes to the Licensee’s obligations to the Licensor, nor do they grant the Licensee any right to claim remedies against the Licensor.

However, changes and updates in accordance with this clause do not preclude the Licensee from pursuing remedies if the changes/updates are of such a material nature that the Licensed Product can be considered to have fundamentally changed character.

7. Rights to the Licensed Product

The Licensor, or any third party from whom the Licensor derives its rights, retains all copyrights and any other rights to the Licensed Product, including HTML code, text, images, or other media elements published in the System, and which the Licensee may access via ExorLive.

The Licensee must respect the Licensor’s rights, and the Licensee is liable without monetary limitation for violation of these rights, including unauthorized sharing of the Licensed Product with third parties.

The Licensee may not disrupt or alter any security mechanisms, including security codes, nor change or remove notices in the Licensed Product relating to rights, trademarks, product information, or similar.

Unless otherwise specifically agreed, the License does not include the following rights or permissions:

  • Sale, sublicensing, rental, leasing, broadcasting, posting, or any other form of distribution of any part of the System, or as part of a collection, to any third party for either commercial or non-commercial purposes, unless otherwise stated in this Agreement or provided by the System.
     
  • Any derived or indirect use outside the intended purpose of the System, including, but not limited to, producing results from the System using third-party software and accessing the System outside normal startup routines.
     
  • Any other attempts to use, access, or copy the source code or databases in the System, including, but not limited to, actions such as reverse engineering, reprogramming, decompiling, or disassembling the software.
     
  • Direct or indirect association, reference to, or affiliation with any other system, service, device, or activity related to ExorLive or the System, including, but not limited to, any media element, trademark, or design, regardless of whether they are registered or not.
     
  • Creation of indecent or offensive works, content, or output.

Content Uploaded by Customer

The System allows the User and End User to submit their own content to the System, including drawings, photographs, videos, comments, and descriptions of exercises.

The User and End User retain ownership of this user content. Upon uploading, the user content will by default only be available to Contacts and Instructors within the same organization.

The User can choose to make the User Content available globally in the System. In doing so, ExorLive and other Users of the System are granted a non-exclusive, transferable license to use, host, store, reproduce, modify, create derivative works, communicate, publish, perform publicly, display publicly, and distribute such content. ExorLive remains the owner of all exercise programs created by and within the System.

The Licensee and each User are obliged to ensure that the uploaded user content does not infringe any rights and that all necessary permissions to share the user content have been obtained from third parties.

The Licensor is not liable for loss, damage, or expenses resulting from uploading or use of user content, and upon entering into this License Agreement, the Licensee agrees to indemnify the Licensor against any claim that may be made by third parties in relation to infringement of third-party rights in relation to the user content.

The Licensor reserves the right to remove any content without notice and without cause if it is deemed to infringe third-party rights or otherwise not be in accordance with ExorLive’s guidelines.

8. Remediation

The Licensed Product is provided as-is, without any kind of warranty. The Licensor thus makes no warranty that operation of the Licensed Product or connection to the Licensed Product will be uninterrupted or error-free. The Licensor continually tests the Licensed Product, but cannot rule out that the Licensed Product—as with any software provided online—contains errors or inconveniences.

Such errors do not justify termination and do not entitle the Licensee to remediation or other remedies for breach. The same applies to content errors. The Licensor strives to continuously correct all errors and inconveniences in the Licensed Product but does not guarantee that all errors and inconveniences will be corrected.

9. Modification of the General Terms and Conditions

The Licensor may amend the License Terms at any time, with such changes to be communicated to the Licensee no later than 30 (thirty) days before the change takes effect, unless the change is necessary for ExorLive to comply with applicable law and a shorter notice period is necessary to ensure compliance with the law. The Licensor’s notice to the Licensee must specify the changes made.

If the Licensee does not wish to be bound by the amended License Terms, the Licensee must, before the change takes effect, notify the Licensor that the amended License Terms are not accepted. The Licensee must specify the reasons why the License Terms cannot be accepted. The Licensor will then consider the Agreement terminated, unless otherwise agreed.

If the Licensee has not notified the Licensor within 30 (thirty) days after the notice of the change that the change of License Terms cannot be accepted, the Agreement will continue in accordance with the amended License Terms.

10. Information

Collection of Non-Identifiable Data

The Licensee agrees that the Licensor may collect, use, and store statistical, technical, and other non-identifiable information collected in connection with system monitoring, analysis, improvement, and support programs.

The Licensor may only use this information to improve ExorLive’s systems or to provide customized services or technologies to the Licensee.

Collection of Personally Identifiable Information

In connection with the delivery of the Licensed Product, the Licensor will collect and process information about the Licensee, the User, and their patients/citizens/clients.

Unless otherwise expressly specified, the Licensor acts as a data processor and processes personal information on behalf of the Licensee, who is the data controller.

The Licensor is only a data controller for personal data entered into the System for its own employees and for its own projects.

Personal information is processed only to the extent necessary to deliver the Licensed Product, and only the information entered into the System by the User or End User is processed.

How and when ExorLive collects and processes personal information appears in ExorLive’s privacy policy and/or any applicable data processing agreement.

11. Security

The Licensor ensures that user-generated content is stored in a data environment that meets security requirements equivalent to those applicable to the storage of personal data.

12. Confidentiality

The Licensor ensures that access to user-generated content is granted only to those of the Licensor's employees for whom such access is necessary for the performance of their job functions with the Licensor. The Licensor also ensures that employees who are given access to user-generated content sign a confidentiality clause regarding the non-disclosure of knowledge obtained in connection therewith.

13. Disclaimer and Limitation of Liability

The Licensor is liable for product liability in accordance with those provisions of product liability law that cannot be waived by agreement, but disclaims product liability on any other basis.

Under no circumstances shall the Licensor be liable to the Licensee for indirect losses or consequential damages arising from the use of the Licensed Product, including but not limited to loss of operations, loss of expected profit, loss and/or recovery of data, loss of goodwill, as well as other forms of consequential damages. Furthermore, the Licensor is not liable to the Licensee for errors in the Licensee’s advice to third parties caused by defects or shortcomings in the Licensed Product.

The Licensor’s liability for damages under the Agreement can at most amount to a sum equivalent to three (3) months of license fees for the specific module that is the cause of the claim for compensation.

The Licensor disclaims any liability for loss or damage that can be attributed to the Licensee’s own connection to the Licensor’s service, including lack of connection, system downtime, etc. The same applies with regard to the Licensee’s other IT equipment, browser, software, etc.

In case of the Licensee’s breach of the License Terms, the Licensor, in addition to any claim for remuneration for unauthorized use of the Licensed Product, is entitled to compensation in accordance with the general rules of Norwegian law.

Specific to the purchase of the module: Assistant

The Licensee, including its staff, has the ability through ExorLive Assistant to adapt or modify training programs for the End User.

It is the responsibility of the Licensee to ensure that any changes to training programs are made with due consideration for the End User’s health condition and with appropriate professional care. The Licensor always recommends that changes to training programs be made in consultation with relevant professional personnel.

The Licensor assumes no responsibility for any personal injury or other damages that may arise as a result of such changes, regardless of the reason for the change. Any liability for damages resulting from changes made by the Licensee or its personnel rests solely with the Licensee.

Specific to the purchase of the module: Assistant Plus

When using ExorLive Assistant Plus, training programs are generated based on information entered by the Licensee or its staff via an automatic screening of an End User’s specific needs and/or condition. The Licensor assumes responsibility for the functionality of the System.

However, the entire responsibility for correct and appropriate customization and use of training programs generated via ExorLive Assistant Plus rests solely with the Licensee. It is the Licensee’s obligation to ensure that all information entered into the screening is correct, and that the developed training program is suitable and safe for the individual End User. The Licensor recommends that training programs always be professionally assessed before being put to use.

The Licensor cannot be held liable for any personal injuries or other damages that may arise as a result of the use of such training programs.

14. Force Majeure

Neither party shall be considered liable to the other under the Agreement for circumstances beyond that party’s control which, at the time of entering into the Agreement, could not reasonably have been foreseen or avoided or overcome, including but not limited to war and mobilization, civil unrest, natural disasters, strikes, lockouts, failure in the supply of raw materials, epidemics, pandemics, or other outbreaks of serious human disease, fire, damage to production equipment, interruption of general transportation, including energy supply, and import and/or export bans.

Circumstances affecting a party’s supplier are considered force majeure for that party if the supplier faces a similar obstacle, and the supplier could not have avoided or overcome it, even by using an alternative supplier.

 

Data Processing Agreement

This Data Processing Agreement (“Data Processing Agreement”) governs ExorLive AS’s processing of personal data on behalf of the customer in accordance with Article 28 of the General Data Protection Regulation (GDPR).

Parties

This Data Processing Agreement is entered into between:

Controller

The legal entity (the customer) that has purchased a license to and accepted the terms of use for the ExorLive system.

Processor

ExorLive AS
Org. No.: 985 542 597
Address: Hovfaret 4, 0275 Oslo, Norway

The Controller and the Processor are hereinafter individually referred to as a “Party” and collectively as the “Parties”.

Validity and Acceptance

This Data Processing Agreement enters into force upon the customer’s acceptance of ExorLive’s terms of use in connection with registration or purchase of a license to the ExorLive system.

This Data Processing Agreement forms an integral part of the agreement between the Parties and remains in effect for as long as the Processor processes personal data on behalf of the Controller.

If the Parties have entered into a separate, written Data Processing Agreement, such agreement shall prevail.

Documentation

The current version of the Data Processing Agreement is available on ExorLive’s website at all times.

The Controller may download a copy of the agreement at any time. A signed version may be provided upon request if required.

 

0. Definitions

  • Processing: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Data Protection Legislation: All applicable laws and regulations relating to the protection of personal data and privacy, including but not limited to the EU General Data Protection Regulation (GDPR), national data protection laws and implementing legislation.
  • Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Instruction: The written instructions specifying the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and any special requirements relating to the processing.
  • Log: The result of logging.
  • Logging: The continuous recording of information about the processing of personal data carried out under this Agreement, which can be linked to an identified or identifiable natural person.
  • Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • Data Subject: The identified or identifiable natural person to whom the personal data relates.
  • Third Country: A country that is not a member of the European Union (EU) or not part of the European Economic Area (EEA).
  • Sub-processor: A natural or legal person, public authority, agency or other body engaged by the processor as a subcontractor to process personal data on behalf of the controller.

1. Purpose

The provisions of this Data Processing Agreement set out the rights and obligations of the Processor when processing personal data on behalf of the Controller.

These provisions are intended to ensure that the Parties comply with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

These provisions do not relieve the Processor of obligations imposed by the GDPR or other applicable legislation.

2. The Controller’s rights and obligations

The Controller is responsible for ensuring that the processing of personal data is carried out in accordance with the GDPR, other applicable EU law, national legislation, and this Data Processing Agreement.

The Controller determines the purposes and means of the processing of personal data.

The Controller is responsible for ensuring that a valid legal basis exists for the processing of personal data that the Processor is instructed to carry out.

3. The Processor acts on instructions

The Processor shall process personal data only on documented instructions from the Controller, unless processing is required by Union or Member State law to which the Processor is subject.

Instructions may also be provided subsequently by the Controller during the course of processing, but such instructions must always be documented and retained in writing – including in electronic form – together with these provisions.

The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable EU or national legislation.

At the time of entering into this Data Processing Agreement, clear instructions for the processing are in place, as described in Section 4.

4. The Processor’s processing of personal data

4.1 General

The Processor processes personal data on behalf of the Controller in connection with the provision of the ExorLive system under the license agreement.

The Processor shall only process personal data to the extent necessary to fulfill the license agreement and in accordance with the Controller’s documented instructions.

The Processor shall not process personal data for its own purposes unless required by applicable law or expressly agreed between the Parties.

4.2 Processing instructions and categories of personal data

The Processor processes personal data in accordance with the Controller’s documented instructions as set out in this Agreement and in Appendix 1 (Processing Instructions).

Appendix 1 further specifies the purpose of the processing, the nature of the processing, categories of personal data, categories of data subjects, and the duration of the processing, and constitutes the binding instructions pursuant to Article 28(3) GDPR.

The Controller’s use, configuration, and administration of the system (including selection of functionality, access control, and settings) shall also be considered documented instructions.

The Processor shall only process personal data that the Controller registers, uploads, or otherwise makes available in the system, and shall not determine the purposes or means of the processing.

The processing may include both ordinary personal data and, depending on the Controller’s use of the system, special categories of personal data, including health data.

Any changes to the scope or nature of the processing shall be documented and shall be considered instructions from the Controller when confirmed in writing.

4.3 Geographical scope of processing and transfers to third countries

Processing and storage of personal data shall, as a general rule, take place within the EU/EEA.

If, in connection with the provision of services, the Processor uses sub-processors or group structures that may involve transfers of or access to personal data from countries outside the EU/EEA, such transfers shall be carried out in accordance with Chapter V of the GDPR and based on the Controller’s documented instructions.

In such cases, the Processor shall ensure that a valid transfer mechanism is in place, including the European Commission’s Standard Contractual Clauses (SCC 2021), a valid adequacy decision, including the EU–US Data Privacy Framework where applicable, and any supplementary measures based on a completed Transfer Impact Assessment (TIA).

Documentation of transfer mechanisms and any risk assessments shall be made available upon request.

4.4 Use of sub-processors

The Processor may engage sub-processors in accordance with Article 28(2) and (4) GDPR to fulfill its obligations under the license agreement and this Data Processing Agreement.

Upon entering into this Agreement, the Controller provides a general prior authorization for the use of the sub-processors listed in Appendix 3 (Sub-processors).

Appendix 3 specifies which sub-processors are used, the processing they perform, and any transfer mechanisms applicable where access from third countries occurs.

In the event of intended changes concerning the addition or replacement of sub-processors, the Processor shall notify the Controller in writing at least 30 days before such changes take effect.

The Controller may, within this period, object on reasonable and justified grounds relating to data protection or information security. If such objection is raised, the Parties shall in good faith seek to resolve the matter.

The Processor shall ensure, through contract or other legal means, that any sub-processor is subject to the same data protection obligations as set out in this Data Processing Agreement, including requirements regarding confidentiality, security, assistance, and deletion.

The Processor remains fully liable to the Controller for the performance of the sub-processor’s obligations.

Temporary and limited access to personal data in connection with technical maintenance or support shall be considered processing on behalf of the Controller and shall be subject to equivalent confidentiality and security obligations.

4.5 Requests from Public Authorities

The Data Processor shall not disclose personal data to public authorities, including police, tax authorities, or other governmental bodies, without prior written notice to the Data Controller, unless the Data Processor is legally prohibited from providing such notice—for example, in the case of a criminal investigation.

If the Data Processor receives a legally binding request for access to personal data, the Data Processor shall:

  • Document the request and retain copies of all related correspondence

  • Immediately inform the Data Controller with details of the request and its legal basis, unless prohibited from doing so under applicable law

  • Implement appropriate technical and organizational measures to safeguard the data subjects’ personal data and to minimize access

The Data Processor shall ensure that equivalent obligations are contractually imposed on any sub-processors.

5. Obligations of the Data Processor

 5.1 Assistance to the Data Controller

The data processor shall assist, taking into account the nature of the processing and to the extent possible, the data controller by appropriate technical and organisational measures in fulfilling the data controller’s obligation to respond to requests for exercising the data subjects’ rights under Chapter III of the GDPR.

Such assistance shall be provided on the basis of the documented instructions of the data controller and within the framework of the parties’ agreement.

The data processor shall assist the data controller to the extent necessary and proportionate, and only with regard to personal data and processing activities that the data processor actually processes on behalf of the data controller.

Furthermore, the data processor shall assist, taking into account the nature of the processing and the information available to the data processor, the data controller in ensuring compliance with the obligations under Articles 32–36 of the GDPR, including:

  • handling and notification of personal data breaches
  • communication of personal data breaches to data subjects
  • carrying out data protection impact assessments (DPIA)
  • prior consultation with the supervisory authority

Assistance under this clause shall be provided to the extent that the data controller does not have access to the relevant information and may be subject to additional fees if such assistance goes beyond the data processor’s standard functionality or agreed services.

5.2 Technical and Organisational Measures

The data processor shall at all times implement and maintain appropriate technical and organisational measures to ensure and demonstrate that processing is carried out in accordance with data protection regulations and this data processing agreement.

The measures shall ensure a level of security appropriate to the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of data subjects, cf. GDPR Article 32. This includes, inter alia, measures to:

  • ensure the confidentiality, integrity, availability, and resilience of personal data
  • prevent and detect unauthorised access, alteration, deletion, or disclosure
  • restore availability and access to personal data in the event of incidents
  • regularly test, assess, and evaluate the effectiveness of the security measures

The data processor shall continuously assess and update the security measures in light of technological developments, identified risks, and industry standards.

Documentation of implemented measures shall be made available upon request within the framework of the licence agreement and audit provisions.

The data processor operates in accordance with recognised information security standards and has implemented principles of data protection by design and by default.

6. Notification of Personal Data Breaches

he Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach.

The notification to the Data Controller must, where feasible, occur no later than 24 hours after the Data Processor becomes aware of the breach, to enable the Data Controller to comply with their obligation to report the breach to the competent supervisory authority pursuant to Article 33 of the GDPR.

The Data Processor shall assist the Data Controller in notifying the supervisory authority. This includes helping to compile the following information, which according to Article 33(3) must be included in the Data Controller’s report:

  1. the nature of the personal data breach, including, where possible, the categories and approximate number of affected data subjects and personal data records

  2. the likely consequences of the personal data breach

  3. the measures taken or proposed to be taken by the Data Controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects

Immediately after having reported the breach, the Data Processor shall provide the Data Controller with further information, including:

  • all relevant aspects of the breach known to the Data Processor, including the nature of the breach, affected categories, and the amount of personal data involved. Any new information discovered after the initial notification shall be provided to the Data Controller without delay

  • measures taken or proposed to be taken to prevent consequences and limit the scope of the personal data breach

Additionally, the Data Processor shall assist the Data Controller in assessing the impact on data subjects and evaluating the severity of the personal data breach.

The Data Processor undertakes to inform the Data Controller if it becomes aware that it is not complying with, or anticipates being unable to comply with, the requirements of the GDPR or this Data Processing Agreement, regardless of the reason. In such cases, the Data Controller may suspend any further processing of personal data.

7. Liability for the Processing

The Data Controller is responsible for ensuring that the personal data accessed by the Data Processor has been lawfully collected and is supported by a valid legal basis for processing.

The Data Controller bears the primary responsibility for the processing of personal data and for notifying the Data Processor if assistance is needed in accordance with Article 28 of the GDPR.

The Data Controller shall indemnify and hold harmless the Data Processor from all costs, expenses, damages, losses (including consequential damages), liabilities, and claims arising from third parties, provided that such circumstances are the result of the Data Controller’s violation of the GDPR or any of its obligations under this Agreement.

Liability for material or non-material damages to one or more data subjects shall be governed by the terms and guidelines of Article 82 of the GDPR.

The processor shall be liable for damages, fines or losses that can be attributed to its own acts or omissions constituting a breach of this Agreement or of applicable data protection legislation, including negligence in the implementation of appropriate technical and organisational measures.

The maximum liability of the Data Processor shall be governed by the terms of the license agreement and its conditions.

No limitation of liability shall apply in the event that the damage is caused by willful misconduct or gross negligence by either Party.

8. Security Audit

The data processor shall make available the information necessary to demonstrate compliance with GDPR Article 28 and this agreement.

As a general rule, the audit obligation is fulfilled by the data processor annually obtaining a relevant audit report and/or certification from an independent third party, which is made available to the data controller. Such documentation is considered sufficient to meet the data controller’s oversight needs, unless special circumstances indicate otherwise.

The data controller may request additional documentation if there is a concrete and justified reason to suspect a material breach of data protection regulations or this agreement.

If audit reports and available documentation are not deemed sufficient, the data controller may require an additional audit. Before such an audit is carried out, the parties shall agree in writing on the scope, method, duration, timing, and practical implementation. The audit shall:

  • be notified with at least 30 days’ written notice

  • be conducted during normal business hours

  • not disrupt the data processor’s operations

  • be limited to matters relevant to the processing of personal data

  • be conducted by an independent and qualified third party bound by confidentiality

  • be carried out at the expense of the data controller

The audit shall not provide access to other customers’ data, trade secrets, or security-critical information not relevant to the processing in question.

The right of inspection does not include physical locations or data centers operated by third parties. Documentation for such environments is provided through available third-party documentation.

If an audit reveals material non-compliance with this agreement or applicable data protection laws, the data processor shall, without undue delay, implement necessary corrective measures.
Nothing in this provision limits the statutory rights of supervisory authorities.

9. Confidentiality

The Data Processor shall only grant access to personal data processed on behalf of the Data Controller to individuals under its authority who are subject to the Data Processor’s instructions and who are bound by confidentiality or subject to an appropriate statutory duty of confidentiality - and only to the extent necessary. The list of individuals granted access shall be reviewed regularly. Based on this review, access shall be removed if it is no longer necessary, and the personal data shall no longer be accessible to those individuals.

The Data Processor shall, upon request from the Data Controller, be able to demonstrate that the individuals under its authority are bound by the above confidentiality obligations.

The duty of confidentiality applies to employees of the Parties as well as to sub-processors acting on behalf of the Parties in connection with the performance of this Data Processing Agreement and the License Agreement. Confidential information may only be transferred to sub-processors or third parties to the extent necessary for fulfilling this Data Processing Agreement and the License Agreement, provided such parties are subject to confidentiality obligations equivalent to those in this clause.

The confidentiality obligation shall remain in effect even after the termination of this Data Processing Agreement and the License Agreement. Employees or other individuals who cease working with either Party shall continue to be bound by confidentiality, even after termination of their roles, in accordance with the terms above. The confidentiality obligation shall remain in force for ten (10) years after termination of this Data Processing Agreement and the License Agreement, unless otherwise required by law or regulation.

10. Duration and termination of processing

Personal data shall be stored by the Processor for as long as the license agreement remains active and shall be processed in accordance with the Controller’s documented instructions. The Processor shall not delete personal data on its own initiative unless required by law, security considerations, or explicit instruction from the Controller.

The Processor’s processing of personal data on behalf of the Controller shall cease upon termination of the license agreement.

Upon termination of the license agreement, the Processor shall, without undue delay and no later than 90 days after the termination of the license relationship, delete the personal data unless the Controller has, within the same period, provided written instructions for return in accordance with Section 11.

During the period prior to deletion or return, personal data shall not be actively processed unless necessary to complete the return or to comply with legal obligations.

Prior to deletion, the Processor may anonymize personal data, provided that the anonymization is irreversible and carried out in accordance with applicable data protection legislation, such that the data can no longer be linked to an identified or identifiable natural person. Fully anonymized data shall not be considered personal data and may be retained for statistical, security, or documentation purposes.

11. Return of personal data

If the Controller provides written instructions to the Processor to return personal data upon termination of the license agreement, such return shall take place within 30 days of receipt of the request, unless otherwise agreed.

The return shall be carried out in a structured, commonly used, and machine-readable format. The standard format shall be CSV unless otherwise agreed between the Parties.

The Processor shall be entitled to reasonable compensation for assistance related to the return or disclosure of personal data beyond standard system functionality. Such assistance shall be invoiced in accordance with applicable rates.

Requests for alternative file formats, specific structuring, migration assistance, or adaptations to third-party systems shall be considered additional services and invoiced separately.

The Processor may only return personal data directly to the Controller or to a third party designated in writing by the Controller.

Appendix 1 – Information on the processing

1. Purpose

The purpose of the processing is to provide access to and operate ExorLive’s digital training and rehabilitation platform.

The processing enables the Controller to:

  • create and manage training and rehabilitation programs
  • provide end users with access to digital training programs
  • document, monitor, and evaluate training processes
  • manage user accounts and access control
  • ensure logging and traceability

2. Nature of the processing

The processing consists of:

  • collection
  • registration
  • structuring
  • storage
  • making available
  • transfer
  • deletion
  • analysis

3. Categories of personal data

May include:

  • identification data (name, date of birth)
  • contact data (email, phone)
  • usage data and log data
  • training and rehabilitation data
  • health data (depending on customer use)
  • uploaded images and videos

The Processor only processes data that is registered by the Controller.

4. Categories of data subjects

  • employees
  • patients / clients / members / citizens
  • end users of training programs

5. Automated processing and AI functionality

The ExorLive platform may include features that use automated processing, including artificial intelligence (“AI features”), as support tools for users.

AI features generate suggestions or other supporting content based on information entered into the system by the Controller or its users. Outputs generated by AI features are for guidance only and must always be reviewed and, where necessary, adjusted by a qualified professional.

AI features process only information that the Controller or its users actively enter into the system (including free-text fields). The Processor has no control over the information entered, and the Controller is responsible for ensuring that personal data is not entered in violation of applicable data protection legislation.

The Processor processes personal data via AI features solely on behalf of and in accordance with the instructions of the Controller, in accordance with this Data Processing Agreement and Article 28 of the GDPR.

The Controller may disable AI features at any time in the system’s administrative settings.

Further information about ExorLive’s use of AI, including technical functionality, security measures, and compliance with applicable regulations, is available in ExorLive’s documentation:

ExorLive AI – General Information

Detailed documentation for individual AI features is available in ExorLive’s user documentation and support portal.

The Processor may introduce new AI features on an ongoing basis. Such features shall be subject to this Agreement and the Controller’s instructions unless otherwise specifically agreed.

6. Duration

The processing shall continue for as long as the license agreement remains active. The Controller may, if desired, configure settings for ongoing deletion directly in the administration panel.

Upon termination, the deletion rules set out in the main agreement shall apply.

Appendix 2 – Technical and organizational measures

1. Certifications and management system

The Processor maintains a management system for information security and data protection. The Processor is certified under ISO 27001 and ISO 13485. Certifications can be documented upon request.

2. Organization, roles, and policies

The Processor has defined roles, responsibilities, and authorities for information security and data protection. A Data Protection Officer (DPO) is involved in relevant matters and in the handling of security incidents. The Processor has established and management-approved policies and procedures for the processing of personal data, which are communicated to relevant employees.

3. Confidentiality and training

Employees and others acting under the Processor’s authority who have access to personal data are subject to confidentiality obligations.

The Processor provides training in information security and data protection upon onboarding and regularly thereafter, including training on current threats such as phishing and social engineering, as well as handling of security and personal data incidents.

4. Access control and authentication

Access to systems and personal data is granted based on role and need-to-know principles (least privilege). Access is based on individual authentication, and multi-factor authentication is used where relevant. Access rights are regularly reviewed and revoked when no longer needed.

5. Logging and traceability

The Processor maintains logs to the extent necessary to ensure traceability and security. Logging includes relevant events related to authentication, administrative actions, and changes to system configuration and/or processing of personal data.

Log data is protected against unauthorized modification and handled in accordance with internal retention and deletion policies.

6. Security of systems, devices, and networks

The Processor uses security mechanisms to prevent, detect, and manage unauthorized access and malicious activity, including update and patch management, malware protection, and network security.

Critical security updates are handled without undue delay. Remote access for administration or maintenance is conducted via secure connections and subject to access control.

7. Encryption

The Processor uses encryption where necessary to ensure an appropriate level of security, including when transferring confidential and/or special categories of personal data over external communication channels.

Encryption solutions and key management are governed by internal policies and updated as necessary.

8. Data separation

Customer data is logically separated from other customers’ data.

9. Development, testing, and change management

The Processor has established change management procedures to ensure that changes are authorized, tested, and approved before implementation.

Test and development environments are separated from production environments. The Processor follows the principles of privacy by design and privacy by default.

10. Backup, recovery, and continuity

The Processor performs regular backups and maintains recovery procedures.

The Processor has contingency procedures to restore availability and access in case of operational disruptions and regularly tests and evaluates these procedures.

11. Management of security and personal data incidents

The Processor has procedures to detect, manage, document, and follow up on security and personal data incidents, including procedures supporting notification obligations under GDPR Articles 33 and 34.

12. Sub-processors

The Processor assesses the security level and suitability of sub-processors prior to engagement and ensures that they are subject to equivalent obligations as set out in this Data Processing Agreement.

The Processor monitors sub-processors in accordance with internal procedures.

13. Changes to measures

The Processor may further develop and modify security measures during the term of the Agreement, provided that the overall level of security is not reduced.

Appendix 3 – Sub-processors

This Appendix constitutes the current list of sub-processors used by the Processor in accordance with Section 4.4 of the Data Processing Agreement.

The Controller grants a general prior authorization to the use of the sub-processors listed in this Appendix upon entering into the Data Processing Agreement.

1. Sub-processors

1.1 Microsoft Ireland Operations Ltd

Attn: Data Protection
Carmenhall Road
Sandyford, Dublin 18
Ireland

Purpose:

Provision of cloud infrastructure and storage of personal data.

Processing location:

EU/EEA

Third country transfers:

May occur due to group structure or remote support. Transfers shall be carried out in accordance with Chapter V of the GDPR based on a valid transfer mechanism, including the European Commission’s Standard Contractual Clauses and/or a valid adequacy decision.

1.2 Atlassian (used via cloud infrastructure in the EU/EEA)

Atlassian via Amazon Web Services
(Processing takes place via data centers located within the EU/EEA)

Purpose:

Support and ticketing system for handling customer inquiries.

Processing location:

EU/EEA

Third country transfers:

May occur due to group structure or support access. Transfers shall be carried out in accordance with Chapter V of the GDPR based on a valid transfer mechanism, including the European Commission’s Standard Contractual Clauses and/or a valid adequacy decision.

2. Transfer mechanisms for third country transfers

Where processing or access involves transfer of personal data to third countries, the Processor shall ensure that a valid transfer mechanism is in place in accordance with Chapter V of the GDPR.

This may include:

  • The European Commission’s Standard Contractual Clauses (SCC 2021)
  • A valid adequacy decision
  • The EU–US Data Privacy Framework (where applicable)

Documentation of transfer mechanisms shall be made available upon request.

3. Changes to sub-processors

In the event of planned changes to sub-processors, the procedure set out in Section 4.4 of the Data Processing Agreement shall apply.

An updated list of sub-processors will at all times be made available through written communication to customers.

 

***

Link to v1: Data Processing Agreement valid before 23.3.2026.

Articles in this section

See more