Terms of Service
Software as a Service Agreement
WE KINDLY ASK THAT YOU READ THIS AGREEMENT BEFORE USING OUR SERVICES. BY ACCESSING OR USING OUR SOFTWARE OR SERVICES OFFERING, YOU ACCEPT AND AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT.
1. BACKGROUND
1.1 Kanda ApS, a private limited company registered in Denmark under CVR no. 33590369 (“Kanda”), offers to its Customers an online training platform and course tool (the “Simulator System”). The Simulator System is made available to the Users over the internet as Software as a Service.
1.2 This Software as a Service agreement (“Agreement”) is entered into between a Customer (as defined below) and Kanda. Kanda and Customer agree that the following terms and conditions will apply to the services provided under this Agreement and orders placed thereunder.
2. DEFINITIONS
2.1 For purposes of this Agreement, the definitions set forth below apply:
“Agreement” means this “software as a service” agreement, including any and all appendices, exhibits etc.
“User” means the agreed number of named or specified (by username or other user identification) individuals authorized by Customer to use the Services. Users may include the employees of Customer and the employees of third party independent contractors or third party consultants of Customer; provided, however, that any third party’s access to and use of the Service is limited to use solely in connection with Customer’s business operations. Customer acknowledges and agrees that it is responsible for ensuring that usage of the Service by any third party is in accordance with the terms and conditions of this Agreement. A breach of this Agreement by a User shall be deemed a breach by Customer.
“Customer Data” means all data and materials provided by Customer to Kanda for use in connection with the Services, including, without limitation, User applications, data files, and graphics.
“Documentation” means the reference manuals/materials, online presentations, and other information describing the SaaS and/or Services provided or otherwise made available to Customer. Documentation includes specifications for the Services set forth in any Order Form.
“Effective Date” means the date where the Agreement commences, either the date of the Customer’s acceptance of the Agreement, or another date as agreed by the parties.
“Simulator System” means the online training and course tool offered by Kanda to its Customers.
“Host” means the computer equipment on which the Software is installed, which is owned and operated by Kanda or its subcontractors.
“Kanda” means Kanda ApS, a private limited company registered in Denmark under CVR no. 33590369.
“Maintenance Services” means the support and maintenance services provided by Kanda to Customer according to this Agreement.
“Other Services” means all technical and non-technical services performed or delivered by Kanda under this Agreement, including, without limitation, implementation services and other professional services, training and education services but excluding the SaaS Services and the Maintenance Services. Other Services will be provided on a time and material basis at such times or during such periods, as may be specified in an Order Form and mutually agreed to by the parties.
“Services” means all services, not limited to SaaS Services, Maintenance Services and Other Services delivered by Kanda to Customer under this Agreement.
“Order Form” means any online or written order form for Services, submitted by Customer either during an online order process (via a Kanda website, via email or pdf), or separately signed by Customer and submitted to Kanda, and any future purchase order or order form that makes reference to this Agreement.
“Software” means the object code version of any software to which Customer is provided access as part of the Service, including any updates or new versions.
“SaaS Services” refer to the specific Kanda internet-accessible service identified in an Order Form that provides use of Kanda’s Software that is hosted by Kanda or its services provider and made available to Customer over a network on a term-use basis.
“Subscription Term” shall mean the period specified in an Order Form during which a Customer will have on-line access and use of Services. The Subscription Term shall renew for successive 12-month periods unless either party delivers written notice of non-renewal to the other party at least 30 days prior to the expiration of the then-current Subscription Term.
“Customer” means you and any company you represent. BY CLICKING THE “I ACCEPT” BUTTON, SIGNING (EXECUTED IN ONE OR MORE COUNTERPARTS), OR OTHERWISE ACCEPTING THIS AGREEMENT AS SET FORTH IN ANY ONLINE, PRINTED ORDER FORM REFERENCING THIS AGREEMENT, OR OTHER PRINTED OR ELECTRONIC FORM, YOU AND ANY COMPANY YOU REPRESENT AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU ARE AGREEING TO THIS AGREEMENT ON BEHALF OF YOUR COMPANY, YOU ARE REPRESENTING TO US THAT YOU HAVE THE AUTHORITY TO BIND YOUR COMPANY TO THIS AGREEMENT, AND THE TERM “YOU” SHALL REFER TO YOUR COMPANY.
3. SAAS SERVICES
3.1 During the Subscription Term, Customer will receive a nonexclusive, non-assignable, royalty free, worldwide limited right to use the Services, and allow the agreed number of Users enrolled by Customer to access and use the Services, solely for Customer’s internal business operations and subject to the terms of the Agreement. Customer may, subject to the conditions on any Order Form, allow its Users to use the Services for this purpose. Customer is responsible for its Users’ compliance with the Agreement.
3.2 Customer acknowledges that this Agreement is a services agreement and Kanda will not be delivering copies of the Software to Customer as part of the Services.
4. RESTRICTIONS
4.1 Customer shall not, and shall not permit anyone to: (i) copy or republish the Services, (ii) make the Services available to any person other than Users, (iii) use or access the Services for timesharing, (iv) modify or create derivative works based upon the Services or Documentation, (v) remove, modify or obscure any copyright, trademark or other proprietary notices contained in the Software or Services or in the Documentation, (vi) reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Software used to provide the Services, except and only to the extent such activity is expressly permitted by applicable law, or (vii) access the Services or use the Documentation in order to build a similar or competitive product.
4.2 Kanda owns all right, title and interest in and to the Software, Services, Documentation, and other deliverables provided under this Agreement, including all modifications, improvements, upgrades, derivative works and feedback related thereto and intellectual property rights therein.
5. CUSTOMER’S RESPONSIBILITIES
5.1 Customer shall provide commercially reasonable information and assistance to Kanda to enable Kanda to deliver the Services.
5.2 Customer shall comply with all applicable local, state, national and foreign laws in connection with its use of the SaaS Services, including those laws related to data privacy, international communications, and the transmission of technical or personal data. Customer acknowledges that Kanda exercises no control over the content of the information transmitted by Customer through the Services. Customer shall not upload, post, reproduce or distribute any information, software or other material protected by copyright, privacy rights, or any other intellectual property right without first obtaining the permission of the owner of such rights.
5.3 Customer represents, covenants, and warrants that Customer will use the Services only in compliance with the purpose the Services are provided for and all applicable laws and regulations. Customer hereby agrees to indemnify and hold harmless Kanda against any damages, losses, liabilities, settlements, and expenses (including without limitation costs and attorneys’ fees) in connection with any claim or action that arises from an alleged violation of the foregoing or otherwise from Customer’s use of Services. Although Kanda has no obligation to monitor Customer’s use of the Services, Kanda may do so and may prohibit any use of the Services it believes may be (or alleged to be) in violation of the foregoing.
5.4 Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”). Customer shall also be responsible for maintaining the security of the Equipment, Customer account, passwords (including but not limited to User passwords) and files, and for all uses of Customer account or the Equipment with or without Customer’s knowledge or consent.
5.5 Customer is solely responsible for collecting, inputting and updating all Customer Data stored on the Host, and for ensuring that the Customer Data does not (i) include anything that actually or potentially infringes or misappropriates the copyright, trade secret, trademark or other intellectual property right of any third party, or (ii) contain anything that is obscene, defamatory, harassing, offensive or malicious.
5.6 Customer shall: (i) notify Kanda immediately of any unauthorized use of any password or User id or any other known or suspected breach of security, (ii) report to Kanda immediately and use reasonable efforts to stop any unauthorized use of the Services that is known or suspected by Customer, and (iii) not provide false identity information to gain access to or use of the Services.
5.7 Subject to the terms and conditions of this Agreement, Customer grants to Kanda a limited, non-exclusive and non-transferable license, to copy, store, configure, perform, display and transmit Customer Data solely as necessary to provide the Services to Customer.
6. SECURITY AND PASSWORDS
6.1 Kanda will provide Customer with a username and/or password for each User. At the initial login, each User will be given the option to change the default password provided by Kanda to a personalized password that will enable such User to access the Services in accordance with this Agreement. The transmission of any User’s name or Password to allow any other person to use the Services is expressly prohibited.
6.2 If Kanda reasonably believes that a User is causing Customer to breach this Agreement or is in any way mishandling a password or using the Services in violation of this Agreement, then Kanda may, at its sole discretion, suspend User’s access to the Services indefinitely. All use of passwords assigned to Customer and its Users shall be at Customer’s sole responsibility and risk. Customer shall not, and shall cause its Users not to, disclose, transfer or disseminate any Password to any third party.
6.3 The Customer agrees that it shall be responsible and liable for any costs or expenses arising from or related to, any misuse of passwords or any Services, or other breaches of the restrictions or conditions contained in this Agreement, by Customer’s Users or other personnel.
7. CONFIDENTIALITY; PROPRIETARY RIGHTS
7.1 Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party). Proprietary Information of Kanda includes non-public information regarding features, functionality, and performance of the Services. Proprietary Information of Customer includes non-public data provided by Customer to Kanda to enable the provision of the Services (“Customer Data”). The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of the Services or as otherwise permitted herein) or divulge to any third person any such Proprietary Information.
7.2 The Disclosing Party agrees that the foregoing shall not apply with respect to any information after five (5) years following the disclosure thereof or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law.
7.3 Customer shall own all right, title, and interest in and to the Customer Data, as well as any data that is based on or derived from the Customer Data and provided to Customer as part of the Services. Kanda shall own and retain all right, title, and interest in and to (a) the Services and Software, all improvements, enhancements, or modifications thereto, (b) any software, applications, inventions, or other technology developed in connection with Implementation Services or support, and (c) all intellectual property rights related to any of the foregoing.
7.4 Notwithstanding anything to the contrary, Kanda shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom). Kanda will be free (during and after the term hereof) to (i) use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Kanda offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business. No rights or licenses are granted except as expressly set forth herein.
7.5 Kanda shall have a royalty-free, worldwide, irrevocable, perpetual license to use and incorporate into the Services any suggestions, enhancement requests, recommendation or other feedback provided by Customer, relating to the operation of the Services.
8. ORDERS AND PAYMENT
8.1 The fees for the Services (“Fees”) are set forth in the Order Form and are payable in advance, irrevocable and non-refundable except as set forth in the Order Form and this Agreement. Customer must provide Kanda with complete and accurate billing and contact information.
8.2 Where payment by credit card is agreed in the Order Form, or Customer provides Kanda with credit card information, Customer authorizes Kanda to bill such credit card (a) at the time that Customer orders the Services, (b) for any billing frequency otherwise established in the Order Form, and (c) at the time of any renewal, for the amount charged plus any applicable sales taxes for any renewed Term.
8.3 Kanda may, in its own discretion, permit Customer to make payment using a method other than a credit card. Kanda will then invoice Customer on an annual basis for an annual subscription and a monthly basis for a monthly subscription in advance of the relevant billing period, and all such amounts invoiced will be due within 30 days of Customer’s receipt of Kanda’s invoice. Late payments shall be subject to a service charge of one and one-half percent (1.5%) per month, or the maximum charge permitted by law, whichever is less.
8.4 Customer shall pay all personal property, sales, use, value-added, withholding, and similar taxes (other than taxes on Kanda’s net income) arising from the transactions described in this Agreement, even if such amounts are not listed on an Order Form.
8.5 Kanda may terminate or suspend Customer’s access to Services (i) if the billing or contact information provided by Customer is false or fraudulent or (ii) if any payment under this Agreement is late by more than 30 days. Customer agrees that Kanda shall not be liable to User or to any third party for any liabilities, claims or expenses arising from or relating to suspension of the Services resulting from Customer’s nonpayment.
9. TRIAL USE OF THE SERVICES
9.1 If specified in the Order Form or elsewhere, Customer may order certain Services for trial, nonproduction purposes subject to the terms and conditions of the Agreement. Services acquired for trial purposes are provided “as is” and Kanda does not offer any warranties for such Services.
10. TERM AND TERMINATION
10.1 The term of this Agreement shall begin on the Effective Date and shall continue until terminated by either party as outlined in this section or with a notice of 30 days to the end of a Subscription Term.
10.2 Either party may terminate this Agreement immediately upon a material breach by the other party that has not been cured within fourteen (14) days after receipt of notice of such breach.
10.3 Upon any termination, Kanda will make all Customer Data available to Customer for electronic retrieval for a period of ten (10) days, but thereafter Kanda may, but is not obligated to, delete stored Customer Data. All sections of this Agreement, which by their nature should survive termination, will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, and limitations of liability.
11. WARRANTIES
11.1 Kanda shall use reasonable efforts consistent with prevailing industry standards to maintain the Services in a manner that minimizes errors and interruptions in the Services and shall perform the Services in a professional and competent manner.
11.2 Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Kanda or by third-party providers, or because of other causes beyond Kanda’s reasonable control, but Kanda shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption. HOWEVER, KANDA DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES ARE PROVIDED “AS IS” AND KANDA DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. KANDA DOES NOT WARRANT OR GUARANTEE THAT THE SERVICES WILL BE VIRUS-FREE, NOR SHALL KANDA BE LIABLE FOR UNAUTHORIZED ALTERATION, THEFT OR DESTRUCTION OF CUSTOMER’S DATA.
11.3 Basis of the Bargain: Customer acknowledges that Kanda has set its prices and entered into this Agreement in reliance upon the Warranty Disclaimer and Limitation of Liability set forth in this Agreement, and that the same form an essential basis of the bargain between the parties. The parties agree that the limitation of liability specified in this Agreement will survive and apply even if the warranty disclaimer or any limitation of remedies is found to have failed of its essential purpose. Notwithstanding the foregoing, nothing contained herein shall limit Kanda’s liability for its own willful or wanton conduct.
12. LIMITATIONS OF LIABILITY
12.1 NOTWITHSTANDING ANYTHING TO THE CONTRARY, EXCEPT FOR BODILY INJURY OF A PERSON, KANDA AND ITS SUPPLIERS (INCLUDING BUT NOT LIMITED TO ALL EQUIPMENT AND TECHNOLOGY SUPPLIERS), OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS AND EMPLOYEES SHALL NOT BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT OR TERMS AND CONDITIONS RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (A) FOR ERROR OR INTERRUPTION OF USE OR FOR LOSS OR INACCURACY OR CORRUPTION OF CUSTOMER DATA OR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY OR LOSS OF BUSINESS; (B) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; (C) FOR ANY MATTER BEYOND KANDA’S REASONABLE CONTROL; OR (D) FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY CUSTOMER TO KANDA FOR THE SERVICES UNDER THIS AGREEMENT IN THE 12 MONTHS PRIOR TO THE ACT THAT GAVE RISE TO THE LIABILITY, IN EACH CASE, WHETHER OR NOT KANDA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
13. INDEMNIFICATION
13.1 Indemnification by Kanda.
13.1.1 If a third party makes a claim against Customer that the Services infringe any patent, copyright or trademark, or misappropriate any trade secret, or that Kanda’s negligence or willful misconduct has caused bodily injury or death, Kanda shall defend Customer and its directors, officers and employees against the claim at Kanda’s expense and Kanda shall pay all losses, damages and expenses (including reasonable attorneys’ fees) finally awarded against such parties or agreed to in a written settlement agreement signed by Kanda, to the extent arising from the claim.
13.1.2 The foregoing obligations do not apply with respect to portions or components of the Services (i) not supplied by Kanda, (ii) made in whole or in part in accordance with Customer specifications, (iii) that are modified after delivery by Kanda, (iv) combined with other products, processes or materials where the alleged infringement relates to such combination, (v) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, (vi) claims related to Customer’s Data or (vii) where Customer’s use of the Service is not strictly in accordance with this Agreement.
13.1.3 If, due to a claim of infringement, the Services are held by a court of competent jurisdiction to be or are believed by Kanda to be infringing, Kanda may, at its option and expense (a) replace or modify the Service to be non-infringing provided that such modification or replacement contains substantially similar features and functionality, (b) obtain for Customer a license to continue using the Service, or (c) if neither of the foregoing is commercially practicable, terminate this Agreement and Customer’s rights hereunder and provide Customer a refund of any prepaid, unused fees for the Service.
13.2 Indemnification by Customer.
13.2.1 If a third party makes a claim against Kanda that the Customer Data or any portions or components of the Services as mentioned in section 14.1.2 infringes any patent, copyright or trademark, or misappropriates any trade secret, Customer shall defend and hold harmless Kanda and its directors, officers and employees against the claim at Customer’s expense and Customer shall pay all losses, damages and expenses (including reasonable attorneys’ fees) finally awarded against such parties or agreed to in a written settlement agreement signed by Customer, to the extent arising from the claim.
13.3 A party seeking indemnification under this section shall (a) promptly notify the other party of the claim, (b) give the other party sole control of the defense and settlement of the claim, and (c) provide, at the other party’s expense for out-of-pocket expenses, the assistance, information, and authority reasonably requested by the other party in the defense and settlement of the claim.
14. FORCE MAJEURE
14.1 Each party will be excused from performance for any period during which, and to the extent that, such party or any subcontractor is prevented from performing any obligation or Service, in whole or in part, as a result of causes beyond its reasonable control, and without its fault or negligence, including without limitation, failure or interruption or termination of a necessary third party service, acts of terrorism, or the stability or availability of the Internet or a portion thereof, acts of God, strikes, lockouts, riots, acts of terrorism or war, epidemics, communication line failures, and power failures.
15. PERSONAL DATA
15.1 In performing the Services, Kanda will comply with the Kanda Privacy Policy, which is available here and incorporated herein by reference. The Kanda Privacy Policy is subject to change at Kanda’s discretion.
15.2 Kanda reserves the right to provide the Services from locations, and/or through use of subcontractors, worldwide.
15.3 Customer agrees to provide any notices and obtain any consents related to Customer’s and Users’ use of the Services and Kanda’s provision of the Services, including those related to the collection, use, processing, transfer, and disclosure of personal information. Customer shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and ownership of all of its data.
16. GENERAL PROVISIONS
16.1 Non-Exclusive Service. Customer acknowledges that Services are provided on a non-exclusive basis. Nothing shall be deemed to prevent or restrict Kanda’s ability to provide the Services or other technology, including any features or functionality first developed for Customer, to other parties.
16.2 Assignment. Customer may not assign this Agreement or any right under this Agreement, without the consent of Kanda, which consent shall not be unreasonably withheld or delayed.
16.3 Customer Reference. Customer agrees that Kanda may identify Customer as a recipient of Services and use Customer’s logo in sales presentations, marketing materials and press releases.
16.4 Statistical Information. Kanda may anonymously compile statistical information related to the performance of the Services for purposes of improving the Service, if such information does not identify Customer’s data or include Customer’s name.
16.5 Waiver. No waiver shall be effective unless it is in writing and signed by the waiving party. The waiver by either party of any breach of this Agreement shall not constitute a waiver of any other or subsequent breach.
16.6 Severability. If any term of this Agreement is held to be invalid or unenforceable, that term shall be reformed to achieve as nearly as possible, the same effect as the original term, and the remainder of this Agreement shall remain in full force.
16.7 Entire Agreement. This Agreement (including all Order Forms and exhibits) contains the entire agreement of the parties and supersedes all previous oral and written communications by the parties, concerning the subject matter of this Agreement. This Agreement may be amended solely in a writing signed by both parties. Terms and conditions provided by Customers, whether implicit or explicit, are deemed null and void unless such terms and conditions are accepted explicitly in writing by Kanda.
16.8 Governing Law. This Agreement and any dispute arising out of or in connection with it, shall be governed by and construed in accordance with the Danish law, excluding its conflict of law principles. The United Nations Convention on Contracts for the International Sale of Goods shall not apply. Customer and Kanda agree to submit to venue in Aarhus, Denmark.
Aarhus, Denmark, December 2025
Privacy Policy
1. PURPOSE
Kanda is committed to ensuring your privacy is protected. This Privacy Policy sets out how Kanda (“Kanda”, “us” or “we”) uses and protects any information that you (“you” or “user”) provide us when you use our services (“Services”) or our domain Kanda.dk (“Site”). If you have questions or comments regarding this Privacy Policy, please contact us at admin@kanda.dk.
2. WHAT INFORMATION WE COLLECT AND HOW WE USE IT
To be able to use and subscribe to our Services, we may require you to provide us with information that identifies you personally. This information may include:
- Your name
- Your company name
- Your email address
- Telephone number
- IP address
- Technical information such as type of browser and device
- Any data that you input in our Services, such as images, text, user statistics, etc.
We may also sometimes collect other information that does not identify you, such as your preferences in our Services.
The information we collect will primarily be used to verify your identity, to facilitate use of our Services and the Site, to invoice you for our Services, and to correspond with you about the Service, e.g., newsletters, information about our Service, Site and other communication between you and us. Furthermore, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not supersede those interests.
- Where we need to comply with a legal or regulatory obligation.
We strive only to collect the minimum amount of data necessary.
You can contact us at admin@kanda.dk to remove your data at any time.
2.1 Buttons, tools, and content from other companies
The Site and/or Services may include buttons, tools, or content that link to other companies’ services (for example, a button that links to a third party LMS). We may collect information about your use of these features. In addition, when you see or interact with these buttons, tools, or content, or view a webpage or Service containing them, some information from your browser or app session may automatically be sent to the other company. Please read that company’s privacy policy for more information.
2.2 Personal information
We make every effort to give you access to your personal information, to allow you to correct any inaccuracies, or to remove your personal information at your request provided it is not required for genuine business purposes or by law to be retained.
We require you identify yourself and the information you request to access, remove, modify or correct before commencing such requests. We may refuse requests that are of unreasonable technical effort or would be highly unfeasible, endanger the privacy of others, or require access that is not normally necessary. When we provide access to your personal information for the purposes of modification, correction or removal, we do so free of charge except where doing so requires an unreasonable effort.
To request access, correction or removal of your personal information, please contact admin@kanda.dk. To request the removal of your account, please contact admin@kanda.dk. We will remove all of your information and data from the Site within reasonable time upon receipt of your request.
3. DISCLOSURE OR SHARING OF INFORMATION
We may disclose your information as follows:
- Kanda affiliates. We may disclose information to any of Kanda’s current or future affiliates (affiliates are companies controlling, controlled by, or under common control with us, parent companies, or subsidiaries) to process for the purposes described in this Privacy Policy.
- Kanda service providers. We may disclose information to vendors, service providers, agents, contractors, or others who perform functions (e.g., maintenance, data analysis, customer relationship management, email marketing, surveys, credit card processing, data hosting, fraud detection) on our behalf.
- Displaying the services. When you submit or share information on the Services, it may be displayed to other users authorized by you.
- To comply with laws. If we receive a request for information, we may disclose information if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.
- To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property, or safety of Kanda or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.
4. HOW WE ENSURE THE SECURITY OF YOUR INFORMATION
Kanda is committed to ensuring that your identifiable and non-identifiable personal information is secure. We have put in place suitable physical, electronic and managerial procedures to prevent unauthorized access, modification, disclosure, or loss of your identifiable personal information. However, we cannot assure your identifiable and non-identifiable personal information will never be disclosed in a nature that conflicts with this Privacy Policy. Additionally, we are not responsible for any breach of security or actions undertaken by any third parties that receive the information.
5. COOKIES
We may use a variety of methods, including “cookies” to collect information. The cookies used on our Site and Services are described below.
5.1 Performance Cookies
We collect cookies on our Site and/or Services to capture information about page visits (e.g., “performance cookies”). This information is anonymous, and we use this information only internally to deliver the most effective content to our users. Information from the cookie is used to gauge page popularity, analyze traffic patterns on our Site and/or Services and guide development of other improvements to our sites and/or Services.
5.2 Targeting, Performance, and Functionality Cookies
We employ some tracking methods (e.g., “targeting, performance, and functionality cookies”). We track “opens” via a tracking pixel in the email, meaning we track who opens our mail messages and when you open our mail messages; and we track “clicks” via encoded URLs, meaning we track whether you click on the links contained in our mail messages. This information is used internally only to help us deliver relevant messaging.
5.3 Functionality and Necessary Cookies
We do not require that you accept cookies, and you may withdraw your consent to our use of cookies at any time by adjusting your browser’s privacy settings. However, some functionality on our Site (e.g., “functionality cookies”), our product or service check-out process, and Services may be disabled or impaired if you decline to accept cookies (e.g., “necessary cookies”).
5.4 Opting Out of Cookies
By using the Site and Services, you consent to the placement of the cookies referenced above. You can, however, set your browser to notify you when you receive a cookie, giving you the chance to decide whether or not to accept it. You may also change your cookie settings through preference options in our Site and/or Services, where applicable. Please be aware that upon selecting your preferences, we will use a cookie to remember your preferences.
6. THIRD PARTY ADVERTISING TECHNOLOGIES
In addition to using cookies and related technologies as described above, we also may permit certain third-party companies to help us tailor advertising, e.g., remarketing, that we think may be of interest to users and to collect and use other data about user activities on our Site and/or Services (e.g., to allow them to tailor ads on third party services).
7. DATA STORAGE AND SECURITY
We may utilize third party vendors and hosting companies to provide the software, hardware, storage, networking and other necessary technology required to provide the Services and the Site.
Kanda applies appropriate measures for the protection of the data which are collected during the registration process. We apply SSL technology. Our Services are hosted on servers which are located within the European Union or Safe Harbor countries. All stored data are encrypted. The company processes the personal data of the users of our Site in a way which guarantees compliance with the law, as in force, for the protection of personal data. Without prejudice to more specific provisions/terms contained therein, we do not transfer or sell the data to third parties, legal or natural persons.
Our personnel and partners are legally bound to keep everything confidential and to comply with this policy and the data protection laws.
8. UPDATES AND CHANGES
From time to time, we may change or amend this privacy policy. We will notify you in advance before any changes take place.
Aarhus, Denmark, December 2024
Quality Policy
1. PURPOSE
The quality policy acts as a compass by providing the direction and framework for establishing key corporate level performance measures, as well as related objectives and targets. Top management ensures that our corporate policies are established and documented, and that the policies are available to all interested parties via our website.
2. SCOPE
The quality policy is communicated to all employees at all levels throughout our organization via regular internal communications and reinforcement during annual employee training and review sessions. Employee understanding of our policies and objectives is determined during internal audits and other methods deemed appropriate.
3. QUALITY POLICY STATEMENT
3.1 General
Our organization is committed to an operating philosophy based on openness in communication, integrity, and honesty in serving our customers, fairness and concern for our employees and responsibility to the communities within which we operate. Additionally, we are dedicated to creating a culture that supports and nurtures self-determination in how to structure one’s work.
3.2 Our People
Our organization is committed to equality in employment opportunity and rewards, embracing wholeheartedly the cultural diversity within the communities we call home.
Our employees’ welfare and interests are foremost throughout all aspects of our business and how we conduct our affairs. Our organization is committed to:
- Creating and nurturing an environment of success based on honesty and integrity;
- Equitable sharing in the success of the company;
- Empowerment through training and communication;
- Individual growth and equal opportunity;
- Designing and providing a safe and secure work environment.
Our organization recognizes its responsibilities with regard to ensuring the welfare of our employees and preventing accidents in its operations. All necessary steps are taken to ensure the health and safety of employees and contractors wherever they may be working. All accidents and near misses are investigated to prevent re-occurrence.
Competencies and the attitudes of individuals and teams will be developed to support safe and healthy working conditions, protecting the environment and preserving our organization’s assets.
The competency of contractors and sub-contractors will be confirmed through contractual requirements and monitored through audits and inspections. Client contractors’ competencies will be assessed upon arrival at the Kanda ApS facility.
3.3 Our Customers
Our vision is to exceed customer expectations for quality, safety, sustainability, cost, delivery and value. An honest and respectful dialogue with our Customers is paramount and represents the highest priority within our business. Our obligation is to proactively seek out and help customers clarify their needs, while addressing all requests expeditiously without creating false expectations.
3.4 Our Community
Our organization is committed to supporting the communities within which we operate. We believe in the practice of social responsibility and encourage similar behavior in our employees and suppliers.
We support the conservation of the physical environment and the prevention of pollution at our facilities. We proactively comply with all applicable safety, environmental, legal and regulatory requirements to which we subscribe.
3.5 Our Quality
Beginning with a clear definition of customers’ expectations, we strive to consistently meet or exceed them. We adhere to all applicable standards and customer specific requirements and endeavour to provide processes that ensure we achieve this, in order to build a robust and world class business.
Our organization is committed to achieving competitive excellence and providing our customers with products and services designed, produced, and maintained to meet or exceed their expectations by:
- Complying with all customer, statutory and regulatory requirements;
- Enabling employees to achieve business and professional goals;
- Continually improving our processes via our QMS.
We will ensure that our quality management system and processes are effective through a comprehensive compliance monitoring program. The audits will consider facilities, systems, equipment, contractors and sub-contractors. All follow-up and action points will be tracked and rectified in a timely manner.
This compliance monitoring program will be supplemented through client inspections and reviews. Audit leaders will be formally trained. All internal audits will include participation by line departments.
GDPR Data Processing Agreement (DPA)
1. PREAMBLE
1.1 As part of the commencement of an agreement on providing services related to the development and delivery of software (hereinafter referred to as the ‘Main Agreement’), the Parties hereby enter into this data processing agreement (hereinafter referred to as the ‘Data Processing Agreement’). These Contractual Clauses (the Clauses) set out the rights and obligations of the data controller and the data processor, when processing personal data on behalf of the data controller.
1.2 The Clauses have been designed to ensure the parties’ compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
1.3 The Data Processor’s delivery of the services under the Main Agreement means that the Data Processor will process the Personal Data pertaining to the registrants on behalf of the Data Controller.
1.4 The Clauses shall take priority over any similar provisions contained in other agreements between the parties.
1.5 The Clauses include these Appendices, which apply in the following order:
- Information about the processing
- Processing Specification Form
- Instruction pertaining to the use of personal data
2. THE RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
2.1 The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State[1] data protection provisions and the Clauses.
2.2 The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
2.3 The data controller shall be responsible, among other things, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.
3. THE DATA PROCESSOR ACTS ACCORDING TO INSTRUCTIONS
3.1 The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the processor is subject. Such instructions shall be specified in the Clauses and specifically Appendix B. Subsequent instructions can also be given by the data controller throughout the duration of the processing of personal data, but such instructions shall always be documented and kept in writing.
3.2 The Data Processor shall not be under obligation to comply with a request from the Data Controller according to this clause if the request contravenes personal data legislation. The Data Processor shall inform the Data Controller if this sub-clause should become relevant.
4. CONFIDENTIALITY
4.1 The data processor shall only grant access to the personal data being processed on behalf of the data controller to persons under the data processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access to personal data can be withdrawn, if access is no longer necessary, and personal data shall consequently not be accessible anymore to those persons.
4.2 The data processor shall at the reasonable request of the data controller demonstrate that the concerned persons under the data processor’s authority are subject to the abovementioned confidentiality.
5. SECURITY AND PROCESSING
5.1 The data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks.
5.2 The data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.
5.3 Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR.
- If subsequently – in the assessment of the data controller – mitigation of the identified risks requires further measures to be implemented by the data processor, than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.
6. USE OF SUB-PROCESSORS
6.1 The data processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).
6.2 The data processor shall therefore not engage another processor (sub-processor) for the fulfilment of the Clauses without the prior general written authorisation of the data controller.
- The data processor has the data controller’s general authorisation for the engagement of sub-processors. The data processor shall inform in writing the data controller of any intended changes concerning the addition or replacement of sub-processors at least 15 calendar days in advance, thereby giving the data controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s).
6.3 Where the data processor engages a sub-processor for carrying out specific processing activities on behalf of the data controller, the same data protection obligations as set out in the Clauses shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Clauses and the GDPR.
- The data processor shall therefore be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Clauses and the GDPR.
6.4 A copy of such a sub-processor agreement and subsequent amendments shall – at the data controller’s request – be submitted to the data controller, thereby giving the data controller the opportunity to ensure that the same data protection obligations as set out in the Clauses are imposed on the sub-processor. Clauses on business related issues that do not affect the legal data protection content of the sub-processor agreement, shall not require submission to the data controller.
6.5 The data processor shall agree a third-party beneficiary clause with the sub-processor where – in the event of bankruptcy of the data processor – the data controller shall be a third-party beneficiary to the sub-processor agreement and shall have the right to enforce the agreement against the sub-processor engaged by the data processor, e.g. enabling the data controller to instruct the sub-processor to delete or return the personal data.
6.6 If the sub-processor does not fulfil his data protection obligations, the data processor shall remain fully liable to the data controller as regards the fulfilment of the obligations of the sub-processor. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in Articles 79 and 82 GDPR – against the data controller and the data processor, including the sub-processor.
7. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
7.1 Any transfer of personal data to third countries or international organisations by the data processor shall only occur on the basis of documented instructions from the data controller and shall always take place in compliance with Chapter V GDPR.
7.2 In case transfers to third countries or international organisations, which the data processor has not been instructed to perform by the data controller, are required under EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
7.3 Without documented instructions from the data controller, the data processor therefore cannot within the framework of the Clauses:
- transfer personal data to a data controller or a data processor in a third country or in an international organization
- transfer the processing of personal data to a sub-processor in a third country
- have the personal data processed by the data processor in a third country
7.4 The data controller’s instructions regarding the transfer of personal data to a third country including, if applicable, the transfer tool under Chapter V GDPR on which they are based, shall be set out in Appendix C.6.
7.5 The Clauses shall not be confused with standard data protection clauses within the meaning of Article 46(2)(c) and (d) GDPR, and the Clauses cannot be relied upon by the parties as a transfer tool under Chapter V GDPR.
8. ASSISTANCE TO THE DATA CONTROLLER
8.1 The data processor shall, against reasonable remuneration, as required and to a reasonable extent assist in the data controller’s fulfilment of its obligations in the processing of the Personal Data under the Clauses, including by:
- responding to registrants in their exercise of their rights
- impact analyses
- preliminary regulatory authority hearings
9. NOTIFICATION OF PERSONAL DATA BREACH
9.1 In case of any personal data breach, the data processor shall, without undue delay after having become aware of it, notify the data controller of the personal data breach.
9.2 The data processor’s notification to the data controller shall, if possible, take place within 24 after the data processor has become aware of the personal data breach to enable the data controller to comply with the data controller’s obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 GDPR.
9.3 In accordance with Clause 9(2)(a), the data processor shall assist the data controller in notifying the personal data breach to the competent supervisory authority, meaning that the data processor is required to assist in obtaining the information listed below which, pursuant to Article 33(3) GDPR, shall be stated in the data controller’s notification to the competent supervisory authority:
- The nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
10. ASSISTANCE TO THE DATA CONTROLLER
10.1 On termination of the provision of personal data processing services, the data processor shall be under obligation to delete all personal data processed on behalf of the data controller and certify to the data controller that it has done so unless Union or Member State law requires storage of the personal data.
- The data processor commits to exclusively process the personal data for the purposes and duration provided for by this law and under the strict applicable conditions.
11. AUDIT AND INSPECTION
11.1 The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the Clauses and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.
11.2 The data processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the data controller’s and data processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor’s physical facilities on presentation of appropriate identification.
11.3 The Data Processor shall be entitled to reasonable time and material payment for assistance under sub-clause 12.
12. COMMENCEMENT AND TERMINATION
12.1 The Clauses shall become effective on the date of both parties’ signature.
12.2 Both parties shall be entitled to require the Clauses to be renegotiated if changes to the law or inexpediency of the Clauses should give rise to such renegotiation.
12.3 The Clauses shall apply for the duration of the provision of personal data processing services. For the duration of the provision of personal data processing services, the Clauses cannot be terminated unless other Clauses governing the provision of personal data processing services have been agreed between the parties.
12.4 If the provision of personal data processing services is terminated, and the personal data is deleted or returned to the data controller pursuant to Clause 11.1. and Appendix C.3., the Clauses may be terminated by written notice by either party.
APPENDIX A: INFORMATION ABOUT THE PROCESSING
A.1. The purpose of the data processor’s processing of personal data on behalf of the data controller is:
The purpose of the processing is the disclosure of personal data to the data processor in connection with the data controller’s users’ or employees’ use of the services, in order for the data processor to execute necessary tasks connected to the services.
A.2. The data processor’s processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):
The Data Processor makes IT services available to the data controller and hereby processes personal data about the data controller’s employees or users on the Data Processor’s servers.
A.3. The processing includes the following types of personal data about data subjects:
“Name, e-mail address, employer, IP Address, test scores and other relevant statistics related to training and use of the services, attendance at online training and registration for specific training modules.”
A.4. Processing includes the following categories of data subject:
The Data Controller’s employees and users using the services.
A.5. The data processor’s processing of personal data on behalf of the data controller may be performed when the Clauses commence. Processing has the following duration:
Processing shall not be time-limited and shall be performed until this Data Processing Agreement is terminated or cancelled by one of the Parties.
APPENDIX B: SPECIFICATION OF PROCESSING
The Parties have entered into the following agreement:
Data processor | Microsoft Corporation
Services | We run our backend services on Microsoft Azure. Access to customer data by Microsoft operations and support personnel is denied by default.
Approved subcontracted data processors | The Services include the following subcontracted data processors: https://servicetrust.microsoft.com/DocumentPage/badc200c-02ab-43d9-b092-ed9b93b9b4a8
Geographical location(s) for the processing | Personal data will be processed in the following countries/locations:
☒ EU or EEA territories | ☐ Other [Specify]
Categories of registrants | Registrant categories include the following:
☒ Employees | ☐ Customers and/or clients
☐ Suppliers | ☐ Others
Categories of personal data | Personal data to be processed include:
☒ Customer data e.g. name, title, address, telephone number, e-mail address, date of birth, sex, customer number, order number, service history and details.
☐ Commercial customers, partners and supplier details e.g. name, title, address, telephone number, e-mail address, date of birth, sex, service history and details.
☐ Financial data e.g. income, salary, assets, payments, purchases, loans, bank account, card number, credit ratings, insurance and pension details.
☐ Employment details e.g. name, address, telephone number, e-mail address, date of birth, sex, CPR number, job market history, appointment and dismissal details, employee history and courses.
☐ Other [Specify]
Special categories of personal data
☐ Race or ethnicity | ☐ Political beliefs | ☐ Religious or philosophical orientation
☐ Trade union | ☐ Genetic or biometric data | ☐ Health information
☐ Sexual orientation | ☐ Criminal convictions
Data processor | Exit Games GmbH
Services | During multiplayer sessions, a user’s name is shared with other participants using Exit Games’ Photon Cloud services. The names of players are anonymized using encryption before being shared to the Photon Cloud servers. The IP address of the end user device is shared with Photon Cloud in order to enable IP routing.
Approved subcontracted data processors | The Services include the following subcontracted data processors:
Geographical location(s) for the processing | Personal data will be processed in the following countries/locations:
☒ EU or EEA territories | ☐ Other [Specify]
Categories of registrants | Registrant categories include the following:
☒ Employees | ☐ Customers and/or clients
☐ Suppliers | ☐ Others
Categories of personal data | Personal data to be processed include:
☒ Customer data e.g. name, title, address, telephone number, e-mail address, date of birth, sex, customer number, order number, service history and details.
☐ Commercial customers, partners and supplier details e.g. name, title, address, telephone number, e-mail address, date of birth, sex, service history and details.
☐ Financial data e.g. income, salary, assets, payments, purchases, loans, bank account, card number, credit ratings, insurance and pension details.
☐ Employment details e.g. name, address, telephone number, e-mail address, date of birth, sex, CPR number, job market history, appointment and dismissal details, employee history and courses.
☒ Other: IP Address
Special categories of personal data
☐ Race or ethnicity | ☐ Political beliefs | ☐ Religious or philosophical orientation
☐ Trade union | ☐ Genetic or biometric data | ☐ Health information
☐ Sexual orientation | ☐ Criminal convictions
Data processor | Auth0
Services | We use Auth0 for authentication and it stores basic profile data and IP for users logging in to VTP.
Approved subcontracted data processors | The Services include the following subcontracted data processors: https://www.okta.com/sites/default/files/2022-11/SUBPROCESSORS_INFORMATION%20-%2011.02.2022.pdf
Geographical location(s) for the processing | Personal data will be processed in the following countries/locations:
☒ EU or EEA territories | ☐ Other [Specify]
Categories of registrants | Registrant categories include the following:
☒ Employees | ☐ Customers and/or clients
☐ Suppliers | ☐ Others
Categories of personal data | Personal data to be processed include:
☒ Customer data e.g. name, title, address, telephone number, e-mail address, date of birth, sex, customer number, order number, service history and details.
☐ Commercial customers, partners and supplier details e.g. name, title, address, telephone number, e-mail address, date of birth, sex, service history and details.
☐ Financial data e.g. income, salary, assets, payments, purchases, loans, bank account, card number, credit ratings, insurance and pension details.
☐ Employment details e.g. name, address, telephone number, e-mail address, date of birth, sex, CPR number, job market history, appointment and dismissal details, employee history and courses.
☒ Other: IP Address
Special categories of personal data
☐ Race or ethnicity | ☐ Political beliefs | ☐ Religious or philosophical orientation
☐ Trade union | ☐ Genetic or biometric data | ☐ Health information
☐ Sexual orientation | ☐ Criminal convictions
Data processor | Mailgun
Services | We use Mailgun to send automated emails to VTP users. Recipient email addresses are temporarily stored on Mailgun infrastructure.
Approved subcontracted data processors | The Services include the following subcontracted data processors:
Geographical location(s) for the processing | Personal data will be processed in the following countries/locations:
☒ EU or EEA territories | ☐ Other [Specify]
Categories of registrants | Registrant categories include the following:
☒ Employees | ☐ Customers and/or clients
☐ Suppliers | ☐ Others
Categories of personal data | Personal data to be processed include:
☒ Customer data e.g. name, title, address, telephone number, e-mail address, date of birth, sex, customer number, order number, service history and details.
☐ Commercial customers, partners and supplier details e.g. name, title, address, telephone number, e-mail address, date of birth, sex, service history and details.
☐ Financial data e.g. income, salary, assets, payments, purchases, loans, bank account, card number, credit ratings, insurance and pension details.
☐ Employment details e.g. name, address, telephone number, e-mail address, date of birth, sex, CPR number, job market history, appointment and dismissal details, employee history and courses.
☐ Other [Specify]
Special categories of personal data
☐ Race or ethnicity | ☐ Political beliefs | ☐ Religious or philosophical orientation
☐ Trade union | ☐ Genetic or biometric data | ☐ Health information
☐ Sexual orientation | ☐ Criminal convictions
Data processor | Unity Gaming Services | ||||
Services | During an application session, events are shared to Unity Analytics in order to provide metrics such as active user count and session length. We use the Kanda-assigned user ID such that events can be linked to unique users who are otherwise anonymous to Unity services. The metrics we collect are only accessible to Kanda staff. Enterprise customers can choose to opt-out from data collection. | ||||
Approved subcontracted data processors | The Services include the following subcontracted data processors:
|
||||
Geographical location(s) for the processing | Personal data will be processed in the following countries/locations: | ||||
☐ EU or EEA territories | ☒ Other
United States |
||||
Categories of registrants | Registrant categories include the following: | ||||
☒ Employees | ☐ Customers and/or clients | ||||
☐ Suppliers | ☐ Others | ||||
Categories of personal data | Personal data to be processed include: | ||||
☐ Customer data e.g. name, title, address, telephone number, e-mail address, date of birth, sex, customer number, order number, service history and details. | |||||
☐ Commercial customers, partners and supplier details e.g. name, title, address, telephone number, e-mail address, date of birth, sex, service history and details. | |||||
☐ Financial data e.g. income, salary, assets, payments, purchases, loans, bank account, card number, credit ratings, insurance and pension details. | |||||
☐ Employment details e.g. name, address, telephone number, e-mail address, date of birth, sex, CPR number, job market history, appointment and dismissal details, employee history and courses. | |||||
☒ Other: Kanda-assigned User ID | |||||
Special categories of personal data | |||||
☐ Race or ethnicity | ☐ Political beliefs | ☐ Religious or philosophical orientation | |||
☐ Trade union | ☐ Genetic or biometric data | ☐ Health information | |||
☐ Sexual orientation | ☐ Criminal convictions |
APPENDIX C: INSTRUCTION PERTAINING TO THE USE OF PERSONAL DATA
C.1. The subject of/instruction for the processing
The data processor’s processing of personal data on behalf of the data controller shall be carried out by the data processor performing the following:
The Data Processor shall use the disclosed personal data in order to deliver its services and make the services available to the employees or users of the data controller.
C.2. Security of processing
The level of security shall take into account:
That the processing involves a limited volume of personal data which are subject to Article 6 of the GDPR, which is why an average level of security should be established.
The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.
The following technical and organizational security measures have been applied by the Data Processor:
- Access: All access to software, file systems and network is via log-in with username and password. Access to data is limited to relevant areas for each individual employee. In case of critical transactions, authorization and authentication with certificates or similar can be applied.
- Data storage: Data is stored on central servers. Server rooms are physically protected with access control. Furthermore, security measures and precautions against incidents such as fire, smoke, water, power outages and theft have been installed and/or implemented in the server rooms. Networks are physically protected and separated from other data traffic.
- Back-up: Data back-up is completed daily, so that data can be recreated at any time and no more than one day’s data can be lost. Copies of back-up data are stored in two internal locations and one external location.
- Antivirus: Protection against viruses in files and e-mails is applied continuously.
- Education and IT awareness: IT awareness courses are conducted annually for relevant employees. Furthermore, the Data Processor has implemented guidelines for handling personal data.
C.3. Storage period/erasure procedures
Personal data is stored for 6 months after the termination of the Main Agreement, after which the personal data is automatically erased by the data processor.
C.4. Procedures for the data controller’s audits, including inspections, of the processing of personal data being performed by the data processor
The data processor shall once yearly, at the written request of the data controller and at its expense obtain an inspection report from an independent third party concerning the data processor’s compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.
The inspection report shall without undue delay be submitted to the data controller for information. The data controller may contest the scope and/or methodology of the report and may in such cases request a new audit/inspection under a revised scope and/or different methodology.
Based on the results of such an audit/inspection, the data controller may request further measures to be taken to ensure compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.
The data controller or the data controller’s representative shall in addition have access to inspect, including physically inspect, the places where the processing of personal data is carried out by the data processor, including physical facilities as well as systems used for and related to the processing. Such an inspection shall be performed when the data controller deems it required.
C.5. Procedures for audits, including inspections, of the processing of personal data being performed by sub-processors
The data processor shall once yearly, at the written request of the data controller and at its expense obtain an inspection report from an independent third party concerning the sub-processor’s compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.
The report shall without undue delay be submitted to the data controller for information. The data controller may contest the scope and/or methodology of the report and may in such cases request a new audit/inspection under a revised scope and/or different methodology.
Based on the results of such an audit/inspection, the data controller may request further measures to be taken to ensure compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.