Terms & Conditions
These Terms & Conditions (the “Terms”) govern the purchase and business use of the GBBS platform and related services. They form a binding agreement between GBBS AB (Sweden) (“GBBS,” “we,” “us”) and the entity that orders, accesses, or uses the Services (“Customer,” “you”).
By placing an order, accepting online, or using the Services, you agree to these Terms. If you accept on behalf of an entity, you confirm you have authority to bind that entity.
1. Definitions
1.1 Account means Customer’s account used to access the Services.
1.2 Authorised Users means Customer’s employees, agents, and contractors permitted to use the Services under Customer’s Account.
1.3 Certification Scheme means the certification requirements, rules, verification approach, and associated policies published by GBBS and updated from time to time.
1.4 Customer Data means data and content submitted to the Services by or on behalf of Customer, including records, attachments, and user-entered information.
1.5 Documentation means the user guides, in-product instructions, knowledge base, and technical documentation made available within the Services and/or at the documentation location designated by GBBS, as updated from time to time.
1.6 DPA means the Data Processing Agreement in Appendix A, incorporated into these Terms by reference.
1.7 Evidence Records means operational records maintained in an immutable, tamper-evident evidence store, including task completions, incident logs, inspection results, and certification events. Evidence Records are designed to avoid direct identifiers. Where Personal Data must be cryptographically anchored in the evidence store, it is stored as encrypted payloads using per-subject key material managed separately from the evidence store (for example via envelope encryption and separate key custody).
1.8 Order means any online checkout, order form, quote acceptance, statement of work, or other written/electronic agreement describing subscription scope, pricing, term, and any add-ons.
1.9 Personal Data has the meaning given in the GDPR. In the context of the Services, Personal Data includes (a) directly identifiable Personal Data stored in the primary relational database (for example names, email addresses, job titles/roles, and account credentials), and (b) any Personal Data that Customer chooses to include in Customer Data (for example free-text fields, file uploads, or attachments).
1.10 Post-Termination Period means the period following expiry or termination during which Customer may export Customer Data as described in Section 6.3. Unless an Order states otherwise, the Post-Termination Period is thirty (30) days.
1.11 Privacy Policy means the GBBS privacy notice published at the location designated by GBBS (including within the Services) and incorporated by reference as it relates to GBBS’s own processing activities as a controller (for example website and billing interactions). Processing where GBBS acts as processor is governed by the DPA.
1.12 Services means the GBBS platform (including web and mobile interfaces), training content, documentation tools, certification-related access (if applicable), support, updates, and any add-ons stated in an Order.
1.13 Subscription means the paid right to access the Services during the Subscription Term.
1.14 Subscription Term means the period stated in the applicable Order (monthly, annual, or otherwise).
2. The Services
2.1 Purpose. The Services provide a structured system for training, documentation, and traceable recordkeeping related to bed bug risk management workflows, including routine tasks, incident workflows, evidence capture, and offsite record retention where available.
2.2 Not pest control. GBBS is not a pest control operator and does not provide on-site inspection, treatment, eradication, or guarantee outcomes. Any third-party pest control engagement and results are Customer’s responsibility.
2.3 No Customer-specific SOPs by default. Unless expressly stated in an Order, GBBS does not provide Customer-specific SOPs or bespoke operating procedures. The Services provide a standard framework and tooling.
2.4 Add-ons and professional services. Integrations (including PMS and related systems), custom configuration, data migration, training delivery services, and other professional services may be offered as paid add-ons and must be agreed in an Order.
3. Accounts, Access, and Customer Responsibilities
3.1 Business use. The Services are intended for business customers and must be used only for Customer’s internal business operations.
3.2 Administration and access control. Customer must maintain at least one administrator responsible for creating and managing Authorised Users, assigning roles and permissions, and removing access promptly when no longer required. Subject to GBBS’s security obligations under these Terms and the DPA, GBBS is not liable for unauthorised access or misuse resulting from Customer’s failure to manage roles and permissions appropriately.
3.3 Credential security. Customer is responsible for safeguarding credentials and for all activity under its Account, including actions by Authorised Users.
3.4 Operational responsibility. Customer is responsible for ensuring personnel are trained and authorised for the tasks they perform and for ensuring Customer Data entered into the Services is accurate, complete, and reflects what occurred in practice.
3.5 No Personal Data in Evidence fields unless supported. To preserve evidentiary integrity and system design, Customer must not enter Personal Data into fields or workflows intended for Evidence Records or operational logging, except where expressly supported by the Services as described in the Documentation.
4. Subscriptions, Fees, Taxes, and Payment
4.1 Fees and billing basis. Fees, billing cycle, subscription basis (including any room-based pricing and tiers), and included quotas are as stated in the Order.
4.2 Taxes. Fees are exclusive of VAT and other applicable taxes unless stated otherwise. Customer is responsible for applicable taxes not collected at checkout.
4.3 Payment processing. Payments may be processed by a third-party payment provider and/or merchant of record. Customer agrees to the checkout terms presented during purchase.
4.4 Non-payment. If payment is overdue by more than 14 days, GBBS will notify Customer in writing. If payment remains outstanding 7 days after such notice, GBBS may suspend access to the Services until payment is received.
5. Renewal, Cancellation, Suspension, and Termination
5.1 Renewal. Subscriptions renew automatically for successive terms unless cancelled before renewal in accordance with account settings or the applicable Order.
5.2 Cancellation and refunds. Cancellation stops the next renewal. Fees already paid are non-refundable unless: (a) the Order expressly provides otherwise; (b) mandatory law requires otherwise; (c) GBBS terminates for convenience under Section 5.5; (d) Customer terminates under Section 12.3 (material service changes); or (e) Customer terminates pursuant to Section A5.3 (sub-processor objection), in which case Customer is entitled to a pro-rata refund of prepaid fees for the unused portion of the Subscription Term.
5.3 Suspension. GBBS may suspend access (in whole or part) if: (a) fees are overdue and the notice procedure in Section 4.4 has been followed; (b) Customer breaches these Terms or an Order; (c) use creates a security risk or threatens the integrity or availability of the Services; or (d) Customer’s use reasonably exposes GBBS or other customers to harm or risk. GBBS will provide reasonable notice before suspension where circumstances permit, except where immediate action is necessary.
5.4 Termination for cause. Either party may terminate these Terms for material breach if the breach is not cured within 30 days after written notice (or immediately if cure is not possible).
5.5 Termination for convenience by GBBS. GBBS may terminate these Terms for convenience by providing 90 days’ written notice to Customer. If GBBS terminates for convenience during a prepaid Subscription Term, Customer is entitled to a pro-rata refund of prepaid fees for the unused portion of the term.
5.6 Effect of termination. On expiry or termination: (a) access to the Services ends at the end of the Subscription Term (or earlier if suspended or terminated for cause), subject to the Post-Termination Period in Section 6.3; (b) Customer remains responsible for fees accrued up to termination; and (c) the sections listed in Section 5.7 survive.
5.7 Survival. The following survive expiry or termination: Sections 1 (Definitions as needed), 6 (Customer Data and retention), 7 (Privacy and personal data), 9 (Certification marks and post-termination obligations), 10 (Intellectual property and licence restrictions that by nature survive), 11 (Confidentiality), 13 (Warranties and disclaimers), 14 (Limitation of liability), 15 (Indemnity), 16 (Force majeure), 17 (Governing law and disputes), and 18 (General provisions), and any other provisions that by their nature are intended to survive.
6. Customer Data, Evidence Records, and Retention
6.1 Ownership. Customer retains ownership of Customer Data. GBBS processes Customer Data to provide, secure, support, maintain, and improve the Services and to meet legal obligations.
6.2 Architecture and evidentiary use. The Services are designed to maintain an architectural separation between (a) Personal Data stored in the primary relational database and (b) Evidence Records stored in an immutable, tamper-evident evidence store. Evidence Records are designed to avoid direct identifiers and, where Personal Data must be cryptographically anchored, it is stored as encrypted payloads with key material managed separately. Upon deletion of identity mapping and/or deletion or destruction of relevant key material from active systems (sometimes referred to as “crypto-shredding” of key access), GBBS is no longer able, within the Services, to directly associate the affected encrypted payloads in Evidence Records with an identifiable individual.
6.3 Residual identifiability. The parties acknowledge that whether a record constitutes Personal Data may depend on context and the availability of external linkage information (for example Customer-held HR rosters, CCTV, keycard logs, schedules, or other datasets). Customer is responsible for assessing such external linkage risk for its environment.
6.4 Retention, export, and deletion. During an active Subscription, Customer may export Customer Data using the export functionality available within the Services. Following expiry or termination, GBBS will retain Customer Data for the Post-Termination Period, during which Customer may export Customer Data via standard export functionality (or other standard export method) as described in the Documentation and the DPA.
6.5 Default action after the Post-Termination Period. If Customer does not request export within the Post-Termination Period, GBBS will delete Personal Data from the primary relational database from active systems and delete or destroy relevant key access from active systems in accordance with its key management procedures, subject to applicable law, court order, or binding regulatory request, and subject to backup retention cycles (during which deleted data or key material may persist in backups until overwritten or deleted pursuant to those cycles). Evidence Records in the immutable store are retained for integrity and auditability.
7. Privacy and Personal Data
7.1 Privacy Policy. Privacy and related matters are addressed in the Privacy Policy for contexts where GBBS acts as controller. Where GBBS processes Personal Data on behalf of Customer as processor, the DPA applies.
7.2 Data Processing Agreement. To the extent GBBS processes Personal Data on behalf of Customer as a data processor within the meaning of the GDPR, the DPA in Appendix A applies and is incorporated into these Terms by reference.
7.3 Customer obligations. Customer is responsible for ensuring it has a lawful basis to provide any Personal Data entered into the Services and for providing any required notices to employees, contractors, and other individuals whose Personal Data Customer enters into the Services.
8. Acceptable Use
Customer and Authorised Users must not:
8.1 reverse engineer or attempt to extract source code except where mandatory law permits;
8.2 interfere with or attempt unauthorised access to the Services;
8.3 bypass security controls;
8.4 upload malware or malicious content;
8.5 access data not belonging to Customer;
8.6 falsify records or training/certification status;
8.7 enter Personal Data into fields intended for Evidence Records or operational logging, except where expressly supported by the Services as described in the Documentation;
8.8 use the Services for competitive analysis, benchmarking, resale, or providing services to third parties without GBBS’s prior written consent; or
8.9 use the Services unlawfully or in a way that infringes third-party rights.
9. Certification (If Applicable)
9.1 Conditional status. Any certification status is conditional on Customer meeting Certification Scheme requirements, including ongoing conformity, periodic verification, and corrective actions within specified timeframes.
9.2 Effect of termination on certification. Upon termination or expiry of the Subscription, any certification status lapses at the end of the Subscription Term. Customer must immediately cease using any GBBS certification marks, logos, or references to certified status.
9.3 Certification marks licence. While Customer remains certified and in good standing, GBBS grants Customer a limited, non-exclusive, non-transferable right to use certification marks solely to describe Customer’s certified status in accordance with GBBS brand and usage guidelines. This right ends immediately upon lapse or termination of certification.
9.4 Enforcement. Unauthorised use of certification marks may cause irreparable harm. GBBS may seek injunctive or other equitable relief to the extent permitted by law.
9.5 No guarantee of outcomes. Certification and use of the Services do not guarantee any specific legal, insurance, regulatory, or commercial outcome. Customer remains responsible for its own risk management and compliance decisions.
10. Intellectual Property and Licence
10.1 GBBS IP. GBBS retains all rights, title, and interest in and to the Services, platform, training content, certification materials, marks, logos, templates, Documentation, and all updates and improvements.
10.2 Licence to Customer. Subject to payment and compliance with these Terms and the Order, GBBS grants Customer a limited, non-exclusive, non-transferable, non-sublicensable licence during the Subscription Term to access and use the Services for Customer’s internal business operations.
10.3 Feedback. If Customer provides feedback or suggestions, GBBS may use them without restriction or obligation.
11. Confidentiality
11.1 Obligations. Each party may receive confidential information from the other. Each party will protect the other’s confidential information using reasonable measures and will use it only to perform under these Terms.
11.2 Exceptions. Confidentiality obligations do not apply to information that is public through no breach, independently developed without use of the other party’s confidential information, or lawfully obtained from a third party without confidentiality obligation.
11.3 Duration. Confidentiality obligations survive termination for 5 years, except trade secrets which remain protected as long as they qualify as trade secrets under applicable law.
12. Availability, Support, and Changes
12.1 Availability. GBBS aims to provide reliable access but does not guarantee uninterrupted operation. Planned maintenance and unforeseen outages may occur.
12.2 Support. Support scope and channels are as stated in the Order, within the Services, or in the Documentation.
12.3 Updates and changes. GBBS may update or modify the Services and the Certification Scheme for security, performance, legal, or operational reasons. For material changes that substantially reduce the functionality described in the applicable Order, GBBS will provide at least 30 days’ prior written notice. If such a material change substantially degrades core functionality described in the Order, Customer may terminate the affected Subscription by written notice within 30 days of receiving that notice and will receive a pro-rata refund of prepaid fees for the unused portion of the Subscription Term.
13. Warranties and Disclaimers
13.1 Standard of service. GBBS will provide the Services with reasonable care and skill consistent with generally accepted industry practices.
13.2 Disclaimer. Except as expressly stated, the Services are provided “as is” and “as available”. To the maximum extent permitted by law, GBBS disclaims all implied warranties, including merchantability, fitness for a particular purpose, and non-infringement. GBBS does not warrant that the Services will be error-free, uninterrupted, or that Customer’s use will satisfy every internal policy, insurance requirement, or legal strategy.
13.3 No legal advice. GBBS does not provide legal advice. Customer should obtain its own legal advice for claims, disputes, regulatory matters, and policy decisions.
14. Limitation of Liability
14.1 Excluded damages. To the maximum extent permitted by law, neither party is liable for indirect, incidental, special, consequential, or punitive damages, or for loss of profits, revenue, goodwill, or business interruption.
14.2 Liability cap. To the maximum extent permitted by law, each party’s total aggregate liability arising out of or related to the Services and these Terms will not exceed the fees paid (or payable) by Customer for the Services in the 12 months immediately preceding the event giving rise to the claim.
14.3 Carve-outs. The liability cap in Section 14.2 does not apply to: (a) Customer’s payment obligations; or (b) liability arising from a party’s wilful misconduct or gross negligence. For breach of confidentiality obligations under Section 11, each party’s total aggregate liability is capped at two times the fees paid (or payable) by Customer for the Services in the 12 months immediately preceding the event giving rise to the claim.
14.4 Allocation of risk. The parties agree that the limitations in this Section reflect a reasonable allocation of risk in a commercial relationship.
15. Indemnity
15.1 Customer indemnity. Customer will indemnify and hold GBBS harmless from third-party claims, damages, liabilities, and reasonable costs arising from (a) Customer Data content, (b) Customer’s misuse of the Services, or (c) Customer’s breach of applicable law or these Terms.
15.2 GBBS IP indemnity. GBBS will indemnify and hold Customer harmless from third-party claims that Customer’s authorised use of the Services in accordance with these Terms infringes that third party’s intellectual property rights. This obligation does not apply to the extent the claim arises from Customer Data, modifications made by Customer, use in combination with products or services not provided by GBBS, or use other than in accordance with these Terms. If the Services become, or in GBBS’s reasonable opinion are likely to become, the subject of an infringement claim, GBBS may at its option and expense: (a) obtain the right for Customer to continue using the Services; (b) modify or replace the infringing component so it becomes non-infringing without materially reducing functionality; or (c) if neither (a) nor (b) is commercially reasonable, terminate the affected Subscription and refund prepaid fees for the unused portion of the Subscription Term.
15.3 Indemnification procedure. The indemnified party must promptly notify the indemnifying party and cooperate reasonably. The indemnifying party controls the defence and settlement, provided it does not admit liability or impose obligations on the indemnified party without consent (not to be unreasonably withheld).
16. Force Majeure
Neither party is liable for delay or failure caused by events beyond its reasonable control, provided it uses reasonable efforts to mitigate and resume performance.
17. Governing Law and Disputes
These Terms are governed by the laws of Sweden. Any dispute arising out of or related to these Terms will be resolved by the courts of Sweden, with venue in Stockholm, unless mandatory law requires otherwise.
18. General Provisions
18.1 Entire agreement. These Terms, together with any applicable Order and any documents expressly incorporated by reference (including the Privacy Policy and the DPA), constitute the entire agreement regarding the Services and supersede all prior or contemporaneous agreements and communications relating to the Services.
18.2 Order of precedence. In the event of conflict: (1) the DPA solely for Personal Data processing terms; (2) the Order (commercial terms only); (3) these Terms; and (4) other incorporated documents, unless expressly stated otherwise in writing.
18.3 Severability. If any provision is held invalid or unenforceable, the remaining provisions remain in effect and the parties will replace the affected provision with a valid provision that most closely reflects the original intent.
18.4 No waiver. No failure or delay to enforce any provision constitutes a waiver. Any waiver must be in writing and applies only to the specific instance.
18.5 Assignment. Customer may not assign or transfer these Terms without GBBS’s prior written consent. GBBS may assign these Terms to an affiliate or in connection with a merger, acquisition, corporate reorganisation, or sale of all or substantially all assets.
18.6 Independent contractors. The parties are independent contractors. Nothing creates a partnership, joint venture, agency, fiduciary, or employment relationship.
18.7 Third-party rights. Except as expressly stated, no third party has any right to enforce these Terms.
18.8 Notices. Formal notices must be in writing and delivered to the contact details stated in the Order or otherwise published by GBBS for legal notices. Notices are deemed received on delivery if delivered by hand, on the next business day if sent by courier, or when sent if delivered by email (provided no bounce or delivery failure notice is received).
18.9 Electronic acceptance. Orders and acceptance may be executed electronically. Electronic signatures and click-to-accept mechanisms are binding.
18.10 Language. If these Terms are made available in more than one language, the English version prevails in the event of conflict unless mandatory law requires otherwise.
19. Contact
Legal notices and support requests must be sent using the contact details published by GBBS or stated in the applicable Order.
By placing an order, accepting online, or using the Services, you agree to these Terms. If you accept on behalf of an entity, you confirm you have authority to bind that entity.
1. Definitions
1.1 Account means Customer’s account used to access the Services.
1.2 Authorised Users means Customer’s employees, agents, and contractors permitted to use the Services under Customer’s Account.
1.3 Certification Scheme means the certification requirements, rules, verification approach, and associated policies published by GBBS and updated from time to time.
1.4 Customer Data means data and content submitted to the Services by or on behalf of Customer, including records, attachments, and user-entered information.
1.5 Documentation means the user guides, in-product instructions, knowledge base, and technical documentation made available within the Services and/or at the documentation location designated by GBBS, as updated from time to time.
1.6 DPA means the Data Processing Agreement in Appendix A, incorporated into these Terms by reference.
1.7 Evidence Records means operational records maintained in an immutable, tamper-evident evidence store, including task completions, incident logs, inspection results, and certification events. Evidence Records are designed to avoid direct identifiers. Where Personal Data must be cryptographically anchored in the evidence store, it is stored as encrypted payloads using per-subject key material managed separately from the evidence store (for example via envelope encryption and separate key custody).
1.8 Order means any online checkout, order form, quote acceptance, statement of work, or other written/electronic agreement describing subscription scope, pricing, term, and any add-ons.
1.9 Personal Data has the meaning given in the GDPR. In the context of the Services, Personal Data includes (a) directly identifiable Personal Data stored in the primary relational database (for example names, email addresses, job titles/roles, and account credentials), and (b) any Personal Data that Customer chooses to include in Customer Data (for example free-text fields, file uploads, or attachments).
1.10 Post-Termination Period means the period following expiry or termination during which Customer may export Customer Data as described in Section 6.3. Unless an Order states otherwise, the Post-Termination Period is thirty (30) days.
1.11 Privacy Policy means the GBBS privacy notice published at the location designated by GBBS (including within the Services) and incorporated by reference as it relates to GBBS’s own processing activities as a controller (for example website and billing interactions). Processing where GBBS acts as processor is governed by the DPA.
1.12 Services means the GBBS platform (including web and mobile interfaces), training content, documentation tools, certification-related access (if applicable), support, updates, and any add-ons stated in an Order.
1.13 Subscription means the paid right to access the Services during the Subscription Term.
1.14 Subscription Term means the period stated in the applicable Order (monthly, annual, or otherwise).
2. The Services
2.1 Purpose. The Services provide a structured system for training, documentation, and traceable recordkeeping related to bed bug risk management workflows, including routine tasks, incident workflows, evidence capture, and offsite record retention where available.
2.2 Not pest control. GBBS is not a pest control operator and does not provide on-site inspection, treatment, eradication, or guarantee outcomes. Any third-party pest control engagement and results are Customer’s responsibility.
2.3 No Customer-specific SOPs by default. Unless expressly stated in an Order, GBBS does not provide Customer-specific SOPs or bespoke operating procedures. The Services provide a standard framework and tooling.
2.4 Add-ons and professional services. Integrations (including PMS and related systems), custom configuration, data migration, training delivery services, and other professional services may be offered as paid add-ons and must be agreed in an Order.
3. Accounts, Access, and Customer Responsibilities
3.1 Business use. The Services are intended for business customers and must be used only for Customer’s internal business operations.
3.2 Administration and access control. Customer must maintain at least one administrator responsible for creating and managing Authorised Users, assigning roles and permissions, and removing access promptly when no longer required. Subject to GBBS’s security obligations under these Terms and the DPA, GBBS is not liable for unauthorised access or misuse resulting from Customer’s failure to manage roles and permissions appropriately.
3.3 Credential security. Customer is responsible for safeguarding credentials and for all activity under its Account, including actions by Authorised Users.
3.4 Operational responsibility. Customer is responsible for ensuring personnel are trained and authorised for the tasks they perform and for ensuring Customer Data entered into the Services is accurate, complete, and reflects what occurred in practice.
3.5 No Personal Data in Evidence fields unless supported. To preserve evidentiary integrity and system design, Customer must not enter Personal Data into fields or workflows intended for Evidence Records or operational logging, except where expressly supported by the Services as described in the Documentation.
4. Subscriptions, Fees, Taxes, and Payment
4.1 Fees and billing basis. Fees, billing cycle, subscription basis (including any room-based pricing and tiers), and included quotas are as stated in the Order.
4.2 Taxes. Fees are exclusive of VAT and other applicable taxes unless stated otherwise. Customer is responsible for applicable taxes not collected at checkout.
4.3 Payment processing. Payments may be processed by a third-party payment provider and/or merchant of record. Customer agrees to the checkout terms presented during purchase.
4.4 Non-payment. If payment is overdue by more than 14 days, GBBS will notify Customer in writing. If payment remains outstanding 7 days after such notice, GBBS may suspend access to the Services until payment is received.
5. Renewal, Cancellation, Suspension, and Termination
5.1 Renewal. Subscriptions renew automatically for successive terms unless cancelled before renewal in accordance with account settings or the applicable Order.
5.2 Cancellation and refunds. Cancellation stops the next renewal. Fees already paid are non-refundable unless: (a) the Order expressly provides otherwise; (b) mandatory law requires otherwise; (c) GBBS terminates for convenience under Section 5.5; (d) Customer terminates under Section 12.3 (material service changes); or (e) Customer terminates pursuant to Section A5.3 (sub-processor objection), in which case Customer is entitled to a pro-rata refund of prepaid fees for the unused portion of the Subscription Term.
5.3 Suspension. GBBS may suspend access (in whole or part) if: (a) fees are overdue and the notice procedure in Section 4.4 has been followed; (b) Customer breaches these Terms or an Order; (c) use creates a security risk or threatens the integrity or availability of the Services; or (d) Customer’s use reasonably exposes GBBS or other customers to harm or risk. GBBS will provide reasonable notice before suspension where circumstances permit, except where immediate action is necessary.
5.4 Termination for cause. Either party may terminate these Terms for material breach if the breach is not cured within 30 days after written notice (or immediately if cure is not possible).
5.5 Termination for convenience by GBBS. GBBS may terminate these Terms for convenience by providing 90 days’ written notice to Customer. If GBBS terminates for convenience during a prepaid Subscription Term, Customer is entitled to a pro-rata refund of prepaid fees for the unused portion of the term.
5.6 Effect of termination. On expiry or termination: (a) access to the Services ends at the end of the Subscription Term (or earlier if suspended or terminated for cause), subject to the Post-Termination Period in Section 6.3; (b) Customer remains responsible for fees accrued up to termination; and (c) the sections listed in Section 5.7 survive.
5.7 Survival. The following survive expiry or termination: Sections 1 (Definitions as needed), 6 (Customer Data and retention), 7 (Privacy and personal data), 9 (Certification marks and post-termination obligations), 10 (Intellectual property and licence restrictions that by nature survive), 11 (Confidentiality), 13 (Warranties and disclaimers), 14 (Limitation of liability), 15 (Indemnity), 16 (Force majeure), 17 (Governing law and disputes), and 18 (General provisions), and any other provisions that by their nature are intended to survive.
6. Customer Data, Evidence Records, and Retention
6.1 Ownership. Customer retains ownership of Customer Data. GBBS processes Customer Data to provide, secure, support, maintain, and improve the Services and to meet legal obligations.
6.2 Architecture and evidentiary use. The Services are designed to maintain an architectural separation between (a) Personal Data stored in the primary relational database and (b) Evidence Records stored in an immutable, tamper-evident evidence store. Evidence Records are designed to avoid direct identifiers and, where Personal Data must be cryptographically anchored, it is stored as encrypted payloads with key material managed separately. Upon deletion of identity mapping and/or deletion or destruction of relevant key material from active systems (sometimes referred to as “crypto-shredding” of key access), GBBS is no longer able, within the Services, to directly associate the affected encrypted payloads in Evidence Records with an identifiable individual.
6.3 Residual identifiability. The parties acknowledge that whether a record constitutes Personal Data may depend on context and the availability of external linkage information (for example Customer-held HR rosters, CCTV, keycard logs, schedules, or other datasets). Customer is responsible for assessing such external linkage risk for its environment.
6.4 Retention, export, and deletion. During an active Subscription, Customer may export Customer Data using the export functionality available within the Services. Following expiry or termination, GBBS will retain Customer Data for the Post-Termination Period, during which Customer may export Customer Data via standard export functionality (or other standard export method) as described in the Documentation and the DPA.
6.5 Default action after the Post-Termination Period. If Customer does not request export within the Post-Termination Period, GBBS will delete Personal Data from the primary relational database from active systems and delete or destroy relevant key access from active systems in accordance with its key management procedures, subject to applicable law, court order, or binding regulatory request, and subject to backup retention cycles (during which deleted data or key material may persist in backups until overwritten or deleted pursuant to those cycles). Evidence Records in the immutable store are retained for integrity and auditability.
7. Privacy and Personal Data
7.1 Privacy Policy. Privacy and related matters are addressed in the Privacy Policy for contexts where GBBS acts as controller. Where GBBS processes Personal Data on behalf of Customer as processor, the DPA applies.
7.2 Data Processing Agreement. To the extent GBBS processes Personal Data on behalf of Customer as a data processor within the meaning of the GDPR, the DPA in Appendix A applies and is incorporated into these Terms by reference.
7.3 Customer obligations. Customer is responsible for ensuring it has a lawful basis to provide any Personal Data entered into the Services and for providing any required notices to employees, contractors, and other individuals whose Personal Data Customer enters into the Services.
8. Acceptable Use
Customer and Authorised Users must not:
8.1 reverse engineer or attempt to extract source code except where mandatory law permits;
8.2 interfere with or attempt unauthorised access to the Services;
8.3 bypass security controls;
8.4 upload malware or malicious content;
8.5 access data not belonging to Customer;
8.6 falsify records or training/certification status;
8.7 enter Personal Data into fields intended for Evidence Records or operational logging, except where expressly supported by the Services as described in the Documentation;
8.8 use the Services for competitive analysis, benchmarking, resale, or providing services to third parties without GBBS’s prior written consent; or
8.9 use the Services unlawfully or in a way that infringes third-party rights.
9. Certification (If Applicable)
9.1 Conditional status. Any certification status is conditional on Customer meeting Certification Scheme requirements, including ongoing conformity, periodic verification, and corrective actions within specified timeframes.
9.2 Effect of termination on certification. Upon termination or expiry of the Subscription, any certification status lapses at the end of the Subscription Term. Customer must immediately cease using any GBBS certification marks, logos, or references to certified status.
9.3 Certification marks licence. While Customer remains certified and in good standing, GBBS grants Customer a limited, non-exclusive, non-transferable right to use certification marks solely to describe Customer’s certified status in accordance with GBBS brand and usage guidelines. This right ends immediately upon lapse or termination of certification.
9.4 Enforcement. Unauthorised use of certification marks may cause irreparable harm. GBBS may seek injunctive or other equitable relief to the extent permitted by law.
9.5 No guarantee of outcomes. Certification and use of the Services do not guarantee any specific legal, insurance, regulatory, or commercial outcome. Customer remains responsible for its own risk management and compliance decisions.
10. Intellectual Property and Licence
10.1 GBBS IP. GBBS retains all rights, title, and interest in and to the Services, platform, training content, certification materials, marks, logos, templates, Documentation, and all updates and improvements.
10.2 Licence to Customer. Subject to payment and compliance with these Terms and the Order, GBBS grants Customer a limited, non-exclusive, non-transferable, non-sublicensable licence during the Subscription Term to access and use the Services for Customer’s internal business operations.
10.3 Feedback. If Customer provides feedback or suggestions, GBBS may use them without restriction or obligation.
11. Confidentiality
11.1 Obligations. Each party may receive confidential information from the other. Each party will protect the other’s confidential information using reasonable measures and will use it only to perform under these Terms.
11.2 Exceptions. Confidentiality obligations do not apply to information that is public through no breach, independently developed without use of the other party’s confidential information, or lawfully obtained from a third party without confidentiality obligation.
11.3 Duration. Confidentiality obligations survive termination for 5 years, except trade secrets which remain protected as long as they qualify as trade secrets under applicable law.
12. Availability, Support, and Changes
12.1 Availability. GBBS aims to provide reliable access but does not guarantee uninterrupted operation. Planned maintenance and unforeseen outages may occur.
12.2 Support. Support scope and channels are as stated in the Order, within the Services, or in the Documentation.
12.3 Updates and changes. GBBS may update or modify the Services and the Certification Scheme for security, performance, legal, or operational reasons. For material changes that substantially reduce the functionality described in the applicable Order, GBBS will provide at least 30 days’ prior written notice. If such a material change substantially degrades core functionality described in the Order, Customer may terminate the affected Subscription by written notice within 30 days of receiving that notice and will receive a pro-rata refund of prepaid fees for the unused portion of the Subscription Term.
13. Warranties and Disclaimers
13.1 Standard of service. GBBS will provide the Services with reasonable care and skill consistent with generally accepted industry practices.
13.2 Disclaimer. Except as expressly stated, the Services are provided “as is” and “as available”. To the maximum extent permitted by law, GBBS disclaims all implied warranties, including merchantability, fitness for a particular purpose, and non-infringement. GBBS does not warrant that the Services will be error-free, uninterrupted, or that Customer’s use will satisfy every internal policy, insurance requirement, or legal strategy.
13.3 No legal advice. GBBS does not provide legal advice. Customer should obtain its own legal advice for claims, disputes, regulatory matters, and policy decisions.
14. Limitation of Liability
14.1 Excluded damages. To the maximum extent permitted by law, neither party is liable for indirect, incidental, special, consequential, or punitive damages, or for loss of profits, revenue, goodwill, or business interruption.
14.2 Liability cap. To the maximum extent permitted by law, each party’s total aggregate liability arising out of or related to the Services and these Terms will not exceed the fees paid (or payable) by Customer for the Services in the 12 months immediately preceding the event giving rise to the claim.
14.3 Carve-outs. The liability cap in Section 14.2 does not apply to: (a) Customer’s payment obligations; or (b) liability arising from a party’s wilful misconduct or gross negligence. For breach of confidentiality obligations under Section 11, each party’s total aggregate liability is capped at two times the fees paid (or payable) by Customer for the Services in the 12 months immediately preceding the event giving rise to the claim.
14.4 Allocation of risk. The parties agree that the limitations in this Section reflect a reasonable allocation of risk in a commercial relationship.
15. Indemnity
15.1 Customer indemnity. Customer will indemnify and hold GBBS harmless from third-party claims, damages, liabilities, and reasonable costs arising from (a) Customer Data content, (b) Customer’s misuse of the Services, or (c) Customer’s breach of applicable law or these Terms.
15.2 GBBS IP indemnity. GBBS will indemnify and hold Customer harmless from third-party claims that Customer’s authorised use of the Services in accordance with these Terms infringes that third party’s intellectual property rights. This obligation does not apply to the extent the claim arises from Customer Data, modifications made by Customer, use in combination with products or services not provided by GBBS, or use other than in accordance with these Terms. If the Services become, or in GBBS’s reasonable opinion are likely to become, the subject of an infringement claim, GBBS may at its option and expense: (a) obtain the right for Customer to continue using the Services; (b) modify or replace the infringing component so it becomes non-infringing without materially reducing functionality; or (c) if neither (a) nor (b) is commercially reasonable, terminate the affected Subscription and refund prepaid fees for the unused portion of the Subscription Term.
15.3 Indemnification procedure. The indemnified party must promptly notify the indemnifying party and cooperate reasonably. The indemnifying party controls the defence and settlement, provided it does not admit liability or impose obligations on the indemnified party without consent (not to be unreasonably withheld).
16. Force Majeure
Neither party is liable for delay or failure caused by events beyond its reasonable control, provided it uses reasonable efforts to mitigate and resume performance.
17. Governing Law and Disputes
These Terms are governed by the laws of Sweden. Any dispute arising out of or related to these Terms will be resolved by the courts of Sweden, with venue in Stockholm, unless mandatory law requires otherwise.
18. General Provisions
18.1 Entire agreement. These Terms, together with any applicable Order and any documents expressly incorporated by reference (including the Privacy Policy and the DPA), constitute the entire agreement regarding the Services and supersede all prior or contemporaneous agreements and communications relating to the Services.
18.2 Order of precedence. In the event of conflict: (1) the DPA solely for Personal Data processing terms; (2) the Order (commercial terms only); (3) these Terms; and (4) other incorporated documents, unless expressly stated otherwise in writing.
18.3 Severability. If any provision is held invalid or unenforceable, the remaining provisions remain in effect and the parties will replace the affected provision with a valid provision that most closely reflects the original intent.
18.4 No waiver. No failure or delay to enforce any provision constitutes a waiver. Any waiver must be in writing and applies only to the specific instance.
18.5 Assignment. Customer may not assign or transfer these Terms without GBBS’s prior written consent. GBBS may assign these Terms to an affiliate or in connection with a merger, acquisition, corporate reorganisation, or sale of all or substantially all assets.
18.6 Independent contractors. The parties are independent contractors. Nothing creates a partnership, joint venture, agency, fiduciary, or employment relationship.
18.7 Third-party rights. Except as expressly stated, no third party has any right to enforce these Terms.
18.8 Notices. Formal notices must be in writing and delivered to the contact details stated in the Order or otherwise published by GBBS for legal notices. Notices are deemed received on delivery if delivered by hand, on the next business day if sent by courier, or when sent if delivered by email (provided no bounce or delivery failure notice is received).
18.9 Electronic acceptance. Orders and acceptance may be executed electronically. Electronic signatures and click-to-accept mechanisms are binding.
18.10 Language. If these Terms are made available in more than one language, the English version prevails in the event of conflict unless mandatory law requires otherwise.
19. Contact
Legal notices and support requests must be sent using the contact details published by GBBS or stated in the applicable Order.
Appendix A: Data Processing Agreement (DPA)
This DPA forms part of the Terms. It applies whenever GBBS processes Personal Data on behalf of Customer in connection with the Services.
A1. Scope and Roles
A1.1 Parties and roles. Customer is the Controller and GBBS is the Processor to the extent GBBS processes Personal Data on Customer’s behalf.
A1.2 GDPR. “GDPR” means Regulation (EU) 2016/679.
A1.3 Order of precedence. In the event of conflict between this DPA and the Terms, this DPA prevails with respect to data protection matters.
A2. Nature and Purpose of Processing
A2.1 Purpose. GBBS will process Personal Data solely to provide and maintain the Services and perform related technical operations, including managing user accounts, tracking training progress, maintaining certification records, providing support, hosting, backups, logging, and security monitoring.
A2.2 No other purpose. GBBS will not process Personal Data for any purpose other than those described in this DPA and the Terms unless required by applicable EU or Member State law. Where such a legal obligation exists, GBBS will inform Customer before processing unless the law prohibits such disclosure.
A3. Data Categories
A3.1 Data Subjects. Customer’s employees, contractors, and other individuals whose data Customer enters into the Services.
A3.2 Categories of Personal Data. Names, email addresses, job titles/roles, account identifiers, login and authentication data (stored hashed/encrypted as applicable), training completion logs, certification status, and any other Personal Data Customer chooses to enter into the Services (including in free-text or uploads).
A3.3 Special Categories. GBBS does not require or intentionally collect special categories of Personal Data (Article 9 GDPR). Customer must not enter special categories unless strictly necessary and Customer is responsible for having a lawful basis and implementing required safeguards.
A3.4 Evidence Records and cryptographic separation. Evidence Records are designed to avoid direct identifiers. Where Personal Data must be cryptographically anchored in the evidence store, it is stored as encrypted payloads using per-subject key material managed separately from the evidence store. Upon deletion of the relevant identity mapping and deletion or destruction of key access from active systems, GBBS is no longer able, within the Services, to directly associate the affected encrypted payloads in Evidence Records with an identifiable individual. The parties acknowledge that whether an Evidence Record constitutes Personal Data may depend on Customer’s environment and external linkage information.
A3.5 Duration. Processing continues for the Subscription Term and any Post-Termination Period, and thereafter only as necessary to complete deletion/return obligations, comply with applicable law, or maintain backup cycles as described in Section A8.
A4. Processor Obligations
GBBS agrees to:
A4.1 Instructions. Process Personal Data only on documented instructions from Customer. The Terms, Orders, and Customer’s use/configuration of the Services constitute documented instructions. If GBBS believes an instruction infringes applicable data protection law, it will inform Customer.
A4.2 Confidentiality. Ensure personnel authorised to process Personal Data are bound by confidentiality obligations.
A4.3 Security. Implement appropriate technical and organisational measures under Article 32 GDPR appropriate to risk, including as appropriate: encryption in transit and at rest; access controls; segregation of duties; logging; vulnerability management; backup and restore capability; and the architectural separation described in Section A3.4.
A4.4 Sub-processing controls. Engage sub-processors only in accordance with Section A5 and impose obligations no less protective than this DPA.
A4.5 Assistance with data subject requests. Assist Customer, by appropriate technical and organisational measures and insofar as possible, in fulfilling Customer’s obligations to respond to data subject rights requests. If GBBS receives a request directly from a data subject, GBBS will redirect it to Customer unless legally required to respond directly. GBBS may charge reasonable fees for assistance beyond what is included in the standard functionality of the Services, provided it informs Customer in advance.
A4.6 DPIAs and consultation. Taking into account the nature of processing and information available to GBBS, assist Customer with DPIAs and prior consultations where required under Articles 35 and 36 GDPR. GBBS may charge reasonable fees for assistance beyond what is included in the standard functionality of the Services, provided it informs Customer in advance.
A4.7 Breach notification. Notify Customer without undue delay and, where reasonably practicable, within 48 hours after becoming aware of a Personal Data breach affecting Customer Data. Notifications will include, to the extent known: nature of the breach; categories and approximate number of data subjects/records affected; likely consequences; measures taken or proposed; and a contact point. GBBS will cooperate with Customer and take reasonable steps to mitigate effects.
A5. Sub-Processors
A5.1 General authorisation. Customer grants GBBS general written authorisation to engage sub-processors to assist in providing the Services.
A5.2 List. GBBS will maintain a current list of sub-processors and make it available via the Services or on request.
A5.3 Notice and objection. GBBS will provide at least 30 days’ advance notice of any intended addition or replacement of a sub-processor, where reasonably practicable. Customer may object on reasonable data protection grounds by notifying GBBS in writing within 14 days of notice. The parties will discuss in good faith. If no resolution is reached within 30 days of Customer’s objection, Customer may terminate the affected Subscription and receive a pro-rata refund of prepaid fees for the unused portion of the Subscription Term.
A5.4 Flow-down obligations. GBBS will impose data protection obligations on each sub-processor no less protective than this DPA.
A5.5 Liability. GBBS remains liable to Customer for performance of sub-processor obligations under this DPA.
A6. International Transfers
A6.1 Safeguards. GBBS will not transfer Personal Data outside the EU/EEA unless an appropriate safeguard under Chapter V GDPR is in place, such as an adequacy decision, SCCs (with supplementary measures and transfer impact assessment where required), or another valid mechanism.
A6.2 Invalidation. If a relied-upon transfer mechanism is invalidated, GBBS will inform Customer and the parties will cooperate to implement an alternative lawful mechanism.
A7. Audits
A7.1 Information. Upon reasonable written request (no more than once per 12-month period unless required by a supervisory authority or following a breach), GBBS will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.
A7.2 Third-party reports. GBBS may satisfy audit requests by providing summaries of relevant findings from an independent third-party audit or certification (for example SOC 2 or ISO 27001) in lieu of on-site access.
A7.3 On-site audit. If Customer reasonably determines provided information is insufficient, Customer may conduct or commission an on-site audit subject to: at least 30 days’ prior written notice; Customer bears cost; normal business hours; minimal disruption; confidentiality obligations; limited to systems and controls relevant to processing of Customer Personal Data; no access to other customers’ data; and no unnecessary access to GBBS trade secrets.
A8. Deletion, Return, and Crypto-Shredding
A8.1 Customer election. Upon termination or expiry, and during the Post-Termination Period, Customer may elect in writing to: (a) export Personal Data via standard export functionality (or other standard export method supported by the Services), or (b) proceed with deletion and key access deletion/destruction as described below. Export does not include bespoke data packaging or custom development unless agreed in an Order.
A8.2 Deletion from primary systems. If Customer elects deletion, or if Customer makes no election within the Post-Termination Period, GBBS will delete Personal Data from active primary systems in accordance with its retention policies, subject to (i) applicable law, court order, or binding regulatory request, and (ii) backup retention cycles.
A8.3 Key access deletion and destruction (crypto-shredding). In conjunction with deletion under A8.2, GBBS will delete the per-subject key material or key access from active systems and destroy it in accordance with its key management procedures, subject to (i) applicable law, court order, or binding regulatory request, and (ii) backup retention cycles. Key material may persist in backups until overwritten or deleted pursuant to those cycles.
A8.4 Effect on Evidence Records. After deletion of identity mapping and deletion/destruction of key access from active systems, GBBS is no longer able, within the Services, to directly associate affected encrypted payloads in Evidence Records with an identifiable individual. Evidence Records remain in the immutable evidence store for integrity and auditability. The parties acknowledge residual identifiability may depend on Customer’s environment and external linkage information.
A8.5 Confirmation. GBBS will confirm completion of deletion and key access deletion/destruction from active systems in writing upon Customer’s request.
A9. Governing Law
This DPA is governed by the laws of Sweden, consistent with Section 17 of the Terms. Where mandatory data protection law of another EU Member State applies to the processing, such law applies to the extent required.
A10. Duration
This DPA remains in effect for as long as GBBS processes Personal Data on behalf of Customer and survives termination of the Terms to the extent necessary for GBBS to complete its obligations under Section A8.
A1. Scope and Roles
A1.1 Parties and roles. Customer is the Controller and GBBS is the Processor to the extent GBBS processes Personal Data on Customer’s behalf.
A1.2 GDPR. “GDPR” means Regulation (EU) 2016/679.
A1.3 Order of precedence. In the event of conflict between this DPA and the Terms, this DPA prevails with respect to data protection matters.
A2. Nature and Purpose of Processing
A2.1 Purpose. GBBS will process Personal Data solely to provide and maintain the Services and perform related technical operations, including managing user accounts, tracking training progress, maintaining certification records, providing support, hosting, backups, logging, and security monitoring.
A2.2 No other purpose. GBBS will not process Personal Data for any purpose other than those described in this DPA and the Terms unless required by applicable EU or Member State law. Where such a legal obligation exists, GBBS will inform Customer before processing unless the law prohibits such disclosure.
A3. Data Categories
A3.1 Data Subjects. Customer’s employees, contractors, and other individuals whose data Customer enters into the Services.
A3.2 Categories of Personal Data. Names, email addresses, job titles/roles, account identifiers, login and authentication data (stored hashed/encrypted as applicable), training completion logs, certification status, and any other Personal Data Customer chooses to enter into the Services (including in free-text or uploads).
A3.3 Special Categories. GBBS does not require or intentionally collect special categories of Personal Data (Article 9 GDPR). Customer must not enter special categories unless strictly necessary and Customer is responsible for having a lawful basis and implementing required safeguards.
A3.4 Evidence Records and cryptographic separation. Evidence Records are designed to avoid direct identifiers. Where Personal Data must be cryptographically anchored in the evidence store, it is stored as encrypted payloads using per-subject key material managed separately from the evidence store. Upon deletion of the relevant identity mapping and deletion or destruction of key access from active systems, GBBS is no longer able, within the Services, to directly associate the affected encrypted payloads in Evidence Records with an identifiable individual. The parties acknowledge that whether an Evidence Record constitutes Personal Data may depend on Customer’s environment and external linkage information.
A3.5 Duration. Processing continues for the Subscription Term and any Post-Termination Period, and thereafter only as necessary to complete deletion/return obligations, comply with applicable law, or maintain backup cycles as described in Section A8.
A4. Processor Obligations
GBBS agrees to:
A4.1 Instructions. Process Personal Data only on documented instructions from Customer. The Terms, Orders, and Customer’s use/configuration of the Services constitute documented instructions. If GBBS believes an instruction infringes applicable data protection law, it will inform Customer.
A4.2 Confidentiality. Ensure personnel authorised to process Personal Data are bound by confidentiality obligations.
A4.3 Security. Implement appropriate technical and organisational measures under Article 32 GDPR appropriate to risk, including as appropriate: encryption in transit and at rest; access controls; segregation of duties; logging; vulnerability management; backup and restore capability; and the architectural separation described in Section A3.4.
A4.4 Sub-processing controls. Engage sub-processors only in accordance with Section A5 and impose obligations no less protective than this DPA.
A4.5 Assistance with data subject requests. Assist Customer, by appropriate technical and organisational measures and insofar as possible, in fulfilling Customer’s obligations to respond to data subject rights requests. If GBBS receives a request directly from a data subject, GBBS will redirect it to Customer unless legally required to respond directly. GBBS may charge reasonable fees for assistance beyond what is included in the standard functionality of the Services, provided it informs Customer in advance.
A4.6 DPIAs and consultation. Taking into account the nature of processing and information available to GBBS, assist Customer with DPIAs and prior consultations where required under Articles 35 and 36 GDPR. GBBS may charge reasonable fees for assistance beyond what is included in the standard functionality of the Services, provided it informs Customer in advance.
A4.7 Breach notification. Notify Customer without undue delay and, where reasonably practicable, within 48 hours after becoming aware of a Personal Data breach affecting Customer Data. Notifications will include, to the extent known: nature of the breach; categories and approximate number of data subjects/records affected; likely consequences; measures taken or proposed; and a contact point. GBBS will cooperate with Customer and take reasonable steps to mitigate effects.
A5. Sub-Processors
A5.1 General authorisation. Customer grants GBBS general written authorisation to engage sub-processors to assist in providing the Services.
A5.2 List. GBBS will maintain a current list of sub-processors and make it available via the Services or on request.
A5.3 Notice and objection. GBBS will provide at least 30 days’ advance notice of any intended addition or replacement of a sub-processor, where reasonably practicable. Customer may object on reasonable data protection grounds by notifying GBBS in writing within 14 days of notice. The parties will discuss in good faith. If no resolution is reached within 30 days of Customer’s objection, Customer may terminate the affected Subscription and receive a pro-rata refund of prepaid fees for the unused portion of the Subscription Term.
A5.4 Flow-down obligations. GBBS will impose data protection obligations on each sub-processor no less protective than this DPA.
A5.5 Liability. GBBS remains liable to Customer for performance of sub-processor obligations under this DPA.
A6. International Transfers
A6.1 Safeguards. GBBS will not transfer Personal Data outside the EU/EEA unless an appropriate safeguard under Chapter V GDPR is in place, such as an adequacy decision, SCCs (with supplementary measures and transfer impact assessment where required), or another valid mechanism.
A6.2 Invalidation. If a relied-upon transfer mechanism is invalidated, GBBS will inform Customer and the parties will cooperate to implement an alternative lawful mechanism.
A7. Audits
A7.1 Information. Upon reasonable written request (no more than once per 12-month period unless required by a supervisory authority or following a breach), GBBS will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.
A7.2 Third-party reports. GBBS may satisfy audit requests by providing summaries of relevant findings from an independent third-party audit or certification (for example SOC 2 or ISO 27001) in lieu of on-site access.
A7.3 On-site audit. If Customer reasonably determines provided information is insufficient, Customer may conduct or commission an on-site audit subject to: at least 30 days’ prior written notice; Customer bears cost; normal business hours; minimal disruption; confidentiality obligations; limited to systems and controls relevant to processing of Customer Personal Data; no access to other customers’ data; and no unnecessary access to GBBS trade secrets.
A8. Deletion, Return, and Crypto-Shredding
A8.1 Customer election. Upon termination or expiry, and during the Post-Termination Period, Customer may elect in writing to: (a) export Personal Data via standard export functionality (or other standard export method supported by the Services), or (b) proceed with deletion and key access deletion/destruction as described below. Export does not include bespoke data packaging or custom development unless agreed in an Order.
A8.2 Deletion from primary systems. If Customer elects deletion, or if Customer makes no election within the Post-Termination Period, GBBS will delete Personal Data from active primary systems in accordance with its retention policies, subject to (i) applicable law, court order, or binding regulatory request, and (ii) backup retention cycles.
A8.3 Key access deletion and destruction (crypto-shredding). In conjunction with deletion under A8.2, GBBS will delete the per-subject key material or key access from active systems and destroy it in accordance with its key management procedures, subject to (i) applicable law, court order, or binding regulatory request, and (ii) backup retention cycles. Key material may persist in backups until overwritten or deleted pursuant to those cycles.
A8.4 Effect on Evidence Records. After deletion of identity mapping and deletion/destruction of key access from active systems, GBBS is no longer able, within the Services, to directly associate affected encrypted payloads in Evidence Records with an identifiable individual. Evidence Records remain in the immutable evidence store for integrity and auditability. The parties acknowledge residual identifiability may depend on Customer’s environment and external linkage information.
A8.5 Confirmation. GBBS will confirm completion of deletion and key access deletion/destruction from active systems in writing upon Customer’s request.
A9. Governing Law
This DPA is governed by the laws of Sweden, consistent with Section 17 of the Terms. Where mandatory data protection law of another EU Member State applies to the processing, such law applies to the extent required.
A10. Duration
This DPA remains in effect for as long as GBBS processes Personal Data on behalf of Customer and survives termination of the Terms to the extent necessary for GBBS to complete its obligations under Section A8.