Our Terms of Service was last updated on September 19, 2022.
These Terms of Service (Terms) govern your use of ElephantSQL (the Service) provided by 84codes AB. The Terms also incorporate 84codes’ Data Processing Agreement (Exhibit 1) and Program Policies (Exhibit 2).
All capitalized Terms used in these Terms of Service, but not defined in the ElephantSQL Customer Agreement or other agreement with us governing your use of the Services (the “Agreement”), shall have the meanings given to them below:
Application: means the Product/Service that is built by you by using the Service.
Content: means all information (such as data files, written text, computer software, music, audio files or other sounds, photographs, videos or other images) to which you may have access as part of, or through your use of, the Service.
Customer: means the individual or company using the Service provided by 84codes AB.
Customer Data: means the data that the Data Controller enters into the Service provided by the Data Processor.
Data Controller: means the entity which determines the purposes and means of the Processing of Personal Data.
Data Processor: means the entity which Processes Personal Data on behalf of the Data Controller.
GDPR: Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Personal Data: means any Customer Data relating to an identified or identifiable individual, to the extent that such information is protected as Personal Data under applicable Data Protection Laws.
Processing or Data Processing: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Security Incident: means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the unauthorized or accidental destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
Service or Service Offering: means the Service provided by 84codes AB that is the base of the Contract.
Subprocessor: means a third-party Data Processor engaged by the Data Processor, who has or potentially will have access to or process the Data Controller’s Data under this DPA for the provision of Services.
Terms: means the Terms of Service for the Service Offering.
Your/Yours: means the entity contracting for the Service.
Your use of the Service is governed by this agreement (the Terms). "84codes AB" means 84codes AB, with VAT number SE556898078201, and its subsidiaries or affiliates involved in providing the Service.
By using the Service, you agree to these Terms of Service and the Data Processing Agreement (Exhibit 1) and Program Policies (Exhibit 2), which are incorporated herein. Included is a link to our Privacy Policy, which addresses how we handle your information.
You may not use the Service if you are a person banned from receiving the Service under the laws of Sweden, or other countries including the country in which you are resident or from which you use the Service. You affirm that you are over the age of 13, as the Service is not intended for children under 13.
If you are accepting these Terms and use the Services on behalf of a company, organization, government, or other legal entity, you represent and warrant that you are authorized to do so and have the full legal capacity to bind such entity.
Additional instructions or Terms (if any) outside the scope of these Terms of Service require a prior written agreement between 84codes AB and the Customer. An agreement on any additional fees payable by the Customer to 84codes AB for carrying out further instructions and/or Terms must also be established.
You must provide accurate and complete registration information anytime you register to use the Service. You are responsible for the security of your passwords and for any use of your account. If you become aware of any unauthorized use of your password or your account, you agree to notify 84codes AB immediately.
Your use of the Service must comply with all applicable laws, regulations, and ordinances, including any laws regarding the export of data or software, including but not limited to GDPR. You agree not to use the Service in, including but not limited to, the design, development, production, or use of missiles or the design, development, production, stockpiling, or use of chemical or biological weapons.
You agree not to (a) access (or attempt to access) the administrative interface of the Service by any means other than through the interface that 84codes AB provides in connection with the Service, unless you have been specifically allowed to do so in a separate agreement with 84codes AB, or (b) engage in any activity that interferes with or disrupts the Service (or the servers and networks which are connected to the Service).
Notification(s) of information concerning the Data Processing or Security Incidents (if any) will be sent to the Customer’s registered team notification email address and GDPR responsible’s email address (if any). It is the Data Controller’s sole responsibility to ensure that it maintains accurate contact information on the Service’s management console and secure transmission at all times.
Notification(s) of information concerning the Customer’s account will be sent to the Customer’s registered team notification email address. It is the Customer’s sole responsibility to ensure that the Customer maintains accurate contact information on the service management console and secure transmission at all times.
You agree to comply with the Service’s Program Policies in Exhibit 2, attached hereto and which is incorporated herein by this reference and which may be updated from time to time.
For Personal Data, which is processed or stored through your use of the Service, you are the Data Controller (or the Data Processor, depending on the relationship you have with your customer). Concerning such Personal Data that is processed on your behalf, 84codes AB is responsible as the Data Processor (or the Subprocessor, depending on the relationship you have with your customer).
If you are a Data Controller (or a Data Processor, depending on the relationship you have with your customer) of data belonging to individuals within the European Union, Processing of Personal Data pursuant to Section 3.2 above shall be subject to the Data Processing Agreement (DPA), which is attached hereto, as Exhibit 1, and incorporated herein.
You agree that you will protect the privacy and legal rights of the users of your Application. You must provide a legally adequate privacy policy and protection for those users.
Subject to the Terms, the Service is provided to you without charge up to certain limits. Usage over this limit (overage usage) requires your purchase of additional resources or Services. 84codes AB may change its fees and payment policies for the Service by notifying you at least fifteen (15) days before the beginning of the billing cycle in which such change will take effect.
You are responsible for providing accurate payment details. For all purchased resources and Services, 84codes AB provides two main payment options: credit card and wire transfers (an administrative fee of $9/invoice is added to invoices paid with this payment option). If you need to purchase our service via a PO, please contact billing@elephantsql.com.
84codes AB’s billing is pro-rated, meaning that the Customer only pays for the time the Service has been available to them and that the payment is made the month after the delivery of the service. An invoice is generated at the beginning of each month and concerns the usage period of the previous month.
You acknowledge and agree that 84codes AB may share any credit card and related billing and payment information that you provide to 84codes AB with companies who work on 84codes AB’s behalf, such as payment processors and/or credit agencies, solely to check credit, and effecting payment to 84codes AB. Your credit card data will be shared with and stored by our PSP, BlueSnap. BlueSnap will act as a Data Controller of that data. Read more here: https://home.bluesnap.com/legal/#gdpr.
If the Customer has chosen to pay via credit card, 84codes AB will automatically charge the card after the invoice is generated. You are responsible for having a balance that covers the invoice amount when your credit card is charged. The payment is due within fifteen (15) days from the invoice date.
If the Customer has chosen to pay through wire transfers, the invoice shall be paid within fifteen (15) days from the invoice date, according to our payment term NET15.
Accounts with failed charges and outstanding invoices will receive an email about this matter to their registered billing email when an invoice has passed its due date. The Customer is therefore responsible for providing 84codes AB with correct and updated contact information. 84codes AB reserves the right to discontinue the provision of the Service to you for any late payments. Late payments may also bear interest at a rate of the Swedish base rate (Sw. referensränta) plus eight (8) percentage points.
Charges to customers within the EU include taxes. Companies acting within the EU shall provide 84codes AB with their VAT number upon registration to get the VAT fee deducted from their invoices in line with the reverse charge rule. For customers outside the EU, charges are exclusive of taxes. You are responsible for paying all taxes and government charges, and all reasonable expenses and attorney’s fees 84codes AB incurs collecting late amounts.
To the fullest extent permitted by law, refunds (if any) are at the discretion of 84codes AB, and only in the form of credit for the Service. Nothing in these Terms obligates 84codes AB to extend credit to any party.
To the fullest extent permitted by law, you waive all claims relating to charges unless claimed within sixty (60) days after the payment (this does not affect your credit card issuer rights). Charges are solely based on 84codes AB's measurements of your use of the Service unless otherwise agreed to in writing.
You may not create multiple accounts to simulate or act as a single account or otherwise access the Service in a manner intended to avoid incurring fees.
You understand that all information (such as data files, written text, computer software, music, audio files or other sounds, photographs, videos, or other images) to which you may have access as part of, or through your use of, the Service are the sole responsibility of the person from which such Content originated. All such information is referred to below as the "Content". The term Content shall specifically exclude the Application that you create by using the Service and any source code written by you to be used with the Service (collectively, the "Application").
84codes AB reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from the Service. You agree to immediately take down any Content that violates the Program Policies, including pursuant to a take-down request from 84codes AB. If you elect not to comply with a request from 84codes AB to take down certain Content, 84codes AB reserves the right to take down such Content directly or to disable the Service.
If you become aware of any violation of the Program Policies by an end-user of the Application, you shall immediately terminate such end-user's account on your Application. 84codes AB reserves the right to terminate end-users of 84codes AB accounts or disable the Service in response to a violation or suspected violation of the Program Policies, as outlined in Section 5.2.
You agree that you are solely responsible for (and that 84codes AB has no responsibility to you or any third party for) the Application or any Content that you create, transmit, or display while using the Service and for the consequences of your actions (including any loss or damage which 84codes AB may suffer) by doing so.
You agree that 84codes AB has no responsibility or liability for the deletion or failure to store any Content and other communications maintained or transmitted through the use of the Service. You further acknowledge that you are solely responsible for securing and backing up your Application and any Content.
You acknowledge and agree that 84codes AB (or 84codes AB's licensors) owns all legal right, title and interest in and to the Service, including any intellectual property rights which exist in the Service (whether those rights happen to be registered or not, and wherever in the world those rights may exist).
Unless you have agreed otherwise in writing with 84codes AB, nothing in the Terms gives you a right to use any of 84codes AB's trade names, trademarks, Service marks, logos, domain names, and other distinctive brand features.
Except as provided in Section 8, 84codes AB acknowledges and agrees that it obtains no right, title, or interest from you (or your licensors) under these Terms in or to any Content or the Application that you create, submit, post, transmit or display on, or through, the Service, including any intellectual property rights which subsist in that Content and the Application (whether those rights happen to be registered or not, and wherever in the world those rights may exist). Unless you have agreed otherwise in writing with 84codes AB, you agree that you are responsible for protecting and enforcing those rights and that 84codes AB has no obligation to do so on your behalf.
During the term of this Agreement, Customer may access and use 84codes AB's Service. 84codes AB retains all right, title, and interest in and to the Service, including without limitation all software included in and used to provide the Service and all logos and trademarks reproduced through the Service. This Agreement does not grant Customer (a) any right to reproduce, modify, distribute, or publicly display or perform the software included in the Service or (b) any other right to the Service not specifically set forth herein.
Open-source software licenses for components of the Service released under an open-source license constitute separate written agreements. To the limited extent that the open-source software licenses expressly supersede these Terms, the open-source licenses govern your agreement with 84codes AB to use the components of the Service released under an open-source license.
84codes AB claims no ownership or control over any Content or Application. You retain copyright and any other rights you already hold in the Content and/or Application, and you are responsible for protecting those rights, as appropriate. By submitting, posting or displaying the Content on or through the Service you give 84codes AB a worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute such Content for the sole purpose of enabling 84codes AB to provide you with the Service in accordance with its Privacy Policy. Furthermore, by creating an Application through use of the Service, you give 84codes AB a worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute such Application for the sole purpose of enabling 84codes AB to provide you with the Service in accordance with its Privacy Policy.
You agree that 84codes AB, in its sole discretion and with a prior written notice, may use your trade names, trademarks, Service marks, logos, domain names, and other distinctive brand features in presentations, marketing materials, customer lists, financial reports, and website listings (including links to your website) for the purpose of advertising or publicizing your use of the Service.
84codes AB is continuously innovating to provide the best possible experience for its users. You acknowledge and agree that the form and nature of the Service which 84codes AB provides may change from time to time without prior notice to you. Changes to the form and nature of the Service will be effective with respect to all versions of the Service; examples of changes to the form and nature of the Service include without limitation changes to fee and payment policies, security patches, added functionality, and other enhancements.
You may terminate these Terms at any time by canceling your account of the Service. You will not receive any refunds if you cancel your account.
You agree that 84codes, in its sole discretion, may terminate these Terms or suspend your access to your account at any time, for any or no reason, including in the event of your actual or suspected unauthorized use or overage usage of the Service, or non-compliance with these Terms. If 84codes AB terminates your use of the Services for reasons other than unauthorized use or non-compliance with these Terms (including the Program Policies) 84codes AB will notify you in advance. You agree that any termination of your access to the Service may be without prior notice, when and if 84codes AB, in its sole discretion, deems it to be unauthorized use or non-compliance with these Terms (including the Program Policies), and you agree that 84codes AB will not be liable to you or any third party for such termination.
You are solely responsible for exporting your Customer Data and Content from the Service prior to termination of your account for any reason, provided that if we terminate your account, we will make reasonable efforts to permit you to retrieve your Service(s) for a reasonable period of time.
Upon any termination of the Service or your account these Terms will also terminate, but Sections 6.1, 10, 11, 12, 14, and 15 shall continue to be effective after these Terms are terminated.
YOU EXPRESSLY UNDERSTAND AND AGREE THAT YOUR USE OF THE SERVICE IS AT YOUR SOLE RISK AND THAT THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE." 84CODES AB, ITS SUBSIDIARIES AND AFFILIATES, AND ITS LICENSORS MAKE NO EXPRESS WARRANTIES AND DISCLAIM ALL IMPLIED WARRANTIES REGARDING THE SERVICE INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, 84CODES AB, ITS SUBSIDIARIES AND AFFILIATES, AND ITS LICENSORS DO NOT REPRESENT OR WARRANT TO YOU THAT: (A) YOUR USE OF THE SERVICE WILL MEET YOUR REQUIREMENTS, (B) YOUR USE OF THE SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE OR FREE FROM ERROR, AND (C) USAGE DATA PROVIDED THROUGH THE SERVICE WILL BE ACCURATE.
SUBJECT TO SECTION 10.1 ABOVE, YOU EXPRESSLY UNDERSTAND AND AGREE THAT 84CODES AB, ITS SUBSIDIARIES, AND AFFILIATES, AND ITS LICENSORS SHALL NOT BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE SERVICES, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE. THIS SHALL INCLUDE, BUT NOT BE LIMITED TO, ANY LOSS OF PROFIT OR REVENUE (WHETHER INCURRED DIRECTLY OR INDIRECTLY), LOSS OF ANTICIPATED SAVINGS, ANY LOSS OF GOODWILL OR BUSINESS REPUTATION, ANY LOSS OF DATA SUFFERED, INTERRUPTION OF BUSINESS, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR OTHER INTANGIBLE LOSS. THE FOREGOING DISCLAIMER IN THIS PARAGRAPH SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY LAW IN THE APPLICABLE JURISDICTION.
THE LIMITATION OF LIABILITY IN PARAGRAPH 11.1 ABOVE SHALL APPLY WHETHER OR NOT 84CODES AB HAS BEEN ADVISED OF OR SHOULD HAVE BEEN AWARE OF THE POSSIBILITY OF ANY SUCH DAMAGES.
IN THE EVENT THAT, NOTWITHSTANDING THE FOREGOING, 84CODES AB OR ITS AFFILIATES IS FOUND LIABLE TO YOU FOR DAMAGES FROM ANY CAUSE WHATSOEVER, AND REGARDLESS OF THE FORM OF THE ACTION, IN NO EVENT WILL 84CODES AB’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE LESSER OF: SUPPLYING OF THE SERVICES AGAIN, OR THE PAYMENT OF THE COST OF HAVING THE SERVICES SUPPLIED AGAIN, OR REFUND OF 50% OF FEES ACTUALLY PAID FOR THE SERVICE IN THE MONTH PRECEDING THE APPLICABLE CLAIM GIVING RISE TO LIABILITY. MULTIPLE CLAIMS WILL NOT EXPAND THIS LIMITATION. THE FOREGOING DISCLAIMER SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY LAW IN THE APPLICABLE JURISDICTION. YOU AGREE THAT 84CODES AB’S LIABILITY TO YOU AT LAW WILL BE REDUCED BY THE EXTENT, IF ANY, TO WHICH YOU CONTRIBUTED TO THE DAMAGE OR LOSS. THE PARTIES ACKNOWLEDGE THAT THE LIMITATIONS SET FORTH IN THIS SECTION ARE INTEGRAL TO THE AMOUNT OF FEES CHARGED IN CONNECTION WITH PROVIDING THE SERVICES TO YOU, AND THAT IF 84CODES WERE TO ASSUME ANY FURTHER LIABILITY OTHER THAN AS SET FORTH HEREIN, SUCH FEES WOULD OF NECESSITY BE SET SUBSTANTIALLY HIGHER.
You agree to hold harmless and indemnify 84codes AB, and its subsidiaries, affiliates, officers, agents, employees, advertisers, licensors, suppliers, or partners, (collectively "84codes AB and Partners") from and against any third party claim arising from or in any way related to (a) your breach of the Terms, (b) your use of the Service, (c) your violation of applicable laws, rules or regulations in connection with the Service, or (d) your Content or your Application, including any liability or expense arising from all claims, losses, damages (actual and consequential), suits, judgments, litigation costs and attorneys' fees, of every kind and nature. In such a case, 84codes AB will provide you with a written notice of such claim, suit or action.
The Service may include hyperlinks to other websites or Content or resources or email Content. 84codes AB may have no control over any web sites or resources which are provided by companies or persons other than 84codes AB.
You acknowledge and agree that 84codes AB is not responsible for the availability of any such external sites or resources, and does not endorse any advertising, products or other materials on or available from such websites or resources.
You acknowledge and agree that 84codes AB is not liable for any loss or damage which may be incurred by you or users of your Application as a result of the availability of those external sites or resources, or as a result of any reliance placed by you on the completeness, accuracy or existence of any advertising, products, or other materials on, or available from, such websites or resources.
84codes AB may make changes to the Terms from time to time. If we change the Terms in any substantial way, we will give you at least thirty (30) days’ notice before the changes take effect, during which period of time you may reject the changes by terminating your account.
You understand and agree that if you use the Service after the date on which the Terms have changed, 84codes AB will treat your use as acceptance of the updated Terms.
On May 25, 2018, new legislation regarding the collection and use of Personal Data entered into force. The Swedish Personal Data Act and Directive 95/46/EC were replaced by Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 (GDPR).
The Terms constitute the legal agreement between you and 84codes AB and govern your use of the Service (but excluding any Services which 84codes AB may provide to you under a separate written agreement), and completely replace any prior agreements between you and 84codes AB in relation to the Service.
There are no third-party beneficiaries to these Terms. The parties are independent contractors, and nothing in these Terms creates an agency, partnership or joint venture.
If 84codes AB provides you with a translation of the English language version of these Terms, the English language version of these Terms will control if there is any conflict.
You agree that 84codes AB may provide you with notices, including those regarding changes to the Terms, by email, regular mail, or postings on the Service on the sole ground of providing you with the Service.
You agree that if 84codes AB does not exercise or enforce any legal right or remedy which is contained in the Terms (or which 84codes AB has the benefit of under any applicable law), this will not be taken to be a formal waiver of 84codes AB's rights and that those rights or remedies will still be available to 84codes AB.
You acknowledge and agree that 84codes AB may provide information to third parties in response to valid legal processes, such as subpoenas, search warrants, and court orders, or to establish or exercise its legal rights or defend against legal claims. 84codes AB shall not be liable for any use or disclosure of such information by such third parties.
84codes AB shall not be liable for failing or delaying performance of its obligations resulting from any condition beyond its reasonable control, including but not limited to governmental action, acts of terrorism, earthquake, fire, flood, or other cases of force majeure, labor conditions, power failures, and Internet disturbances.
The Terms, and your relationship with 84codes AB under the Terms shall be governed by the laws of Sweden without regard to its conflict-of-law provisions. You and 84codes AB agree to submit to the exclusive jurisdiction of the courts located within Sweden to resolve any legal matter arising from the Terms. Notwithstanding this, you agree that 84codes AB shall still be allowed to apply for injunctive remedies (or an equivalent type of urgent legal relief) in any jurisdiction.
This Data Processing Agreement (the "DPA") is an exhibit to the Terms of Service (hereinafter referred to as Contract). It is incorporated therein, agreed between the Data Controller and the Data Processor in connection with registration for the Service. It regulates in detail the measures for processing personal related data under commission.
Our DPA was last updated on September 19, 2022.
Unless otherwise defined in the Terms, all capitalized terms used in this DPA shall have the meaning given to them below:
Additional Instructions: means any instructions from Data Controller to the Data Processor which have not been fixed in this DPA upon its execution.
Applicable Data Protection Law: means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) which is incorporated into the Swedish law.
Data Controller: means the entity which determines the purposes and means of the Processing of Personal Data.
Data Processor: means 84codes AB, reg.no. 556898-0782 and its wholly-owned affiliates, which is the entity that Processes Personal Data on behalf of the Data Controller.
Data Subject: means an identified or identifiable individual, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an ID number, location data, an online ID, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data: means any information relating to an identified or identifiable individual, to the extent that such information is protected as Personal Data under Applicable Data Protection Law.
Process or Processing: means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Security Incident: means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the unauthorized or accidental destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
Service or Service Offering: means the Service provided by 84codes AB that is the base of the Terms and this DPA.
Standard Contractual Clauses: means the standard contractual clauses issued pursuant to the European Commission Decision of February 5, 2010 on standard contractual clauses for the transfer of data to processors established in third countries under Directive 95/46/EC.
Subprocessor: means a third-party subcontractor engaged by the Data Processor which, as part of the subcontractor’s role of delivering the services, will Process Personal Data on behalf of the Data Controller.
Supervisory Authority: means an independent public authority that is established pursuant to GDPR Article 51. For example, Swedish Authority for Privacy Protection (IMY) "(Integritetsskyddsmyndigheten)", in Sweden.
Terms: The Terms of Service for the Service Offering.
Third Country: means a country or region outside the European Union ("EU") or the European Economic Area ("EEA").
You/Yours: means the entity contracting for the Service.
This DPA applies to the Data Processor’s Processing of Personal Data on behalf of the Data Controller. The Data Processor shall Process Personal Data as necessary to perform the Service pursuant to the Terms and as further instructed by the Data Controller in its use of the Service. This DPA regulates the measures to protect Personal Data according to Art. 28 of the GDPR.
The Personal Data Processed by the Data Processor under this DPA and details of the Processing is described in Appendix 1 ("Data Processing Instructions") attached to this DPA.
Additional Instructions or terms (if any) outside the scope of this DPA require a prior written agreement between Data Processor and the Data Controller. An agreement on any additional fees payable by Data Controller to the Data Processor for carrying out further instructions and/or terms must also be established.
The Data Controller shall be responsible within the framework of this DPA for complying with the Applicable Data Protection Law's legal provisions, particularly in relation to the allocation of Processing with respect to the Data Processor, and for the Processing itself.
The Data Controller has the right to give instructions to the Data Processor in the following subjects:
The instructions shall be written and at first be fixed in this DPA and Appendix 1. These instructions may subsequently be amended, supplemented, or replaced by written Additional Instructions of the Data Controller to the Data Processor. Additional Instructions (if any) need to be agreed upon beforehand as per section 1.3. 84codes will attempt to accommodate eventual Additional Instructions; however, nothing in this DPA shall require 84codes to change the terms of this DPA.
The Data Controller shall ensure that its instructions and usage of the Service comply with the Applicable Data Protection Law. The Data Controller’s instructions shall not cause the Data Processor to breach the Applicable Data Protection Law.
Notification(s) of information concerning the Processing or Security Incident (if any), will be delivered to the Data Controller’s registered team notification email address and GDPR responsible’s email address (if registered). It is the Data Controller’s sole responsibility to ensure that it maintains accurate contact information on the service management console and secure transmission at all times.
The Data Controller has the right to perform controls of the Data Processor's technical and organizational measures according to section 9 and as further described in Appendix 2 ("Technical and Organizational Measures") before starting the Processing, and to check them afterward in regular intervals. An independent auditor could also perform these controls on behalf of the Data Controller.
The Data Controller shall inform the Data Processor without delay when it notices any mistakes or irregularities while performing controls according to section 2.6. The Data Processor shall correct such errors or irregularities without delay.
If claims are placed on one of the contracting parties by a Data Subject in connection with any claim as per Art. 82 of the GDPR, the contracting party concerned shall notify the other party without undue delay. The contracting parties shall support one another in defending the claim.
The Data Processor ensures that, during the term of this DPA, it has implemented and further undertakes to comply with appropriate technical and organizational measures in such a manner that its Processing of Personal Data under this DPA will meet the requirements of Applicable Data Protection Law and ensure the protection of the rights of the Data Subject.
The Data Controller ensures that, during the term of this DPA, it has the proper legal basis for the Processing of Personal Data.
The Data Processor undertakes to only Process the Personal Data pursuant to the Data Controller's documented instructions and within the Service Offering's framework, unless in exceptional cases as per Applicable Data Protection Law. The Data Controller’s initial instructions to the Data Processor regarding the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects are set forth in this DPA and Appendix 1.
The Data Processor shall inform the Data Controller without undue delay if it discovers that an instruction of the Data Controller would violate the Applicable Data Protection Law. The Data Processor shall be authorized to interrupt this instruction's performance until it is confirmed or changed by the responsible person of the Data Controller.
For the Processing of Personal Data, the Data Processor shall apply all measures defined in this DPA.
The Data Processor shall produce and update a list of all categories of activities which it carries out on behalf of the Data Controller, including the compulsory specifications according to Art. 30 para. 2 of the GDPR as set out in Appendix 1.
The Data Processor shall not use the data for other purposes than specified by the Data Controller and shall not keep them any longer than the Data Controller has determined. The Data Processor may not generate copies or duplicates without knowledge of the Data Controller.
The Data Processor shall not view, access, edit, or use the Personal Data without specific permission, or when required to maintain the Service, or as necessary to comply with the law or binding order of the Supervisory Authority.
Processing by telecommuting is allowed for employees of the Data Processor. The Data Processor ensures that the Processing by telecommuting complies with required data protection measures, meaning that the data is protected against unauthorized access. This means, e.g., safe and encrypted end-to-end communication and no access possibility to IT-Systems for an unauthorized person in the home office.
Data for testing purposes will be kept closed until the Data Controller instructs the Data Processor to destroy, erase or block it in accordance with the data protection law or to return it to the Data Controller.
The Data Processor shall appoint the contact partner for the Data Controller for data protection questions arising within the framework of the Terms and this DPA.
The Data Processor is obliged to ensure that the persons authorized to Process the Personal Data have committed themselves to confidentiality in writing before taking up the activity. Furthermore, the Data Processor shall ensure that its associates are sufficiently informed on the regulations of the GDPR as well as on further relevant data protection requirements and are familiar with the instructions of the Data Controller. The Data Processor shall supervise the compliance of the data protection regulations.
The Data Controller shall be obliged to respect the confidentiality of all business secrets and data protection measures of the Data Processor which may be disclosed within the framework of the contractual relationship.
The confidentiality and integrity obligation shall continue to apply also after termination of the contractual relationship for a period of five (5) years.
The Data Processor shall without undue delay forward any request to the Data Controller from a Data Subject, Supervisory Authority or any other third party, who is requesting receipt of information regarding Personal Data that the Data Processor is Processing under this DPA. The Data Processor, or anyone working under the Data Processor’s supervision, shall not disclose Personal Data, or information about the Processing of Personal Data, without the Data Controller’s expressed instruction or as provided in this DPA, unless required by Applicable Data Protection Law. If the Data Processor is obliged to disclose Personal Data according to Applicable Data Protection Law, the Data Processor shall take all measures to ensure confidentiality in connection with the requested information and immediately inform the Data Controller accordingly, unless the Data Processor is prevented from doing so under Applicable Data Protection Law.
Considering the nature of the Processing, the Data Processor shall assist the Data Controller by taking appropriate technical and organizational measures insofar as this is possible, in observing its legal obligations in relation to the rights of Data Subjects under Applicable Data Protection Law. This includes, but shall not be limited to, the Data Controller’s obligation to respond to requests concerning the right of Data Subjects to receive information and, upon request by Data Subjects, rectify, block or erase Personal Data.
The Data Processor shall assist the Data Controller in fulfilling potential duties under Applicable Data Protection Law to enable data portability regarding Personal Data which the Data Processor is Processing under this DPA. The Data Processor and the Data Controller will agree as to what, if any, additional fees will be charged for this service.
The Data Processor shall inform the Data Controller of any inquiries from the Supervisory Authority concerning Processing of Personal Data under the DPA. The Data Processor is not entitled to represent the Data Controller or act on the Data Controller’s behalf in relation to Supervisory Authority.
The Data Processor may only subcontract Processing to third parties based on the Data Controller’s prior authorization, as required by Art 28.2 of the GDPR. Upon execution of this DPA, the Data Processor is granted general authorization to engage Subprocessors to fulfill its contractual obligations under this DPA or to provide specific services on its behalf, such as providing support services. The Subprocessors assigned by the Data Processor at the time of execution of this DPA are listed in Appendix 3 ("Subprocessors of the Data Processor") to this DPA. For the Subprocessors referred to in Appendix 3, specific authorization is granted by the Data Controller upon execution of this DPA.
When engaging a Subprocessor, the Data Processor shall ensure compliance with Art 28.2 and 28.4 of the GDPR. In particular, the Data Processor is responsible for ensuring that such Subprocessor provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing meets the requirements of Applicable Data Protection Law. The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Subprocessor(s) at least thirty (30) days before planned use of a new Subprocessor, thereby allowing the Data Controller the opportunity to object to the change. The Data Controller shall notify the Data Processor of such objection within ten (10) days of receiving the change notice. If the Data Controller makes an objection to such a change within ten (10) business days of receiving notice of the change, the Data Processor may not make the change unless granted specific written authorization by the Data Controller to make the change.
The Data Processor shall ensure by contract that the provisions fixed between the Data Controller and the Data Processor shall apply accordingly to the Subprocessor(s). Thus, the Data Processor shall enter into a written agreement with its Subprocessor(s). To the extent that the Subprocessor(s) performs the same Processing services that the Data Processor is providing under this DPA, the Data Processor will impose on the Subprocessor(s) the same contractual obligations that the Data Processor has under this DPA.
The Data Processor shall verify the Subprocessor’s compliance with the DPA when entering into a contract and regularly thereafter (or when necessary changes occur). The Data Processor shall document the results of these controls.
Subcontracting in the meaning of these provisions does not include any additional services ordered by the Data Processor from third parties to assist in the performance of the DPA, such as telecommunications services, maintenance or user support, cleaning, auditing, or the disposal of data media. To ensure the protection and security of the Data Controller’s data, the Data Processor must conclude adequate agreements that conform to the law, and undertake monitoring activities, when any additional services are taken from third parties.
Within the area of its responsibilities, the Data Processor shall organize the internal organization in a way to meet the special requirements of data protection. The Data Processor will take technical and organizational measures to adequately protect the data of the Data Controller by meeting the requirements of Art. 32 of the GDPR.
The technical and organizational measures shall ensure the confidentiality, integrity, availability, and resilience of the systems and services related to the Processing on a long-term basis. Measures must also be taken to restore the availability of Personal Data and access to them immediately after a physical or technical incident, and to use a procedure for the regular review of the effectiveness of the technical and organizational measures to ensure the safety of the Processing. The measures to be taken include the pseudonymization and encryption of Personal Data, to the extent that it is necessary to provide an appropriate security level. By agreeing to this DPA, the Data Controller verifies the Data Processor's technical and organizational measures as per enclosed Appendix 2, and these measures are confirmed as binding.
The Data Processor shall support the Data Controller in accordance with Art. 28 para. 3 e) of the GDPR as far as possible using appropriate technical and organizational protective measures to enable the latter to fulfill its existing obligations towards the Data Subject, as per section III of the GDPR. This may include the information and access provided to the Data Subject, the rectification or erasure and forgetting of data, the restriction of Processing and the right to data portability or object.
The Data Processor shall assist in compliance with Art. 28 para. 3 f) of the GDPR to establish a data protection impact assessment (DPIA) according to Art. 35 of the GDPR and, where applicable, in the prior consultation of the Supervisory Authorities according to Art. 36 of the GDPR.
The Data Processor shall authorize the Data Controller to inspect the Data Processor’s compliance with Applicable Data Protection Law as well as its compliance with the Data Controller’s instructions by the latter or by third parties, especially by requesting information and inspecting the storage of Personal Data and the Processing systems or by inspections of the Data Processor’s premises. The Data Processor shall ensure to support such inspections, if necessary. Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. The cost of such inspection and compliance review will be at the Data Controller's expense unless the inspection reveals material non-compliance.
The Data Processor shall provide the Data Controller with the necessary details and documents upon request and provide evidence of the implementation of technical and organizational measures. If the Data Controller requests some information that the Data Processor declines to provide, the Data Controller is entitled to terminate this DPA and the Terms.
The Data Processor shall immediately notify the Data Controller if the safety measures taken by the Data Processor differ from the requirements agreed upon, or if severe disturbances occur in the operating procedure, or in case of violations of Applicable Data Protection Law or the provisions made in this DPA by the Data Processor or the persons employed by it, as well as in the case of suspicion of data breaches as per section 11 below or irregularities in the processing of Personal Data.
The Data Processor will only undertake transfer of Personal Data to a Third Country upon a prior written request by the Data Controller. If the Data Controller requests such transfer, the Data Processor and/or Subprocessor who is Processing Personal Data in a Third Country shall ensure that such transfer and Processing complies with Applicable Data Protection Law and specifically Art. 44 to 50 of the GDPR, including but not limited to using the Standard Contractual Clauses. Prior to requesting the Data Processor to transfer Personal Data to a Third Country, the Data Controller will ensure that they have made the proper risk analysis as required by law.
For the avoidance of doubt, 84codes does not physically host any of the servers provided for the Service. Instead, data centers provided by external cloud platforms are used, which the Data Controller chooses itself when using the Service. These cloud platforms are listed as Subprocessors in Appendix 3.
84codes does not know what kind of Data the Data Controller is handling while using the Service. Employees of 84codes do not look at the Data Controller’s Data (unless we have a reason to believe that the Data Controller is interfering with our Program Policies), nor copy the Data to a server other than the one chosen by the Data Controller. All Data stored in the Service is stored until the Data Controller removes the data, either manually or by policies. Backups (where applicable) are deleted after 30 days.
The Data Processor and/or Subprocessor who is Processing Personal Data in a Third Country shall ensure that transfer and Processing of Personal Data to a Third Country is made in compliance with Applicable Data Protection Law and specifically Art. 44 to 50 of the GDPR, including the execution of the Standard Contractual Clauses.
The Data Processor provides the Data Controller the option to use the Service in a Third Country, including countries that may not provide adequate Personal Data protection according to the Applicable Data Protection Law. In this respect, the Data Controller is solely responsible for which data center and region(s) it chooses for the Service (i.e., where the Personal Data will be Processed). Once the Data Controller has made its choice, the Data Processor will not transfer the Personal Data from the Data Controller’s selected data center and region(s), unless upon explicit instruction from the Data Controller or except as described in section 5.1 of this DPA.
As set forth in Section 11.1, if the Data Controller selects a data center in a region of a Third Country, such selection will be made in reliance on the Standard Contractual Clauses currently in place with the Subprocessor providing the data center. The Data Processor shall assist the Data Controller in ensuring that the transfer of Personal Data based on such selection is in compliance with Applicable Data Protection Law and specifically Art. 44 to 50 of the GDPR. The Data Controller shall, without undue delay, notify the Data Processor of such selection, and the Data Processor shall support the Data Controller in ensuring compliance.
For the strict and necessary purposes of enabling the contractual relationship with you, your Personal Data may be communicated to third party judicial subjects of foreign countries whether within or outside the European Union always with respect to the rules contained in art. 44 to 50 of the GDPR.
In case of a Security Incident involving Personal Data Processed on behalf of the Data Controller, the Data Processor shall take into account the nature of Processing and the information available to the Data Processor to support the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to article 33 in the GDPR.
If the Data Processor becomes aware of a Security Incident, the Data Processor shall without undue delay notify the Data Controller of the Security Incident. The notification shall at least:
The liability of each party arising out of or related to this DPA (whether in contract, tort, or any other theory of liability) shall be subject to the exclusions and limitations of liability set out in the Terms. The Data Controller agrees that any regulatory penalties incurred by the Data Processor in relation to the Personal Data that arise as a result of, or in connection with, Data Controller’s failure to comply with its obligations under this DPA and the Applicable Data Protection Law shall count towards and reduce the Data Processor’s liability under the Terms as if it were a liability to the Data Controller under the Terms.
Subject to section 13.1, the Data Controller shall indemnify and hold harmless the Data Processor and its subsidiaries, affiliates, officers, agents, employees, advertisers, licensors, suppliers or partners, (collectively "84codes AB and Partners") from and against any direct claims, including any claim from Data Subjects, against the Data Processor due to Processing of Personal Data which violates the Applicable Data Protection Law, if such violation is due to unclear, inadequate or inadmissible instructions from the Data Controller, inadequate information from the Data Controller regarding the categories of Personal Data being Processed (e.g., if sensitive Personal Data is Processed without the Data Controller having informed the Data Processor about this) or otherwise due to circumstance on the Data Controller’s side.
This DPA shall continue in force until the termination of the Service (the "Termination Date").
Upon termination of this DPA, the Data Processor shall permanently erase, or completely block for access, all business-related information, documentation, and data provided by the Data Controller, including Personal Data created in connection with this DPA, unless there is an obligation for the storage of Personal Data according to EU laws or the rights of member states (see Art. 28 para. 3 lit. g GDPR). The same applies to Subprocessors.
The Data Processor may at any time make additions and/or amendments to this DPA and all its constituent elements (including any assurances granted by the Data Processor) by informing the Data Controller of the new terms, with a specific indication that it is an amendment or addition to this DPA. The Data Processor shall inform the Data Controller of the new terms in writing, which may also be in electronic form. The Data Controller may notify the Data Processor of any objection to the new terms within ten (10) business days. If such an objection is made, the DPA cannot be amended, nor can additions be made, unless in the form of written agreement between the Parties. Should no objection be made, the amendments and/or additions to the DPA shall enter into force after thirty (30) days from the notice date.
If any provision of this DPA should be, or become, partly invalid or unenforceable, it shall not invalidate the whole agreement. Any provision of this DPA that is held invalid or unenforceable only in part or degree shall be rewritten by mutual agreement to closely reflect the invalid or unenforceable provision while being valid and enforceable.
What follows from the Terms shall also apply to the Data Processor’s Processing of Personal Data and the commitments according to this DPA. For avoidance of doubt, where there are conflicting provisions in the Terms and the DPA, the provisions in the DPA shall take precedence regarding all Processing of Personal Data and nothing in the Terms shall be considered to limit or change the commitments according to this DPA to the extent this would mean the Data Controller does not comply with the Applicable Data Protection Law.
Swedish law applies in all aspects to the Data Processor’s Processing of Personal Data under this DPA.
Any dispute arising out of or in connection with the DPA shall be settled per the dispute resolution provision in the Terms.
The following instructions apply to the Processing of the Personal Data under this DPA. In addition to what is stated in this DPA, the Data Processor shall comply with the instructions below:
Processing operations and purposes | The Processing shall include the following operations and purposes: |
Categories of Data | The Personal Data Processed might include the following Categories of Data: |
Categories of Data Subjects | The Personal Data Processed might include the following Categories of Data Subjects: |
Retention period | The Personal Data shall be erased at the Data Controller’s request according to the Data Controller’s instructions. |
The following TOMS are agreed upon between the Data Controller and the Data Processor.
There is no unauthorized access to data processing systems. Data is stored in highly secure data centers that are monitored 24/7. Physical access to the data center facilities is strictly limited to selected cloud staff.
There is no unauthorized system usage. SSH keys are required when identifying trusted computers, along with a certificate that is received via a two-step verification process. Two-step authentication is enabled on every cloud platform providing it (platforms such as AWS and Heroku). Individual authentication credentials are not shared. SSH keys are frequently rotated. All endpoints (computers, laptops, mobile phones) use encrypted storage, secure passwords, and auto-locking mechanisms.
There is no unauthorized reading, copying, changing or removing within the system.
Personal Data is Processed in dedicated systems that are not shared with other services, applications, or corporate entities. Within individual systems and databases, data is segregated with logical access control. Personal Data is not used for purposes other than what it has been collected for, except in the case of explicit customer approval.
There is no unauthorized reading, copying, changing, or removing during electronic transmission or transport. Data encryption measures are in place to protect Personal Data. All data that 84codes holds about its customers is encrypted both at rest and in transit. All data that the Data Controller inserts to the Service is encrypted at rest per default at 84codes' side (at the cloud platforms that support it). The Data Controller can encrypt data in transit for additional security.
Logging systems are in place to determine and record whether and by whom Personal Data was entered, changed, or removed.
There is protection against accidental damage or destruction or loss via escalation ways and emergency plans.
According to Art. 28 of the GDPR, no Processing under commission is allowed without corresponding instructions from the Data Controller via explicit contract design, formalized order management, stringent selection of the service provider, obligation to convince in advance, and follow-up inspections.
Systems and services are designed to withstand intermittent high stresses or high constant loads of Processing. Further, the systems and services are also tested for vulnerabilities to ensure and maintain a high level of security.
The use of personnel, customer, and supplier IDs instead of names is prioritized to protect Personal Data.
Data encryption measures are in place to protect personal data on 84codes’ side. All data that 84codes holds about its customers is encrypted both at rest and in transit. All data that the Data Controller inserts to the Service is encrypted at rest per default at 84codes' side (at the cloud platforms that support it). The Data Controller can encrypt data in transit for additional security.
84codes stores data in redundant data storage, and backups are performed on the databases regularly. The Data Controller has the option to set up redundancy for data processed via the Service.
| | Company name, direction and nomination of possible Data Protection Officer/contract partner for data protection questions | Content of assignment (Scope of the commission by the Data Processor) | Place of Processing | Transmission of/access to Personal Data of the Data Controller (category of data and Data Subjects) |
---|---|---|---|---|
1 | Amazon Web Services | Data Center | Dependent on the Data Controller | Storage of data |
2 | Digital Ocean | Data Center | Dependent on the Data Controller | Storage of data |
3 | Google Cloud Platform | Data Center | Dependent on the Data Controller | Storage of data |
4 | Microsoft Azure | Data Center | Dependent on the Data Controller | Storage of data |
Please note that the data center is chosen on behalf of the Data Controller. Thus, not all data centers listed as Subprocessors will have access to the Data Controller’s data. Only the data center of the Data Controller’s choice will have access to the data and is considered as a Subprocessor in the means of this DPA.
These Program Policies are an exhibit to the Terms of Service (hereinafter referred to as Contract) and are incorporated therein.
To uphold the quality and reputation of 84codes AB products and services, your use of ElephantSQL (the "Service") is subject to these program policies. If you are found to violate our policies at any time, as determined by 84codes AB in its sole discretion, we may warn you or suspend or terminate your account.
Please note that we may change our program policies at any time, and pursuant to the ElephantSQL Terms of Service (the "Terms"), it is your responsibility to keep up-to-date with and adhere to these policies. All capitalized terms used herein have the meanings stated in the Terms, unless stated otherwise.
Revision Date: These Program Policies were last revised on February 12, 2021.
The Content displayed and/or processed through your Application or other web site utilizing the Service shall not contain any of the following types of content (“Prohibited Content”):
In addition to the violations described in the Terms, you shall not (and shall not allow any third party, including your end users, to):
Generate or facilitate unsolicited commercial email ("spam"). Such activity includes, but is not limited to:
84codes AB is conscious of the kind of impact we are having on all aspects of society, including economic, social and environmental. To make sure we are in line with our Corporate Social Responsibility model and Code of Ethics, the following businesses are not allowed as clients at 84codes AB: