GENERAL TERMS AND CONDITIONS FOR CENTURI SAAS
1. Introduction and scope
1.1. These general terms and conditions for Centuri SaaS (the "General Terms and Conditions") set forth the general terms and conditions for Centuri AB's (the "Supplier") supply of Centuri SaaS and related Professional Services (collectively "Services") to the customer (the "Customer"), and form an integral part of the Agreement.
1.2. Any deviations from these General Terms and Conditions must be agreed in writing in the Order Form in order to be valid between the Parties.
1.3. These General Terms and Conditions are supplemented by the service level agreement (the “SLA”), the data processing terms (the “Data Processing Terms”) and the service description for Centuri SaaS (the “Service Description”) (all terms and conditions, including these General Terms and Conditions, collectively referred to as the “Terms”). In the event of conflicting terms, they shall take precedence in the following order: (a) the Order Form, including any appendices thereto, (b) these General Terms and Conditions, (c) the SLA, and (d) the Service Description. The Data Processing Terms shall always prevail in all matters relating to the processing of the Customer's personal data.
1.4. The current versions of these General Terms and Conditions and other Terms are available at www.centuri.se.
2. Definitions
2.1. The words and terms used in these General Terms and Conditions shall have the meanings set out below, or as otherwise specified in these General Terms and Conditions.
2.2. "Affiliate" means any legal entity that directly or indirectly controls a Party, is controlled by a Party, or is under common control with a Party. In this Agreement, "control" of a company means direct or indirect ownership of, or the ability to exercise such control over, more than fifty percent (50%) of the votes/shares in such company, as long as such right or power of control exists.
2.3. "Agreed Start Date" means the date specified in the Order Form, when the Supplier begins to supply Centuri SaaS (at the start of the Implementation Project), and when invoicing of the Centuri SaaS fee begins (and if such a date is not specified in the Order Form, the Agreed Start Date is the same as the Effective Date).
2.4. "Agreement" means the agreement for the supply of Centuri SaaS and related Professional Services entered into between the Parties, which includes the Order Form, the Terms, and any additional appendices to the Order Form.
2.5. "Applicable Law" means all laws, regulations, and rules applicable to the Parties at any given time.
2.6. "Centuri SaaS" means the Supplier's software for information management and business management, including any Third-Party Software, provided on a software-as-a-service basis, including license rights for the software, Support and Maintenance, server platform, security monitoring, data storage, backup of Customer Data, and installation of Updates, as described in more detail in the Service Description.
2.7. "Confidential Information" means technical, commercial, or other information that a Party has expressly (in writing or orally) specified as confidential, or which, given the nature of the information and the circumstances surrounding its disclosure, should reasonably be considered Confidential Information. Confidential Information includes (but is not limited to) information that is confidential under Applicable Law, Customer Data, and the Supplier's software code and user documentation relating to Centuri SaaS.
2.8. "Contract Period" means the Initial Term and each subsequent Renewal Term.
2.9. "Effective Date" means the date on which the Agreement enters into force, as specified in the Order Form (or, if not specified therein, the date on which both Parties have signed the Order Form).
2.10. "Customer Data" means all data, including personal data, that the Customer uploads, adds, stores, and processes in Centuri SaaS, or otherwise provides to the Supplier within the scope of the Agreement.
2.11. "Implementation Project" means, where applicable, the implementation project for the installation, implementation, and configuration of Centuri SaaS as agreed by the Parties in the Statement of Work.
2.12. "Incident" means software errors or errors in the operating environment of Centuri SaaS, which means that Centuri SaaS is not available to Users or that Centuri SaaS does not have the content, functionality, or performance described in the Service Description. The Supplier's responsibility for Incidents, and exceptions to liability, are specified in the SLA.
2.13. "Intellectual Property Rights" means inventions, patents, registered and unregistered designs, copyrights, registered and unregistered trademarks, and trade secrets, including, where applicable, applications for registration of any of the foregoing rights, and all other rights of a similar nature in all countries worldwide.
2.14. "Initial Term" means the initial, binding contract period specified in the Agreement. The Initial Term begins on the Effective Date and runs for thirty-six (36) months from the Agreed Start Date, unless otherwise specified in the Agreement.
2.15. "Maintenance" means the supply of preventive and corrective maintenance in relation to Centuri SaaS, including the supply of Updates, as further specified in the Service Level Agreement, which is available at www.centuri.se.
2.16. "Malicious Code" means viruses and other malicious or harmful code, files, scripts, agents, or programs.
2.17. “Party” and “Parties” means the Supplier or the Customer, and the Supplier and the Customer jointly, respectively.
2.18. "Professional Services" means professional services supplied by the Supplier in relation to Centuri SaaS, such as implementation services, general consultancy services, and training, and which are supplied by the Supplier in accordance with an agreed Statement of Work.
2.19. "Renewal Term" means a period of time for extension of the Agreement after the Initial Term. Each Renewal Term is twelve (12) months unless otherwise specified in the Agreement.
2.20. “Service Level Agreement” or “SLA” means the Supplier’s service level agreement, which is available at www.centuri.se, and which shall apply to the supply of Support and Maintenance under the Agreement.
2.21. "Service Levels" means the service levels for the supply of Support and Maintenance, as specified in the Service Level Agreement.
2.22. "Statement of Work" means an agreed specification of the Implementation Project or other Professional Services, which specifies the agreed Professional Services, resources and competencies, deliverables, customer obligations, time plan, fees and payment, etc.
2.23. "Supplier Materials" means all software, user manuals, documentation, and other materials provided by the Supplier as part of, or in connection with, Centuri SaaS, including all results of Professional Services.
2.24. "Support" means the supply of support services in relation to Centuri SaaS, including the receipt, handling, and reporting of Support cases, as further regulated in the Service Level Agreement, which is available at www.centuri.se.
2.25. "Term" means the term of the Agreement, which includes the Initial Term and any subsequent Renewal Terms.
2.26. "Third-Party Software" means any software provided as part of Centuri SaaS and which is owned by a third party.
2.27. "Updates" means new releases, versions, updates, error corrections, and bug fixes relating to the software included in Centuri SaaS and which are provided as part of Maintenance.
2.28. "User" means named users of Centuri SaaS (the Customer's or its Affiliates' employees or contractors who are registered as named users and who have received unique, named user IDs and passwords). Users are divided into different categories with different permissions and rights in Centuri SaaS.
2.29. "Volume Limitation" means an agreed volume/unit-based limitation on the use of Centuri SaaS, such as the number of Users (and categories of Users).
3. Supply of Centuri SaaS
3.1. The Supplier undertakes to supply Centuri SaaS to the Customer, from the Agreed Start Date and during the Term, in accordance with the Terms and the Agreement.
3.2. Unless otherwise specified in the Agreement, the Supplier shall deliver Centuri SaaS through an agreed Implementation Project.
3.3. The Supplier warrants that Centuri SaaS shall, in all material respects, function in accordance with the Service Description. However, the Supplier does not warrant that the Customer's use of Centuri SaaS will be free from errors or disruptions. The Supplier shall, to the best of its ability, remedy any Incidents in Centuri SaaS by providing Support and Maintenance in accordance with the Service Level Agreement.
3.4. Centuri SaaS is a standardized service that can be configured to suit the Customer's requirements. In addition, the Supplier may, to a limited extent, provide certain integrations with the Customer's third-party software or other customer-specific functionality by special agreement on supply of Professional Services.
3.5. The Supplier develops Centuri SaaS continuously, and its functionality may therefore change during the Term, in accordance with the Supplier's development roadmap, or to maintain performance and/or security, or for other reasons. The Supplier shall notify the Customer with reasonable advance notice of any major changes to be made to Centuri SaaS, with an update to the Service Description.
3.6. The Customer acknowledges that Centuri SaaS is a standardized software service and that the Customer therefore needs to investigate and verify that the features and functionality of Centuri SaaS meet the Customer's needs. The Supplier does not warrant that Centuri SaaS has any specific features or functionality that are not set forth in the Service Description.
3.7. The Supplier may engage subcontractors for the supply of Centuri SaaS (as well as for the supply of the Implementation Project and other Professional Services), in which case the Supplier shall be responsible for the actions and omissions of such subcontractors in the same way as for its own. If such subcontractors are to process personal data on behalf of the Customer, the provisions set forth in the Data Processing Terms on engagement of sub-processors shall apply.
3.8. The Customer acknowledges that in order for Centuri SaaS to function as intended (including any Integrations with the Customer's third-party software), the Customer must meet the Supplier's technical requirements applicable from time to time regarding software, hardware, equipment, communication networks, and other parts of the Customer's IT environment as recommended by the Supplier, and that the Customer must otherwise comply with all of the Supplier's instructions and regulations set out in user manuals and/or otherwise. The Customer is responsible for obtaining the necessary licenses or other agreements regarding such necessary third-party software, hardware, equipment, or communication networks.
3.9. The Supplier may temporarily suspend or restrict the Customer's and/or its authorized Users' access to Centuri SaaS, (a) in the event of a breach by the Customer or Users of the terms and conditions for use of Centuri SaaS under this Agreement, (b) in the event of a virus attack or other security threat that risks causing damage to Centuri SaaS, the Supplier or other customers, or (c) if the Customer fails to pay fees due under this Agreement. In connection herewith, the Supplier may not take more drastic measures than is reasonable under the circumstances and shall notify the Customer as soon as possible of any such suspension or restriction of access to Centuri SaaS.
3.10. The Supplier has the right to immediately prevent the storage and dissemination of Customer Data in Centuri SaaS if it can reasonably be assumed that such storage or dissemination constitutes an infringement of a third party's Intellectual Property Rights or otherwise violates Applicable Law. The Supplier has the right to access Customer Data that has been uploaded or transferred to Centuri SaaS in order to exercise these rights. The Supplier shall notify the Customer in reasonable time before exercising this right.
4. License Rights to Centuri SaaS
4.1. The Supplier grants the Customer a non-exclusive, non-transferable right to use Centuri SaaS (including all Supplier Materials) during the Term for internal business purposes in its own operations and within the agreed Volume Limitations. The Customer's right to use Centuri SaaS is conditional upon all fees under this Agreement being paid on time.
4.2. The Customer is entitled to sublicense the rights of use granted hereunder to (a) its Affiliates, as long as they remain Affiliates, and (b) to consultants and other third parties who need to use Centuri SaaS for providing services to the Customer and/or its Affiliates. For the avoidance of doubt, the agreed Volume Limitations apply also in relation to all use by an authorized sublicensee. The Customer is responsible for all use and other actions performed by Users, including Users of authorized sublicensees.
4.3. The Customer may, by written request at any time during the Term, request that the agreed Volume Limitations shall be changed (for example, by adding additional Users or reducing the number of Users) or by placing other additional orders (for example, by ordering more environments for Centuri SaaS). Such requests must be confirmed in writing by the Supplier. Any such additional order relating to an increase in the Volume Limitations or other additional purchases shall take effect immediately and the applicable fees for the increase will be charged from the order date, for the remainder of the relevant Contract Period and following Contract Periods. However, a reduction in the Volume Limitations or other reduction (e.g. in the number of environments in Centuri SaaS) shall not take effect until the next Contract Period, with a corresponding adjustment of the fee for Centuri SaaS.
4.4. The Supplier has the right to conduct a license audit to verify that the Customer's use of Centuri SaaS is in accordance with the Agreement. The Customer shall cooperate in good faith and shall provide all necessary data and information for such license audit without delay. If the license audit shows that the Customer's use of Centuri SaaS is not in accordance with the Agreement (for example, that the number of Users exceeds the number of licensed Users, either in total or per category of Users, or that other agreed Volume Limitations have been exceeded), the Supplier shall be entitled to immediately invoice the Customer for the excess usage, based on the Supplier's price list applicable at the time (including with retroactive effect for previous excess usage, and for the sake of clarity, without the application of any agreed discounts set forth in the Agreement). If the Customer fails to pay for verified excess usage, this shall be considered a material breach of contract which entitles the Supplier to terminate the Agreement prematurely. For clarification, the Customer may not (a) in the event of excess usage relating to the number of Users, compensate for excess Users in a particular User category with underuse in another User category, and (b) the Customer is obliged to hold licenses for all registered Users, regardless of the degree of actual use of Centuri SaaS by these Users.
5. Customer obligations
5.1. The Customer undertakes to:
• only use Centuri SaaS in accordance with the terms of this Agreement (including agreed Volume Limitations and other restrictions) and Applicable Law;
• not sublicense, grant access to, or otherwise make Centuri SaaS available to any third party that is not entitled to use Centuri SaaS under this Agreement;
• be responsible for the control and administration of permissions for all Users. The Customer is thereby responsible for (i) the administration of user accounts for Users, including the registration of new user accounts and the closure of expired user accounts, (ii) ensuring that all Users' use of Centuri SaaS is in accordance with this Agreement, (iii) ensuring that the login details for each User are only used by the natural person named as the User, and (iv) maintaining the confidentiality of login details, security measures, and other information provided by the Supplier for access to Centuri SaaS. The Customer shall immediately notify the Supplier of any security incidents where unauthorized persons have gained access to Centuri SaaS;
• follow the Supplier's instructions and the terms and conditions applicable to the Customer's use of Centuri SaaS;
• not (i) attempt to reverse engineer or discover any source code or underlying ideas or algorithms for Centuri SaaS (subject to mandatory legislation), or (ii) create derivative works from, modify or alter Centuri SaaS; or (iii) use or access Centuri SaaS for the purpose of building a competing product or service, or otherwise use Centuri SaaS's underlying ideas, features, functions, design, or graphics for its own purposes;
• promptly provide such information and make such decisions as are necessary for the Supplier to perform its obligations under the Agreement; and
• be responsible for ensuring that the Customer has full legal right to upload and dispose of the Customer Data, and that the use of the Customer Data does not infringe any third party's Intellectual Property Rights or violate Applicable Law, and that the Customer Data does not contain any Malicious Code or in any other way may harm or adversely affect the Supplier, Centuri SaaS or any third party.
6. Supply of the Implementation Project and other Professional Services
6.1. The Supplier undertakes to supply the Implementation Project and other Professional Services in accordance with the agreed Statement of Work, these General Terms and Conditions and the Agreement in general.
6.2. The Supplier shall fulfill its obligations to supply the Services with personnel who are suitable, qualified, and competent for the purpose and in a professional manner.
6.3. The Supplier may replace personnel with personnel having equivalent competence. The Customer may request a change of personnel if there are objective reasons for doing so.
6.4. The Parties shall specify in the Statement of Work their respective contact persons, who are responsible for coordination and decisions concerning day-to-day matters within the scope of the Professional Services. For the avoidance of doubt, however, the contact person shall only have the right to amend a Statement of Work or other part of the Agreement if he or she is duly authorized by power of attorney or otherwise.
6.5. The Customer undertakes to:
• cooperate in good faith and provide necessary information,
• undertake and implement all necessary measures and decisions in a timely manner,
• provide technical and physical resources, and fulfill such customer obligations as may reasonably be expected from the Customer, or in accordance with the Statement of Work, and
• use qualified personnel and adequate resources in the collaboration.
6.6. The Supplier shall make reasonable efforts to supply the Professional Services in accordance with the agreed time plan in the Statement of Work. However, the time plan is only a reasonable estimate and may be revised. The Supplier shall only be liable for delays if the Parties have specifically agreed on such liability in the Statement of Work.
6.7. If the Parties have specifically agreed that the Supplier shall be liable for delays in accordance with Section 6.6, the Supplier shall be liable for delays (if caused by the Supplier) as follows: (a) the Supplier shall be liable to pay a delay penalty of 0.5% of the total contract value for the relevant Statement of Work for each week of delay commenced, up to a maximum of 10% of the total contract value for the relevant Statement of Work; and (b) if the Customer has incurred damage due to the delay that exceeds the delay penalty, the Supplier shall be liable for such excess damage (subject to the limitations of liability set out in these General Terms and Conditions); and (c) if the delay is material (which includes that the maximum delay penalty is payable), the Customer may terminate the Statement of Work.
6.8. The Customer may request changes to the Implementation Project or other Professional Services. Change requests shall be made in writing. The Supplier shall not deny a change request without reasonable cause. Upon the Customer's request for a change, the Supplier shall inform the Customer of the impact on time, cost, and content. The Customer shall provide its approval in writing in order for the change request to be considered agreed.
6.9. For the Implementation Project, and for other Professional Services where acceptance tests are to be carried out in accordance with defined deliverables, the following procedures for testing and approval of delivery shall apply (unless otherwise agreed):
• The Supplier shall deliver according to the agreed schedule and shall submit the deliverables to the Customer for acceptance testing at the time specified in the Statement of Work (the "Agreed Delivery Date"). Before handover for acceptance testing, the Supplier shall have carried out its own internal tests. The Supplier shall confirm that such internal tests have been carried out but is not obliged to provide test documentation.
• The Customer shall perform acceptance testing in accordance with defined acceptance criteria, during a time period of ten (10) calendar days unless otherwise specified in the Statement of Work.
• Deviations shall be documented in written minutes and be corrected before a new test is performed.
• The Implementation Project, or other delivery of Professional Services, shall be considered completed and approved (whereupon the "Effective Delivery Date" shall occur) when: (i) the Customer has approved the acceptance tests in writing, or (ii) the acceptance test period has passed without objection, or (iii) the Supplier has corrected any defects reported during the acceptance tests, or (iv) the Customer takes Centuri SaaS into production use or otherwise puts the deliverables into use.
6.10. For Professional Services where no delivery control is to be carried out in accordance with Section 6.9 above, these shall be deemed to have been performed and completed when the Supplier has fulfilled all commitments and obligations specified in the respective Statement of Work. However, if the Parties have agreed on ongoing Professional Services during a specific agreed time period, the Professional Services shall be provided during this agreed time period and shall be deemed to be completed at the end of the agreed time period.
6.11. The Supplier is responsible for correcting any defects in the Professional Services (meaning deviations from the agreed requirements in the Statement of Work or the Agreement) reported by the Customer during a warranty period of six (6) months from the completion of the Professional Service. If the Supplier is responsible for a reported defect, the Supplier shall remedy the defect in an appropriate manner, at its own expense, and with the urgency required by the circumstances.
6.12. During the Term and for six months thereafter, neither Party may actively recruit the other Party's personnel without written consent. This provision shall not prevent a Party from hiring an employee from the other Party if the person hired has responded directly to a recruitment advertisement, either through a recruitment agency or through general advertising.
7. Fees and payment
7.1. All prices and fees in this Agreement are stated in the currency specified in the Order Form, excluding applicable value added tax. Payment shall be made to the Supplier within thirty (30) days from the invoice date. Payment of all applicable fees is a prerequisite for the Customer's right to receive the Services under this Agreement. Fees paid will not be refunded upon termination of this Agreement for any reason, except (in the event of termination by the Customer for cause) any prepaid fees for the time period after the effective termination of the Agreement.
7.2. The fees for Centuri SaaS will be set forth in the Order Form. Unless otherwise set forth in the Order Form, the fees for Centuri SaaS will be invoiced annually in advance from the Agreed Start Date.
7.3. Fees for Professional Services will be invoiced monthly in arrears unless otherwise set forth in the Statement of Work. For the Implementation Project or other Professional Services provided as projects, the Parties may instead agree on a fixed fee, or a target price or other incentive model, which shall be invoiced according to an agreed payment plan. For agreed ongoing Professional Services (such as application management services), an agreed annual fee will be invoiced annually in advance, unless otherwise specified in the Statement of Work. Training services will be invoiced in accordance with the Supplier's current price list. The fees for the Professional Services will be based on the Supplier's applicable prices at the time of performance of the Professional Services, unless otherwise agreed in the Agreement. The Supplier shall be entitled to compensation for expenses (travel, travel time, etc.) against documentation. In the event of cancellation of on-site training or other Professional Services at short notice, the Supplier reserves the right to invoice the agreed fee in full or in part unless the Supplier can use the agreed consultants for other purposes.
7.4. If the Customer is late with payment, a penalty interest will be charged in accordance with the Swedish Interest Act (1975:635). If the Supplier has requested the Customer in writing to pay outstanding amounts due, the Supplier may, thirty (30) days after such written request, with reference to this Section, suspend the continued provision of Services until the Customer has paid the outstanding amounts due.
7.5. The Supplier shall be entitled to increase the fees for the Services set forth in the Agreement on an annual basis, in accordance with the changes to the Labour Cost Index for white-collar workers (LCI White-collar workers) published by Statistics Sweden (SCB), preliminary index, SNI 2007 code J (Information and Communication Activities). The base index is taken from the current quarter in which the Effective Date occurs. In the event of a negative change in the index, there will be no downward adjustment of the fees. Indexation will take place annually as of January 1, starting the year after the Effective Date (however, if the Agreement is entered into during Q3 or Q4, the first indexation will not take place on January 1 of the following year, but only the year after that), whereby the latest index published by Statistics Sweden is compared with the Agreement's base index.
7.6. The Supplier reserves the right to increase the fees for Centuri SaaS for each new Contract Period. Such price increases shall be notified to the Customer at least one (1) month before the date on which the Customer can last terminate the Agreement. If the Customer chooses to continue with the Agreement, the Customer shall be deemed to have approved the fee increase.
7.7. The Supplier is entitled to compensation for additional costs for work caused by the Customer, such as for investigating and correcting Incidents for which the Supplier is not responsible.
8. Intellectual Property Rights
8.1. The Supplier and/or its licensors own all rights to Centuri SaaS, including all Supplier Materials, and all related Intellectual Property Rights. The Customer is granted a limited right to use Centuri SaaS and the Supplier Materials in accordance with Section 4 above.
8.2. The Customer owns all rights to the Customer Data and other materials that the Customer provides to the Supplier. The Supplier may only use such Customer Data and other materials for the purpose of supplying the Services under the Agreement.
9. Liability for infringement of Intellectual Property Rights
9.1. The Supplier undertakes, at its own expense, to defend the Customer if claims are made or legal action is taken against the Customer for alleged infringement of third-party Intellectual Property Rights due to the Customer's use of Centuri SaaS (including the Supplier Materials) in accordance with the Agreement. The Supplier further undertakes to compensate the Customer for any compensation and damages that the Customer may be liable to pay through settlement or judgment. The Supplier's undertaking shall only apply on condition that the Supplier is notified in writing by the Customer within a reasonable time of any claims made or legal action brought, and that the Supplier alone may decide on the defense against such legal action and conduct negotiations for a settlement or compromise.
9.2. If infringement is finally found to exist and the Supplier has been allowed to participate in the trial and settlement as described above, or if, in the Supplier's own assessment, such infringement is likely to exist, the Supplier shall, at its own expense, either (i) ensure the Customer's right to continue using Centuri SaaS, or (ii) modify the relevant parts of Centuri SaaS or replace them with another equivalent service or product, the use of which does not constitute infringement, or (iii) terminate the Customer's license rights with regard to the relevant parts of Centuri SaaS and give the Customer the right to a price reduction corresponding to the reduced value of Centuri SaaS due to the infringement. If the infringement causes significant inconvenience to the Customer, despite the Supplier having fulfilled its obligations under the foregoing within a reasonable time, the Customer shall be entitled to terminate the Agreement prematurely by written notice.
9.3. The Supplier is not liable to the Customer for infringement claims based on Centuri SaaS being modified by the Customer or anyone other than the Supplier, or being used in violation of the Supplier's instructions or the Agreement.
9.4. The Supplier's liability for infringement of third-party Intellectual Property Rights is limited to what is stated above in this Section, unless the infringement has been caused by intent or gross negligence, and the Customer may not make any other claims against the Supplier in this regard.
9.5. Correspondingly to the above, the Customer shall defend the Supplier and hold it harmless if claims are made or legal action is taken against the Supplier due to the Supplier's use of the Customer Data within the scope of the Agreement.
10. Data protection and information security
10.1. The Customer acknowledges and agrees that the Supplier may process personal data about Users and the Customer's contact persons, acting as a data controller under Applicable Law, in order to provide the Services under the Agreement and to administer the contractual relationship with the Customer. The Supplier shall process all such personal data in accordance with Applicable Law.
10.2. The Supplier's processing of the Customer's personal data acting as a data processor, in connection with the supply of the Services under this Agreement, is governed by the Data Processing Terms.
10.3. The Data Processing Terms set forth the general information security requirements that the Supplier maintains for the storage and other processing of the Customer's Data, regardless of whether it contains personal data or not.
11. Confidentiality
11.1. Each Party undertakes not to disclose to any third party, without the other Party's written consent, any Confidential Information that it has received from the other Party or otherwise in connection with the performance of the Agreement. A Party may only use Confidential Information received from the other Party to perform its obligations under the Agreement.
11.2. Confidentiality does not apply to information that a Party can show has become known to it other than through the performance of the Agreement or that is generally known. Confidentiality also does not apply when a Party is required by law, official decision, or applicable stock exchange rules to disclose information. A Party is obliged to ensure that its employees, subcontractors, and others who may gain access to the other Party's Confidential Information through it observe corresponding confidentiality by entering into written confidentiality agreements.
11.3. Confidentiality for Confidential Information shall apply during the Term and for three (3) years after the termination of the Agreement, except that for information that is confidential under Applicable Law, confidentiality shall apply for the time period specified in the relevant legislation.
12. Limitations of liability
12.1. Unless otherwise set forth in Section 12.3, a Party's total liability for damages under this Agreement shall (a) for damage attributable to Centuri SaaS, be limited to an amount equal to the total fees paid by the Customer under the Agreement for Centuri SaaS during the twelve (12) months preceding the occurrence of the event giving rise to the claim, and (b) for damage attributable to Professional Services, be limited to fifty percent (50%) of the contract value of the relevant Statement of Work.
12.2. Unless otherwise set forth in Section 12.3, the liability of a Party shall be limited to direct damage, cost or loss, and neither Party shall be liable for loss of profit, loss of revenue or other indirect damage, cost or loss, or for the other Party's liability to third parties, except as provided in Section 9, or for loss of data.
12.3. The limitations of liability in this Agreement shall not apply in relation to (a) personal injury or death caused by negligence, (b) either Party's liability for compensation under Section 9, or (c) cost, loss, or damage caused by a Party intentionally or by gross negligence.
12.4. In order not to lose its right to compensation, a Party shall submit a written claim for compensation to the other Party within six (6) months from the date of the damage event.
13. Term and termination
13.1. The Agreement shall enter into force on the Effective Date and shall remain in force until the end of the Initial Term. Either Party may terminate the Agreement no later than six (6) months before the end of the Initial Term (and each subsequent Renewal Term), and if the Agreement is not terminated, it shall be automatically extended for successive Renewal Terms, with the same notice period for each Party.
13.2. Termination must be in writing and may only be made in relation to the Agreement as a whole.
13.3. Either Party shall have the right to terminate the Agreement in writing with immediate effect if the other Party:
• materially breaches its obligations under the Agreement and has not remedied such breach within thirty (30) days of written notice from the first Party (if such remedy is possible); or
• is declared bankrupt, goes into liquidation, or for any other reason can reasonably be assumed to be insolvent.
13.4. Upon termination of the Agreement:
• the Customer's rights to use Centuri SaaS, including all Supplier Materials, shall automatically terminate,
• the Customer shall immediately pay all outstanding fees and other compensation; and
• the Supplier shall return or delete, and cease processing, all Customer Data and personal data included therein, as specified in more detail in the Data Processing Terms.
13.5. Except if the Supplier terminates the Agreement prematurely in accordance with Section 13.3 above, upon termination of the Agreement, at the Customer's request, the Supplier shall provide exit assistance and cooperate to a reasonable extent to enable the Customer to change to another supplier of equivalent services in order to help ensure that such transfer takes place with as little disruption as possible to the Customer. Such exit assistance shall be supplied as a special Professional Service, at the Customer's expense in accordance with the Supplier's current price list.
13.6. Provisions in this Agreement that are clearly intended to apply even after the termination of the Agreement shall continue to apply after the termination of this Agreement, regardless of the reason.
14. General provisions
14.1. Force Majeure: If a Party is prevented from fulfilling its obligations under the Agreement due to a force majeure event, this shall result in a postponement of the date of performance and exemption from damages and other possible penalties. If the performance of the Agreement has been prevented to a significant extent for a period longer than two (2) months due to a force majeure event, the Party shall be entitled to withdraw from the Agreement in writing without any liability for compensation. "Force majeure" shall thereby mean circumstances beyond the control of a Party, such as lightning strikes, labor disputes, fires, natural disasters, changes in government regulations, government intervention, and errors or delays in services from subcontractors due to such circumstances.
14.2. Changes: The Agreement is governed by the Terms in the versions applicable from time to time, as available at www.centuri.se. The Supplier may update the Terms during the Term and shall then inform the Customer of such changes in writing (including by email). However, the Supplier is not entitled to change prices or other commercial terms during a current Contract Period. In the event that an update to the Terms results in a significant deterioration for the Customer, the Customer shall be entitled to terminate the Agreement in writing prematurely with three (3) months' notice, whereby notice of such termination shall be given no later than one (1) month after the updated version of the Terms has entered into force. In all other respects, no modification, amendment, or addition to the Agreement shall be considered valid unless made in writing and signed by an authorized representative of both Parties.
14.3. Assignment: A Party may not assign or pledge its rights or obligations under the Agreement without the written consent of the other Party. Nor is the Customer entitled to sublicense, rent out or lend the license rights granted under this Agreement. Notwithstanding the foregoing, the Supplier shall be entitled, without the Customer's consent, to (i) assign this Agreement to an Affiliate of the Supplier, or (ii) assign its right to receive payment under this Agreement, in which case the Customer shall be notified in writing of such assignment.
14.4. No Waiver: No failure or delay by either Party in exercising any right under the Agreement shall be deemed a waiver of such right.
14.5. Invalidity of provisions: If any provision of the Agreement is or becomes illegal, invalid or unenforceable, the legality, validity and enforceability of the other provisions of the Agreement shall not be affected, and the provision shall apply with such deletions or amendments as may be necessary to make the provision legal, valid and enforceable.
14.6. Publication: Upon entering into this Agreement, the Supplier shall be entitled to publish a press release approved in advance by the Customer, and otherwise refer to the Customer's name in its marketing. Any use of the Customer's name in marketing shall be in accordance with good practice.
15. Applicable law and dispute resolution
15.1. This Agreement shall be governed by Swedish law, without application of its choice of law rules.
15.2. Any dispute, controversy or claim arising out of or in connection with the Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (SCC). The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators. The seat of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be the Swedish language. The confidentiality provisions set forth herein shall apply to the arbitration proceedings and the arbitral award.
SERVICE LEVEL AGREEMENT (CENTURI SAAS)
1. Introduction and scope
1.1. This Service Level Agreement (the "SLA") sets forth the terms and conditions for Centuri AB’s (the "Supplier") supply of Support and Maintenance, including applicable Service Levels, for Centuri SaaS to the customer (the "Customer").
1.2. This SLA supplements the General Terms and Conditions and forms an integral part of the service agreement between the Supplier and the Customer (the "Agreement").
1.3. The Supplier's obligations under this SLA, with regard to Support, Maintenance, and Service Levels, apply on weekdays from 8:00 a.m. to 5:00 p.m. CET, excluding public holidays in Sweden (the "Agreed Service Hours"). For clarification, the Customer has access to and can use Centuri SaaS even outside the Agreed Service Hours, but the agreed Service Levels do not apply outside the Agreed Service Hours.
1.4. The current version of this SLA is available at www.centuri.se.
2. Support
2.1. The Customer is responsible for providing first-line support to its Users. If the Customer's own support organization/management team is unable to resolve the problem, the Customer has the right to contact the Supplier for second-line or third-line support.
2.2. The Supplier's support includes access to a service desk for handling Incidents and support cases.
2.3. Support cases are registered via the case management system, or via email or telephone in accordance with the Supplier's current procedures, and are prioritized depending on their impact.
2.4. Support is provided via remote support, telephone, and email, depending on the type of case.
3. Maintenance
3.1. The Supplier provides ongoing Maintenance, including bug fixes and Updates. Where appropriate, the Supplier may alternatively provide instructions on how to circumvent the Incident, or other alternative solutions (so-called workarounds), which may be replaced by permanent fixes at a later date.
3.2. The Supplier will provide Updates when the need arises (either in connection with the resolution of Incidents or in accordance with the general release plan communicated by the Supplier). The Updates will be installed by the Supplier in Centuri SaaS. The Customer may not refuse installation of an Update in Centuri SaaS, but may (if the Customer has valid, objective reasons for doing so) request that installation of an Update is postponed (however, normally not longer than six months from when the Update was made available, and such right does not apply to Updates that correct security vulnerabilities). The Customer acknowledges that the Supplier only provides support for the current and immediately preceding version of Centuri SaaS, and that the Customer's decision to postpone an Update may mean that an older version is no longer supported.
3.3. Planned maintenance is communicated in advance and will normally take place outside the Agreed Service Hours. Time for planned maintenance is excluded when calculating availability as described below.
3.4. The Supplier is responsible for backup by taking a full backup per week and an incremental backup per day. The Customer's data is restored from backup as needed, but the Supplier is not responsible for data loss that cannot be restored (by reading the backup taken in accordance with the specified backup plan).
4. Customer obligations
4.1. The Customer shall follow applicable procedures for reporting errors and appoint contact persons. Information about contact persons shall be kept up to date.
4.2. The Customer shall set up its own internal management team to provide first-line support to Users. The Customer shall ensure that the management team has the training and knowledge of Centuri SaaS required to provide such first-line support.
5. Prioritization and feedback
5.1. Support cases/Incidents are assigned priority based on their impact on operations:
• Critical: The system is completely unavailable
• High: Large parts are unavailable
• Normal: Minor parts are affected
• Low: Does not affect work
5.2. Status updates are provided on an ongoing basis, especially for critical Incidents.
6. Service Levels – Response Time and Resolution Time
6.1. "Response Time" refers to the actual time, during the Agreed Service Hours, from when a support case is opened until the Customer is notified that work on the support case has begun.
6.2. "Resolution Time" refers to the time (target only) during the Agreed Service Hours from when a support case is opened until a solution to the support case (permanent solution or workaround) is provided to the Customer.
6.3. The following Response Times apply to Incidents (during the Agreed Service Hours):
• Critical/High: 1 hour
• Normal: 4 hours
• Low: 8 hours
6.4. The following Resolution Times apply (as a target only) to Incidents (during the Agreed Service Hours):
• Critical/High: 2 hours
• Normal: 8 hours
• Low: 16 hours (If the Supplier assesses that the Incident with Low priority needs to be resolved, which is determined unilaterally by the Supplier).
6.5. The following Response Times and Resolution Times apply to support cases other than Incidents (i.e. user support) and professional services cases (during the Agreed Service Hours):
• For user support, a 4-hour Response Time applies.
• For professional services cases, an 8-hour Response Time and 5 working days Resolution Time apply (as a target only).
7. Service Levels – Availability
7.1. The Supplier guarantees an Availability for Centuri SaaS of 99.5% during the Agreed Service Hours. Availability is measured at the connection point to the Supplier's data center. Disruptions are documented and can be shared with the Customer upon request.
7.2. The following are excluded when measuring Availability: (a) Planned Maintenance; (b) force majeure; (c) Incidents and other errors caused by the Customer, its Users, the Customer's software, network or other equipment, or by third parties outside the Supplier's control; or (d) Incidents and other errors caused by Malicious Code, provided that the Supplier has taken appropriate security measures to prevent such Malicious Code.
8. Compensation
8.1. If guaranteed Availability is not achieved, the Supplier may, at its discretion, grant a reasonable price reduction for the month in question. This is the only compensation payable for a failure to meet Service Levels, and the Customer may not make any other claims against the Supplier for a failure to meet Service Levels.
DATA PROCESSING TERMS
1. Background
1.1. These data processing terms (the “Data Processing Terms”) govern Centuri AB’s (the “Processor”) processing of Personal Data on behalf of the Customer (the “Data Controller”) in connection with the supply of services under the service agreement entered into between the Parties (the “Agreement”).
1.2. These Data Processing Terms supplement the General Terms and Conditions and form part of the Agreement, and have been entered into in accordance with the requirements of the Personal Data Legislation.
1.3. For the processing of Personal Data pursuant to the Agreement and these Data Processing Terms, the Processor will act as a data processor for the Data Controller, who is the data controller for the processing of Personal Data pursuant to these Data Processing Terms.
1.4. These Data Processing Terms are supplemented by the Data Controller's instructions to the Processor regarding the processing of Personal Data (the "Instructions"). Appendix 1 to these Data Processing Terms constitutes these Instructions and describes the processing of Personal Data that typically takes place when the Processor provides services under the Agreement, but may be amended, supplemented, or clarified in the Agreement in the event of deviating instructions or if the Data Controller has specific requirements.
1.5. For clarification, these Data Processing Terms do not apply to the processing of personal data where Centuri AB acts as the data controller, such as the processing of personal data relating to the Customer's contact persons for the Agreement.
1.6. The current version of these Data Processing Terms is available at www.centuri.se.
2. Definitions
2.1. The words and terms used in these Data Processing Terms shall have the meanings set out below or otherwise set forth in these Data Processing Terms, or as follows from the Personal Data Legislation.
2.2. "Data Subject" means the natural person to whom Personal Data relates.
2.3. "General Data Protection Regulation" or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, or any other regulation replacing it.
2.4. "Personal Data" means personal data that the Processor processes on behalf of the Controller in accordance with these Data Processing Terms. Personal Data is data that constitutes personal data according to the Personal Data Legislation applicable from time to time.
2.5. "Personal Data Legislation" means the laws or regulations applicable from time to time relating to the processing of Personal Data, including but not limited to the GDPR, the Swedish Act (2018:218) containing supplementary provisions to the GDPR, and other applicable Swedish or EU legislation regarding the processing of personal data, as well as the Supervisory Authority's decisions, advice, and recommendations applicable from time to time.
2.6. "Supervisory Authority" means the authority or authorities that supervise the processing of personal data under the Personal Data Legislation. At the time of entering into these Data Processing Terms, the Swedish Authority for Privacy Protection (IMY) is the authority that exercises such supervision in Sweden.
3. The Data Controller's obligations
3.1. The Data Controller undertakes to comply with and keep itself updated with the Personal Data Legislation and to take into account the decisions, advice, and recommendations of the Supervisory Authority. The Data Controller also undertakes to cooperate with the Supervisory Authority in its supervision of the processing of Personal Data.
3.2. The Data Controller is obliged to provide up-to-date and accurate information about the Personal Data that the Processor processes on behalf of the Data Controller.
3.3. The Data Controller is obliged to provide clear, written, and documented Instructions to the Processor regarding the Processor's processing of Personal Data. The Data Controller shall ensure that the Instructions are kept current and updated, and shall provide amended or supplementary Instructions to the Processor when necessary. The Data Controller shall inform the Processor of any such changes in good time and in a clear manner in writing. The Processor shall not object to any change to the Instructions without valid reasons (and in no event if the change is required under the Personal Data Legislation). Notwithstanding the above, the Parties' agreement on the change is required for any non-insignificant change or extension in accordance with Section 14 below.
3.4. The Data Controller is responsible for ensuring that the Instructions comply with and meet the requirements of the Personal Data Legislation.
3.5. The Data Controller undertakes to ensure that the Data Controller's employees and other Data Subjects receive information about how their Personal Data is processed by the Processor.
4. The Processor's obligations
4.1. The Processor shall only process Personal Data in accordance with the Instructions and only to the extent necessary for the performance of the Agreement. The Processor may never process Personal Data for purposes other than those specified in the Instructions.
4.2. If the Processor considers that Instructions are missing, which are necessary for the Processor to perform the Agreement or its obligations under these Data Processing Terms, the Processor shall inform the Controller in writing of its position and await further Instructions from the Controller. The Processor further undertakes to immediately inform the Controller in writing if the Processor considers that the Instruction provided by the Controller is in violation of the Personal Data Legislation.
4.3. Once the Processor has informed the Controller of missing instructions or instructions that violate the Personal Data Legislation, the Processor shall be entitled to suspend the processing in question until the Controller has supplemented or adjusted its instructions so that they are complete and comply with Personal Data Legislation. The change in the Processor's performance of its obligations under the Agreement that such a refusal would entail does not entitle the Data Controller to claim a breach of the Processor's performance under the Agreement or these Data Processing Terms. Agreed fees shall still be paid.
4.4. In the event that the Processor processes Personal Data beyond or in contravention of the Controller's Instructions, due to requirements under Swedish or EU law to which the Processor is subject, the Processor undertakes to inform the Controller in writing of the legal requirement before the Personal Data is processed, if such information is permitted under the Personal Data Legislation.
4.5. In the event that an authority, Data Subject, or other third party requests information from the Processor regarding the processing of Personal Data, the Processor shall refer to the Data Controller as soon as possible and without undue delay. The Processor may only disclose Personal Data or information about the processing of Personal Data in accordance with written instructions from the Data Controller or if the Processor is obliged to disclose such information in accordance with law, regulation, court order, authority decision, or stock exchange regulation.
4.6. The Processor shall, without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data, or any attempt to do so ("Personal Data Incident"), notify the Controller hereof in writing. In such an event, the Processor shall, at the expense of the Controller and if requested by the Controller, in addition to notifying the Controller that a Personal Data Incident has occurred, assist the Controller in fulfilling the Controller's obligations under the Personal Data Legislation.
4.7. The Processor undertakes, provided that records are legally required, to keep records of all categories of processing carried out on behalf of the Controller in accordance with Article 30.2 a)-d) of the GDPR, to take all measures required under Article 32 of the GDPR, and to assist the Data Controller in ensuring that the obligations under Articles 32-36 of the GDPR are fulfilled.
4.8. The Processor may not transfer Personal Data to a third country (a “third country” being a country that is not a member of the EU or the EEA) in violation of the Personal Data Legislation.
4.9. The Processor undertakes to comply with the Personal Data Legislation, to take into account the Supervisory Authority's advice and recommendations, and to keep itself updated with the Personal Data Legislation. The Processor also undertakes to cooperate with the Supervisory Authority in its supervision of the processing of personal data.
4.10. The Processor undertakes to ensure that the Processor's employees and other persons who are given access to the Personal Data by the Processor receive information on how the Personal Data may be processed.
5. Technical and organizational measures
5.1. The Processor undertakes, taking into account the nature of the processing, to undertake appropriate technical and organizational measures to ensure that the Processor can fulfill its obligations under these Data Processing Terms. The technical and organizational security measures taken in relation to the processing of Personal Data are set out in Appendix 2 to these Data Processing Terms.
5.2. The Processor shall, taking into account the nature of the processing, implement appropriate technical and organizational measures to protect the Personal Data. For example, the Processor shall limit access to the Personal Data to only those persons who need access to perform their duties under the Agreement.
5.3. The measures to be taken by the Processor under Section 5.2 shall achieve a level of security appropriate to the technical possibilities available, the cost of implementing the measures, the specific risks involved in the processing of the Personal Data, and the sensitivity of the Personal Data.
5.4. The Processor shall, at the expense of the Controller, assist the Controller by appropriate technical and organizational measures, taking into account the nature of the processing and as far as this is possible, so that the Controller can fulfill its obligations to respond to requests for the exercise of the Data Subject's rights under the Personal Data Legislation.
6. Audits
6.1. The Processor shall provide the Controller with access to such information as is necessary to demonstrate compliance with the obligations under these Data Processing Terms and the Personal Data Legislation. The Processor shall also enable and contribute to audits, including inspections, conducted by the Controller or by an auditor appointed by the Controller for the purpose of verifying that the Processor complies with the obligations set out in these Data Processing Terms and the Personal Data Legislation. Such an audit shall be preceded by at least thirty (30) days' written notice from the Data Controller, specifying the content and scope of the inspection. The content and scope shall not exceed what is necessary in view of the purpose of the audit. As a general rule, inspections shall only be carried out if an audit under the Personal Data Legislation cannot be performed by the provision of information by the Processor.
6.2. The Processor shall be entitled to reasonable compensation for the assistance required under Section 6.1, unless the Data Controller's audit shows that the Processor has breached these Data Processing Terms in any material respect.
7. Compensation
7.1. Notwithstanding anything else in these Data Processing Terms or in the Agreement, the Processor is entitled to reasonable compensation for: (a) the work and additional costs incurred as a result of the Data Controller changing the original Instructions in Appendix 1, (b) the work and additional costs incurred as a result of supervision or audit by a Supervisory Authority or similar measures, (c) the work and additional costs incurred by the Processor due to the Controller's failure to comply with its obligations under Section 3 of these Data Processing Terms, and (d) the work and additional costs incurred by the Processor when the Processor shall assist the Controller in ensuring that the Controller's obligations under Articles 34-36 of the GDPR are fulfilled.
7.2. In addition to what is set forth in these Data Processing Terms regarding the Processor's right to compensation, the Processor's right to compensation is governed by the Agreement.
8. Sub-Processors
8.1. The Processor may engage sub-processors for the processing of Personal Data. The Processor is responsible for informing the Controller of which sub-processors the Processor engages. The Processor shall ensure that all sub-processors are bound by written agreements in which the sub-processor is subject to the same or equivalent obligations as the Processor under these Data Processing Terms and guarantees to take appropriate technical and organizational measures in such a way that the processing of Personal Data complies with applicable Personal Data Legislation.
8.2. The sub-processors engaged at the time of entering into the Agreement are specified in the Instructions and are deemed to be approved by the Data Controller. The Processor undertakes to inform the Data Controller in writing (including by electronic communication) in the event that the Processor intends to change sub-processors or enter into agreements with new sub-processors. The Data Controller shall then have the right to object in writing to such changes within 14 days of receiving notification of such a change. If the Data Controller does not object to the change within the specified time, the change shall be deemed to have been approved. If the Data Controller objects to the change, the Parties shall discuss an appropriate solution in good faith. If no such solution can be reached, the Processor shall be entitled to terminate the Agreement prematurely with reasonable notice.
9. Confidentiality
9.1. The Processor undertakes not to disclose or reveal the Personal Data or other information obtained by the Processor as a result of these Data Processing Terms to third parties who are not subject to the same obligations as the Processor under these Data Processing Terms.
9.2. The Processor shall ensure that the Processor's employees and other persons who are given access to the Personal Data by the Processor have undertaken to observe confidentiality or are subject to an appropriate statutory duty of confidentiality.
9.3. The obligations under this Section 9 do not include information disclosed in accordance with the Data Controller's instructions or which the Processor is required to disclose by law, regulation, court order, official decision or stock exchange regulation. The Processor shall notify the Controller in writing without delay if the Processor is required to disclose such information, provided that it is permissible to make such a notification.
9.4. The confidentiality undertaking in this Section 9 shall remain in force also after these Data Processing Terms have ceased to apply.
10. Liability
10.1. Each Party is responsible for any administrative fines imposed on the Party by a Supervisory Authority or court (pursuant to Article 83 of the GDPR or other Personal Data Legislation). Such administrative fines are not subject to division of liability between the Parties under these Data Processing Terms, but shall be borne by the Party on which the administrative fine is imposed.
10.2. Each Party is responsible for damage claims from Data Subjects or other third parties in the manner specified in Article 82 of the GDPR. The Party requesting compensation from the other Party shall, without delay, inform the other Party in writing of the claim by the Data Subject or other third party and cooperate with the other Party to defend against the claim in a manner reasonable under the circumstances. The Party claiming compensation from the other Party shall submit its final claim for compensation to the other Party in accordance with this Section 10.2 no later than six (6) months after it has been finally determined (by a final judgment or approved settlement) that the Party is liable to pay compensation to a Data Subject or other third party, but in any event no later than six (6) months after the Agreement has expired.
10.3. The general limitation of liability set forth in the Agreement shall apply to the liability of the Parties under Section 10.2 and otherwise under these Data Processing Terms.
11. Term and termination
11.1. These Data Processing Terms form part of the Agreement and shall apply for as long as the Agreement is in force between the Parties. Upon termination of the Agreement, regardless of the reason, these Data Processing Terms shall cease to apply between the Parties without prior notice, provided that if the Processor still has access to the Personal Data at that time, these Data Processing Terms shall continue to apply until all processing of the Personal Data has ceased.
12. Consequences of termination of the Agreement
12.1. Upon termination of the Agreement, regardless of the reason for termination, the Processor shall, in accordance with the instructions of the Data Controller and at the expense of the Data Controller, delete or return all Personal Data to the Data Controller, or to the person designated by the Data Controller, and then delete any existing copies, unless the storage of the Personal Data is required under the Personal Data Legislation or other legislation applicable to the Processor's activities.
12.2. However, the above requirements for deletion do not apply to the deletion of backups, which is carried out in accordance with the applicable backup routine and is therefore not something that the Processor can influence manually.
12.3. In addition to the termination of the Agreement as described above, the Data Controller may request the deletion or return of Personal Data at any time during the term of the Agreement, in which case the Processor shall comply with such request in accordance with the above.
13. Assignment
13.1. Any assignment of rights or obligations under these Data Processing Terms to a third party may only take place in connection with the assignment of the Agreement (if such assignment is permitted under the Agreement).
14. Amendments
14.1. These Data Processing Terms may only be amended in accordance with the Agreement.
15. Choice of law and dispute resolution
15.1. These Data Processing Terms are governed by the applicable law and dispute resolution provisions set out in the Agreement.
Appendix 1
Instructions for Data Processing Terms
1. Purpose
This Appendix 1 specifies the processing of Personal Data that the Processor performs on behalf of the Controller under the Agreement and the Data Processing Terms.
The purpose is to clarify which processing operations and which Personal Data are covered by the Agreement and to comply with the requirements of the GDPR in accordance with, for example, Article 28.3 of the GDPR.
2. Categories of personal data
The Personal Data processed relates to the following categories of personal data:
• User information in the system linked to name, email address, organizational affiliation
• Documents and cases that may contain personal data (name, telephone number, personal identification number).
3. Sensitive personal data (where applicable)
It is the Data Controller who, through its use of the service provided by the Processor under the Agreement, alone enters and controls which Personal Data is processed under the Agreement. The Parties agree, and the Data Controller undertakes to ensure, that no Sensitive Personal Data (as defined below) shall be entered for processing in the service or otherwise be made available to the Processor for processing under the Agreement. The Processor shall therefore not process any Sensitive Personal Data under these Data Processing Terms.
Any changes to the processing of Personal Data that the Processor shall undertake on behalf of the Controller shall be agreed jointly and in writing, e.g. if Sensitive Personal Data is to be processed. In the event of such agreed changes, the Parties shall also agree on any adjustments to the technical and organizational measures applied. The Processor is entitled to additional compensation for all work undertaken by the Processor in connection with the provisions of this paragraph.
"Sensitive Personal Data" means Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
If the Data Controller requests the Data Processor to process Sensitive Personal Data under the Agreement, this Appendix 1 shall be amended before such processing may commence.
4. Categories of Data Subjects
The Personal Data relates to the following categories of Data Subjects:
• Employees of the Data Controller who use the service
• Customers, suppliers, and personnel of the Data Controller
• Contact persons at the Data Controller regarding the Agreement.
5. Nature and purpose of the processing of Personal Data
The processing of Personal Data is carried out for the following purpose(s):
• Configuration and support for the system, which requires consultants or technical support staff of the Processor to log in to the Data Controller's technical environment.
• Operation of the Data Controller's technical environment.
• Continuous information to contact persons at the Data Controller regarding updates and changes to the system.
6. Processing
Personal Data will be subject to the following processing:
• Operation of the Data Controller's technical environment.
• Configuration of information flows and support for document and case management.
The Processor shall not process Personal Data for any purpose other than those specified above.
7. Sub-processors
The Processor uses the sub-processors listed below for processing in accordance with the Agreement and the Data Processing Terms:
• FourEdge AB, organization number 556726-8106. FourEdge AB provides the following services as a subcontractor within the framework of the Agreement: Data Center Operating Agreement
8. Geographical location of processing
The Personal Data is processed in Sweden. However, Personal Data may be processed in another country within the EU/EEA area when engaging a new sub-processor.
Appendix 2
Technical and organizational security measures
The technical and organizational security measures undertaken by the data center operating partner and the Processor are:
A. Security measures undertaken by the operating partner
The Processor engages an operating partner that is ISO 27001 certified. The operating partner is responsible for technical operations, including the following security measures:
• Equipment access protection: Prevents unauthorized access to computer equipment and data centers in accordance with the ISO 27001 standard through physical security, intrusion protection, alarms, and surveillance.
• Access control system: The operating partner has established procedures for assigning, changing, and removing access rights, which are initiated in accordance with the Processor’s instructions. This ensures that unauthorized persons do not get access to systems that process Personal Data.
• Data access control: The operating partner ensures that users only have access to Personal Data that is relevant to their authorisation, and that the data cannot be read, copied, changed or deleted without authorisation.
• Transfer control: Personal data is protected against unauthorized access during electronic transfer, transport, or storage. The operating partner uses sFTP accounts with secure handling of login details and can control transfer points.
• Service control: The operating partner ensures that personal data is only processed in accordance with the instructions of the Processor and the Data Controller.
• Availability control: Personal data is protected against accidental loss or destruction through regular backup, storage, and restoration in accordance with documented procedures.
• Separation control: Personal data collected for different purposes can be processed separately.
• Incident management: The operating partner has established processes in accordance with ISO 27001 for handling and reporting security incidents.
The Processor ensures that the operating partner's compliance with the above security measures is continuously monitored, for example through regular meetings, reports, or reviews of current certification.
B. The Processor’s own security measures
In addition to the operating partner's security measures, the Processor undertakes the following organizational and technical security measures on its own:
• Access control: The Processor uses multi-factor authentication (MFA) and individual access control for all employees and users. Access rights are limited according to the principle of least privilege.
• Physical security: The Processor's premises are protected by alarms, unique access cards, and restricted physical access.
• Introduction control: It is possible to determine after an incident whether and by whom Personal Data has been introduced, changed, or removed from systems that process Personal Data.
• Incident management: The Processor has internal policies, guidelines, and reporting flows for incident management and reporting to responsible parties.
• Training and instructions: The Processor performs regular training of personnel regarding information security, GDPR, and internal procedures.
Service Description Centuri SaaS
1. Introduction and purpose
Centuri is a web-based software service (SaaS), provided and operated by Centuri AB, for structured management and control of organizational information. The service is used to support and improve established working methods and requirements for traceability, quality, and regulatory compliance in the business.
The purpose of this appendix is to provide a general description of Centuri as a product, its main functional areas, and how the service is delivered and used.
The description refers to Centuri as a standard product and does not constitute a detailed functional or requirements specification.
2. Overview of Centuri as a platform
Centuri is a cohesive platform for controlling how information is created, managed, and flows throughout all or parts of an organization. The platform is built around common basic components that are used consistently throughout the system, regardless of information type or functional area.
Central to Centuri are:
- a common workflow engine
- a common form and metadata engine
- a common rule and notification logic
- a common authorization and security system
These basic components form the basis for how information is structured, followed up, and automated in all parts of the platform.
2.1 Workflow engine and process logic
Centuri uses a common workflow engine for managing information in the system. The workflow engine controls how information moves through the organization: from initiation to completion and archiving.
Workflows can be configured with steps, transparency, and responsibility, and linked to rules, tasks, and notifications via the platform's common rule and notification logic. This ensures consistent working methods, high traceability, and the possibility of automation without customer-specific programming.
2.2 Forms, metadata, and information structure
All information created in Centuri is based on forms and metadata, as well as files from other services. The same form and metadata engine is used throughout the system, with adjustments depending on the type of information.
Forms are configured using drag-and-drop and can be supplemented with rules, dependencies, and validations that control both information collection and workflow logic. This ensures that information is accurate, complete, and structured as soon as it is entered.
2.3 Rule and notification logic
Centuri has a common rule and notification logic that is used across the entire platform to automate events and follow-ups.
The logic can be used to:
- generate notifications to users, groups, roles, or devices
- create automatic tasks linked to workflows
- trigger reminders and escalations based on time or status
- control the next step in a workflow based on content or metadata
In addition to automatically generated notifications and tasks, users can also create manual tasks for coordination and follow-up.
2.4 Authorization and security system
Centuri has a common authorization and security system that is applied consistently across the entire platform. Access to and editing of information can be controlled via users, groups, roles, and organizational affiliation.
2.5 Consistent user experience and administration
Since the same basic components are used throughout Centuri, users and administrators get a consistent experience regardless of functional area. Configuration and administration are similar throughout the system, and the same principles for authorization, traceability, and history apply throughout.
The platform's uniform structure contributes to a lower administrative burden and enables the use of Centuri to be gradually expanded over time.
3. Main functional areas
3.1 Document management
Centuri supports the management of both governing and operational documentation, such as procedures, instructions, policies, guidelines, reports, meeting minutes, role descriptions, and project documentation.
The functionality includes:
- use of Microsoft 365 for file editing, via MS 365 Online or desktop with locally installed document assistant
- version management and full history
- review and approval in workflow
- controlled publishing and distribution
- read receipts and follow-up
- archiving according to configured rules
- templates and automatic formatting
3.2 Case management
Case management is used for event-based information gathering according to predefined and configured processes, such as deviations, improvement suggestions, audits, inspections, rounds, and longer projects.
Cases are handled in workflows with support for, among other things:
- form-based registration
- responsibilities and tasks per step
- transparency, status, history, and traceability
- deletion of personal data
3.3 Contract management
Contract management in Centuri covers contracts and associated appendices, as well as related information, including certifications and registrations. Contracts are managed as structured information objects with metadata, workflow, and access control.
Support is available for, among other things:
- monitoring of due dates
- linking to counterparties and registers
- version management and archiving
- escalation and control via contract managers and stakeholders
3.4 Registry management
Registers are used to structure and reuse common business information, such as counterparties, facilities, products, processes, roles, and other business objects.
Registry entries can:
- be linked to documents, cases, contracts, risks, and competencies, as well as other registry entries
- be used in forms and workflow logic
- form the basis for reporting and follow-up
- be used for grouping and classifying information
3.5 Risk management
Centuri supports various types of risk management through several complementary system logics, including:
- aggregation of cases into defined risks for cyclical assessment
- use of risk catalogs in cases for overall assessment
- structured and independent management and visualization of risks
3.6 Competence management
Centuri supports organizations in defining competencies and tracking which users are authorized to perform work within defined time intervals. In addition to supporting control and compliance, competency management enables the structuring of knowledge packages based on information in Centuri for easier learning.
4. Supportive and cross-platform functions
In addition to the main functional areas, Centuri includes supporting functions that are used across the entire platform.
These include, among other things:
- global search function with access control
- shared information library for published and valid information
- function-independent task overview ("to do") for coordination and process simplification during development
- archive for history management
- reporting and compilations
- configurable start page with widgets for overview
5. Security and encryption
Information in Centuri is protected by technical and organizational security measures in accordance with accepted industry standards. The security measures are designed to support requirements under applicable standards and regulations in information security and data protection.
5.1 Transport encryption
All communication between client and server takes place over encrypted connections using Transport Layer Security (TLS). Centuri is configured to use the latest available version.
5.2 Encryption of data at rest
Stored information is protected by encryption. The database is encrypted with Transparent Data Encryption (TDE) in Microsoft SQL Server. Document data, search indexes, and backups are stored on encrypted storage media and protected with strong encryption algorithms, such as AES-256.
5.3 Key management
Cryptographic keys are managed in a FIPS 140-2 Level 3 validated hardware security module (HSM). Keys are generated, stored, and used within this protected environment in accordance with established security policies.
5.4 Logging and traceability
All activity in the system is logged for traceability and follow-up.
6. Technical delivery
Centuri is delivered as a web-based SaaS service and is accessed via a modern web browser. The service is based on .NET technology with data storage in Microsoft SQL Server and uses Elasticsearch for search functionality. The user interface is responsive for use on computers, tablets, and mobile devices.
6.1 Authentication and access
Centuri supports secure passwords, automatic logout after inactivity, and Single Sign-On (SSO) via SAML. Support is available for AD synchronization via the Centuri service or API.
6.2 Operation
Centuri is operated in a secure server environment with continuous monitoring, backup management, and proactive performance optimization for high availability and operational reliability.
6.3 Integrations and data exchange
Centuri provides open APIs for integration with external systems such as HR systems, ERP, intranets, and reporting tools. The platform also supports integrations via push and pull services.
Support is available for importing and exporting information in established formats.
7. Upgrades
The cloud service is updated regularly depending on the price plan and/or customer-specific configuration, but always at least once a year to a new main version of the standard software. In addition to this, ongoing updates may be made for security improvements and bug fixes. Deviations and extensions may be agreed upon in the Agreement and in an Application Management Agreement. Upgrades are carried out with minimal impact on users.
8. Support and management
Centuri AB provides support, documentation, and training materials. Consulting services can be offered for implementation, configuration, training, and integrations.
Centuri is continuously developed and made available as part of the standard product.
9. Additional services
Additional services may be offered, such as digital signing, process mapping with 2c8, custom integrations, AD synchronization, and extended integrations with email and SharePoint.
10. Termination and data portability
Upon termination of the service, the customer has the right to receive their data in an agreed format. After termination, customer data is deleted in accordance with the agreement and applicable legislation.

