The Terms & Conditions below describe the regulations related to using the Private Cloud service provided by YetiForce S.A. within the European Union.

Registration data:

YetiForce S.A.
With its headquarters in Warsaw, Al. Jana Pawła II 22, 00-133 Warszawa, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the capital city of Warsaw in Warsaw, 13th Commercial Division of the National Court Register under the KRS number: 0000385023, share capital: 650.000,00 zł (fully paid), Tax ID: 118-000-24-25 represented by: Mr Bartosz Hermann – President; later referred to as “Vendor” or “YetiForce S.A.”​.

Infrastructure information

1. The YetiForce S.A. company built a cluster based on dedicated servers located in an OVH server room (later referred to as “Server Room”). Servers belong to OVH Sp. z o.o. (ul. Karola Miarki 6-10 lok. 3-4, Wrocław) and the YetiForce S.A. company leases them in order to provide private cloud services.
2. The cluster consists of a number of servers, and the power of a single server is similar to the reference server’s parameters:
   1. Server for virtualization purposes
      1. Processor​: Intel 2x Xeon Gold 6140, 36/72t - 2.3GHz /3.7GHz
      2. RAM​: 768GB RAM ECC (2666 MHz DDR4) - 24x32GB
      3. Drives:
         • 3x PCIe - 375GB NVMe - Intel - Optane P4800X (30 DWPD)
         • 3x 3,8TB SSD - Enterprise - Samsung - PM863a (0.8 DWPD)
         • 9x 10TB SAS - 7,2K Enterprise - HGST - Ultrastar He10
   2. Server for backup purposes
      1. Processor: Intel  Xeon E5-2620v3 - 6/12t - 2.4GHz /3.2GHz
      2. RAM: 64GB DDR4 ECC 1866 MHz
      3. Drives: HardRaid 12x4TB SAS
3. All servers are located in OVH Sp. z o.o. in different locations in Europe in order to ensure highest availability in case one of the data centers malfunctions.
4. The Customer receives a part of the physical server in the form of a virtual server (VPS) in accordance to the purchased Private Cloud plan, available at and https://yetiforce​.com​. 
5. YetiForce S.A. is allowed to schedule breaks in the infrastructure operation in order to apply necessary changes and updates. If the break time exceeds 6h the Customer is entitled to a free extension of their service period by an amount of time equal to the service’s downtime. A notification about each scheduled break will be sent in advance to the email address provided by the client. 
6. YetiForce S.A. is allowed to use scripts and tools used to central monitoring and management or individual virtual machines.

Security

1. Server room level security: OVH relied on ISO 27002 standards for implementing good practices in information security management and ISO 27005 for risk assessment and related operations. SOC 1 type II certifies that OVH has defined and implemented controls related to the protection of its clients' data. SOC 2 type II assesses these controls against an international standard created by the American Institute of Certified Public Accountants (AICPA) in accordance with the Trust Services Principles.
2. Cluster level security: Cluster access is only available to YetiForce S.A. employees with proper permissions and competence for managing virtual environments. Access can also be granted to third parties that perform infrastructure security audits or supervise correct operation of the cluster in accordance with standards.
3. Operating system level security: YetiForce​ Sp. z o.o implements good practices described by Center​ of Internet Security​ according to the recommendations for each system: https://www​.cisecurity.org/cis-benchmarks/​. The configuration also results from experience and good practices developed within the YetiForce S.A. Company. All servers are regularly updated to maintain a uniform and secure environment.
4. Application level security: YetiForce Sp z o.o. develops its software according to standards, i.e.:
   1. https://insight.sensiolabs.com/what-we-analyse
   2. https://www.owasp.org/index.php/OWASP_Proactive_Controls
   3. https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
   4. https://www.php-fig.org/psr/
   5. And undergoes independent monthly audits for each new version of the YetiForce system.
5. Backup copies: The Customer is provided with access to backups (read only) from the past 7 days via backup panel available in the application. Each backup is encrypted, and the key to the copy is sent via email. All backups for a single server are encrypted using the same password. 

Technical support

1. Hardware and network level (SLA 99.95%) - problems at this level are addressed directly by OVH Sp. z o.o. based on reports sent by YetiForce S.A. Terms and conditions for support services are listed in the OVH Terms & Conditions related to dedicated servers: https://www.ovh.pl/pomoc/regulaminy  (in Polish), and SLA conditions are listed at: ​https://www.ovh.pl/serwery_dedykowane/sla.xml?range=BIGDATA  (in Polish).
2. Operating system level (SLA 99%) - problems at this level are addressed directly by YetiForce S.A.
3. Application level (SLA 99%) - problems at this level are addressed directly by YetiForce S.A. Support at this level applies only to problems related to the operation of the YetiForce application and is not used to provide the customer with services related to training and support as far as customization and configuration of the YetiForce system is concerned because this type of support requires a separate paid SLA available at https://yetiforce.com.

The Customer commits not to use the technical support excessively so as not to interfere with the regular operation of technical support (e.g. the customer will not report the same issue multiple times if the first reported problem has not yet been solved).

The Customer can report technical issues only directly to YetiForce S.A. via email sent to: SLA@yetiforce​.com, or via the customer portal available at: https://yetiforce.com/ portal.

YetiForce S.A. commits to exercise due diligence to ensure stability, uninterrupted operation and high quality of services offered.

YetiForce S.A. is not responsible for technical problems or technical restrictions of the hardware used by the Customer, which prevent the Customer from using the service.

Fees

1. The Private Cloud service is paid according to the price list at ​https://yetiforce.com. An exception to that is the free testing period that can last up to 30 days from the moment YetiForce is installed upon the Customer’s order.
2. Payments for the service are done upfront, according to a document issued by YetiForce S.A., or on the basis of the payments panel built into the application.
3. In case the payment is 21 days overdue the server will be shut down and the Customer will be notified. If the payment is not made within 30 days, the server will be removed. Removing the server simultaneously terminates this agreement between the Parties.
4. The Customer can request a backup of the entire application before the server is removed, that is during the 30 day period of waiting for the payment. The backup is free and access to it is sent to the Customer electronically.
5. The Customer has the right to extend the service period by the amount of time equal to the service downtime, and to a 5% discount for each hour of service downtime (but not more than 100% of the monthly fee for the Service) beyond the time described in the Technical Support section.

Personal data protection

1. The Customer may provide personal data in order to use the Services, as well as while using them, for example by completing the forms and conducting correspondence with YetiForce.
2. Providing personal data is voluntary, but necessary to use the Services. It will not be possible to use the Services without providing personal data..
3. Any personal data provided by the Customer or collected by YetiForce S.A. about the Customer are processed in a manner consistent with the requirements set out in Polish law, and above all in accordance with regulation 2016/679 of the European Parliament and of the Council (EU) of 27 April 2016 on the protection of individuals with regard to the processing of personal data, and on the free movement of such data, and repealing Directive 95/4/EC, hereinafter referred to as "GDPR".
4. YetiForce S.A. is the Administrator of the abovementioned personal data.
5. YetiForce S.A. may entrust the processing of collected Customers’ personal data to another entity on the basis of the entrustment agreement of personal data processing between the parties, if necessary, to provide the Customer with the Service.
6. The Customer has the right to access their personal data and may verify or correct them, as well as delete them by sending a request to YetiForce S.A..
7. The Customer also has the right to limit processing and the right to transfer personal data. If personal data are processed contrary to legal requirements, then the Customer will have the right to file a complaint with the supervisory authority.
8. The Customer also has the right to object to the processing of personal data for reasons related to the specific situation of the Customer, if the personal data will be processed on the basis of legitimate interests. The Customer is also entitled to object to the processing of their personal data in each case if they are processed for the purposes of direct marketing.
9. YetiForce processes Clients' personal data and uses them to the extent and for the purpose necessary to perform the Services, including to inform about the operation of the tool, the possible ways of using it by the Customer and necessary actions, such as payments, invoices, etc.
10. The legal basis for the processing of personal data are Art. 6 clause 1 lit. b and art. 6 clause 1 lit. f, GDPR. The legitimate interest of YetiForce S.A. is marketing of own services.
11. YetiForce S.A., based on the additional and optional consent given by the Customer, he has the right to send marketing information to the email address provided. The aforementioned consent may be revoked by the Customer at any time. In the event of such consent, the legal basis for the processing of personal data will also be Art. 10 of the Act of 18.07.2002 on the provision of electronic services and art. 172 of the Telecommunications Act of 16.07.2004.
12. Personal data will be processed throughout the time needed to provide the Services to the Customer, and after their completion for the time needed to prove the correct performance of the obligations of YetiForce S.A. on behalf of the Customer. This period corresponds to the length of the limitation period for claims. Personal data processed in the field of marketing activities will be processed as long as they are conducted by YetiForce S.A. or the Customer's objection to further processing of personal data for marketing purposes or withdrawal of consent to send marketing information to the email address. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal of consent.
13. YetiForce uses technical measures required by current legislation on the protection of personal data to prevent the unauthorized acquisition and modification of personal data sent electronically.
14. The Customer cannot use the services anonymously or under a pseudonym. 
15. Customers' personal data will not be transferred to countries outside the European Economic Area.
16. The Customer has the right to receive a copy of their personal data.

Outsourcing of personal data processing 

1. Administrator of personal data: Customer
2. Personal Data Processor: Vendor
3. Further entities processing personal data: Trusted Partners
   1. OVH Sp. z o.o., ul. Swobodna 1, 50-088 Wrocław, VAT ID: 8992520556 [Cloud Infrastructure]
   2. Follow You Piotr Kujawka, ul. Ogrodowa 4B, 72-006 Mierzyn, VAT ID: 558-17-08-765 [Cloud infrastructure audits and maintenance].

The scope of the agreement

1. The entrustment agreement is concluded because of the launch of the Vendor's cloud service for the Customer. The processing of personal data connected with the performance of the agreement is subject to the provisions of Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR" ).
2. On the basis of the entrustment agreement, the Customer entrusts the Vendor [Processor] and the Vendor's Partners to process the personal data referred below. Changing the scope of entrusting processing does not require an annex, but only the consent of both Parties expressed in writing or electronically (including e-mail) by persons authorized to represent the Parties. 
   1. The scope and purpose of entrusting personal data
      1. Personal data stored in the Customer's YetiForce system relate primarily to data of companies, partners, suppliers, contacts, contracts, orders, invoices, and Customer employees' data.
   2. List of further processing parties
      1. Trusted Partners
3. The processor shall process personal data only in order to implement the Agreement and to the extent necessary to perform it, and only during its term.
4. The processor is obliged to process personal data to comply with the GDPR, other applicable law and the Agreement.

Obligations of the Parties

1. The processor is obliged to:
   1. use all technical and organizational measures adequate to the risk level to secure personal data on the principles set out in art. 32 GDPR; 
   2. help the Administrator in fulfilling the obligations specified in art. 32-36 GDPR, taking into account the nature of processing and information available to the processor;
   3. process personal data only on the Administrator's documented instruction, unless such obligation is imposed on him by applicable national or EU law; in this case, before the processing begins, the processor informs the Administrator of this legal obligation, provided that this law does not prohibit the provision of such information due to important public interest; the provision of technical support is considered to be a documented instruction of the administrator;
   4. help the Administrator to the extent possible, through appropriate technical and organizational measures, fulfill the obligation to respond to the requests of the data subject in the exercise of his rights set out in Chapter III of the GDPR;
   5. ensure that persons authorized to process personal data agree to maintain confidentiality unless they are persons obliged to maintain confidentiality under the Act;
   6. delete or return personal data and delete the copy, unless mandatory provisions of law provide otherwise, after the termination of the Agreement, depending on the Administrator's request.
2. The processor is entitled to further entrust the processing of personal data to further processors [Trusted Partners]. The processor will inform the Administrator of any intended change in the list of further processors in the manner adopted for communication in the scope of the agreement. The Administrator has the opportunity to object to such a change within the next 14 days. The processor ensures that it will only use the services of such further processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR, as well as protects the rights of data subjects. The processor is obliged to ensure that further processors are subject to at least the same obligations as imposed on the processor in the Agreement. The Administrator acknowledges that the lack of consent to a change in the list of further processors may result in the inability of the processor to continue to perform the Agreement, of which the processor will inform the Administrator immediately.
3. The processor will provide the Administrator with information necessary to perform his duties related to entrusting the processing of personal data. The processor will allow the Administrator to perform audits, including inspections, within a period agreed by the Parties in the scope of entrusting the processing of personal data by the processor and ensure cooperation in this regard. Each Party shall bear its own cost for the audit, irrespective of its result. The Administrator is obliged to keep all information obtained in the audit confidential, including audit results, as well as to ensure that the persons involved in conducting the audit also undertake confidentiality in this regard. The confidentiality obligation applies throughout the term of the Agreement and indefinitely after its termination. In the event that the preceding sentence proves to be invalid or ineffective, the confidentiality obligation will apply for the duration of the Agreement and for a period of 10 years after its termination.
4. The processor is obliged to ensure that each person processing personal data on his behalf processes it only on the instructions of the Administrator.

Data transfer

1. The processor will not transfer personal data outside the territory of the European Economic Area, unless it obtains separate permission from the Administrator in this respect, which the Administrator will not refuse without justified reasons, and such transfer will take place in accordance with the provisions of the GDPR. In any case, the transfer will take place solely in order to perform the Agreement.

Responsibility

1. Notwithstanding the provisions of the Agreement, the total contractual and tort liability of the processor in relation to the processing of personal data under the Agreement is limited to the monthly amount of the Private Cloud service, which was purchased by the Customer, unless the applicable law provides otherwise.