Terms of Services

2025 Software Sales Terms and Conditions 

1. Terms and Conditions of Business 

1.1 These terms and conditions govern the provision of services by Virtual Days AB (“Virtual Days”), a company registered in Sweden under company number 559312-2053. Any reference to “we,” “us,” or “our” refers to Virtual Days. 

1.2 “Client” or “you” refers to the party entering into a contract with Virtual Days under the terms of this Agreement. 

1.3 “End-User” refers to users of the software under the guidance and support of the Client’s project managers. 

2. Payment Terms 

2.1 Full payment is required within 30 days of invoice or one week before the event date, whichever is sooner. 

2.2 Late payments will incur an interest charge of 1.5% per month or the highest rate permitted by law, whichever is lower. 

2.3 Virtual Days reserves the right to withdraw access to the software if payment remains outstanding beyond this period. 

3. Cancellation 

3.1 If the Client or End-User cancels this agreement, or if the Client fails to make a payment by the due date, Virtual Days reserves the right to cancel the agreement and charge the following: 

   – 100% of the invoice value if canceled within 14 days of the event. 

   – 75% of the invoice value if canceled within 30 days of the event. 

   – 50% of the invoice value if canceled within 60 days of the event. 

3.2 Clients may cancel within 14 days of signing for a full refund, provided no services have been rendered or the software has not been used. 

3.3 Virtual Days reserves the right to suspend services if there is reasonable cause to believe that the Client is in breach of these terms. 

4. Rights and Obligations of the Parties 

4.1 Virtual Days undertakes to provide the Client with access to the software to support and manage End-Users, including full training and support. 

4.2 Ensure the software’s functionality, provide technical support, and conduct routine maintenance. 

4.3 Notify the Client of any technical modifications to the software at least three (3) working days in advance. 

4.4 Upon the Client’s request, return all collected data at the end of this agreement and confirm in writing that all Client data has been returned, destroyed, or deleted. 

4.5 Comply with GDPR as a “Data Processor,” ensuring personal data security and confidentiality. 

4.6 Notify the Client within 24 hours in the event of a data breach that affects their information. 

5. Intellectual Property Rights 

5.1 Virtual Days owns all rights to the software and may grant licenses to other entities. 

5.2 The Client shall not acquire any rights to the software beyond those agreed upon in this contract. Copying, modifying, or imitating the software is strictly prohibited. 

5.3 All data provided by the Client or End-User belongs exclusively to them. Virtual Days will not use this data for any purpose beyond what is specified in the agreement. 

6. Limitation of Liability 

6.1 The total liability of Virtual Days under this contract shall be limited to the total amount paid by the Client. 

6.2 Virtual Days shall not be liable for indirect damages, including loss of revenue, profits, or data breaches caused by third-party service providers. 

7. Applicable Law 

7.1 This agreement shall be governed by and construed in accordance with the laws of Sweden, and both parties submit to the exclusive jurisdiction of Swedish courts. 

7.2 Both parties declare they have full legal capacity to enter into this agreement.


Appendix 1 – Background and Purpose 

This Appendix 1 constitutes the Instruction/Specification of the Agreement between the Data Controller (DC) and the Data Assistant (DA) regarding the Virtual Meeting Platform. The definitions in the Data Processing Agreement (DPA) also apply to this Annex.  

  1. Section A below contains general instructions to DA about the object of processing, the duration, nature, and purpose of the processing. It also contains conditions regarding the transfer of personal data to a third country or international organization.
  2. Section B contains instructions regarding technical and organizational security measures.
  3. Section C includes any additional terms and instructions that the DA must follow when processing Personal Data on behalf of the DC.
  4. Section D lists any approved sub-processors for processing personal data.
 
 

Section A – General Instructions 

A.1 Basic Information 

| Area | Instruction |
| --- | --- |
| Categories of personal data | Specify which personal data is to be processed by the DA: Exhibitor: Company name, role, contact person, email, and mobile phone number. Visitors: Name, e-mail, mobile phone number, CV (including home address and social security number). |
| Categories of data subjects | Specify the categories of data subjects the DC will process personal data about and its scope: Exhibitors using the virtual platform, and visitors to the virtual platform. |
| Purpose of processing | Describe the purpose(s) of processing personal data concerning the data subjects with whom DA shall assist the DC: The processing includes the storage of contact information for matching exhibitors and visitors at the digital fair. The storage of an email address is mandatory for participation, and uploading a CV is voluntary, intended to increase employment opportunities. The DA will provide the platform where virtual meetings take place. |
| Treatment activities and nature of treatment | Specify which activities will be carried out by DA and the nature of the treatment: Storage of data to facilitate the matching of exhibitors and visitors. |
| Duration of treatment | Describe the duration of the processing or, if not possible, indicate the parameters determining the timeframe (e.g., based on the contract’s duration): The data will be processed from 1 January 2023 onwards. |
| Deadline for deletion and possible return of personal data upon termination of the agreement | Describe the deadlines: Personal data will be deleted or returned upon request following the termination of the agreement, as stipulated in the DPA. The data processing will continue from 1 January 2023 onwards. |

A.2 Transfer of Personal Data to a Third Country or International Organization 

A.2.1 General Rule 

Personal data may be transferred by the DA to another country within the EU/EEA or to a third country or international organization deemed by the EU Commission to have an adequate level of protection. Personal data may not be transferred to any other third country or international organization unless otherwise stated under A.2.2 or A.2.3.  

A.2.2 Exception 1: Transfer of Personal Data to a Third Country or International Organization is Permitted 

The transfer of personal data to a third country or international organization (in addition to what is stated in A.2.1) is permitted only if one or more of the following conditions are met:  

  • The data subjects have expressly consented to the transfer.  

  • There is an agreement with the European Commission’s model clauses. Signed model clauses are attached to this instruction.  

  • The DA applies Binding Corporate Rules, which also apply to the recipient of the personal data in the relevant third country or international organization.  

  • The DA (or Sub-processor) has self-certified under the Privacy Shield Principles agreed between the EU and the U.S., or equivalent.  


A.2.3 Exception 2: Restrictions on Data Transfer 

  • Special restrictions apply to processing personal data, meaning the personal data may be transferred to countries within the EU/EEA but not to any third country or international organization without the DC’s prior written approval.  

  • Alternatively, personal data may not be transferred outside of Sweden without the DC’s prior written approval.  


Section B – Technical and Organizational Security Measures 

 

As per the DPA, the DA is obliged, considering the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of natural persons, to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.  

Regardless of DA’s overall responsibility, the following technical and organizational measures shall apply:  


| Area | Description of Requirements |
| --- | --- |
| Physical access control | https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security |
| Access control of systems | https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security |
| Access control of personal data | https://docs.microsoft.com/en-us/azure/security/fundamentals/protection-customer-data |
| Access control on transfers | https://docs.microsoft.com/en-us/azure/security/fundamentals/protection-customer-data |
| Control over the entry of personal data | https://docs.microsoft.com/en-us/azure/security/fundamentals/protection-customer-data#customer-data-ownership |
| Accessibility Checker | https://docs.microsoft.com/en-us/azure/role-based-access-control/overview |
| Intrusion prevention | https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security#physical-security |
| Separation check | https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles |
| Storage rules | https://docs.microsoft.com/en-us/azure/security/fundamentals/protection-customer-data |
| Encryption and pseudonymization | https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-overview |
| Backup and business continuity planning | For Azure MySQL database: 7 days of Point-in-Time Restore for up to 35 days. Virtual machines and applications can use Azure Backup. |
| Safety precautions | https://docs.microsoft.com/en-us/azure/compliance/ |
| Certifications | https://docs.microsoft.com/en-us/azure/compliance/ |
| Incident reporting procedures | Azure’s round-the-clock support for incidents via the Azure Support Plans. Administrators may open tickets for critical issues. https://azure.microsoft.com/en-us/support/plans/ |
| Audit rules | For auditing: Azure Active Directory, Azure Database for MySQL, and Azure App Service logs are available as per relevant documentation. |

 
 

Section C – Additional Instructions 

Any further instructions regarding the DA’s processing of personal data on behalf of the DC are as follows:  
No further instructions. 


Section D – Approved Sub-processors 

This summary constitutes a complete list of Sub-processors approved under the Agreement. The DA is responsible for ensuring the list is accurate and complete.  

 
 

| Name of the Organization | Contact Person (Details) | Description of Service | Location | Legal Basis for Transfer |
| --- | --- | --- | --- | --- |
| CometChat | Josh@cometchat.com | Chat functionality | EU | Adequate level of protection; Explicit consent; EU Commission’s model clauses; Binding Corporate Rules; Privacy Shield |
| Sendbird | | E-mail service | EU | Adequate level of protection; Explicit consent; EU Commission’s model clauses; Binding Corporate Rules; Privacy Shield |
| Whereby | | Video conference service | EU | Adequate level of protection; Explicit consent; EU Commission’s model clauses; Binding Corporate Rules; Privacy Shield |
| Microsoft Azure | | Data centre services | EU | Adequate level of protection; Explicit consent; EU Commission’s model clauses; Binding Corporate Rules; Privacy Shield |