General Terms and Conditions of Use License Agreement
1. Definitions
The following definitions will govern these General Terms and Conditions:
- Agreement: Refers to the Use License and Accessory Services Provision Agreement, comprising these General Terms and Conditions as well as the Specific Conditions.
- Specific Conditions: Considered as those establishing the relationship between the Licensee and the Partner, detailing aspects such as price, type of hosting, Accessory Services, or contracted Risk4all modalities.
- The Parties: Refers collectively to the Licensor and the Licensee.
- Licensor: The company authorizing the use of Risk4all, which is Risk4all S.L., registered in the Madrid Commercial Registry with the address at Calle de la Ribera del Loira 38, Building 4, 28042 Madrid, and NIF B88516257.
- Licensee: The individual or legal entity contracting the use license for Risk4all. For corporate groups or equivalent entities contracting Risk4all jointly, the term applies to the entire group. The individual acting on behalf of the Licensee must have sufficient authority to accept these Conditions.
- Partner: The individual or legal entity authorized by the Licensor to distribute Risk4all to the Licensee.
- Risk4all: A Governance, Risk, and Compliance (GRC) software with the functionalities and limitations established in the Agreement.
- Accessory Services: Services linked to Risk4all that the Licensee can optionally contract through the Specific Conditions.
- Users: Individuals or automated processes using the Risk4all licenses acquired by the Licensee.
2. Purpose of the Agreement
The Agreement aims to regulate the granting of Risk4all use licenses by the Licensor, enabling the Licensee to use Risk4all for their organization, subject to the conditions and limitations established in these General Terms and Conditions as well as the Specific Conditions.
The Specific Conditions shall not contradict these General Terms and Conditions without the Licensor’s express written consent.
By accepting the Agreement, the Licensee is granted one or more use licenses for Risk4all, which will be revocable, non-exclusive, temporary, non-sublicensable, non-transferable, and onerous.
Acceptance of these Conditions does not imply the sale or transfer of ownership of Risk4all, or of any intellectual property rights or rights of any other nature over this tool, that are not expressly regulated in the Agreement.
The Agreement also regulates the provision of Accessory Services that the Licensee may contract through the Partner.
The Licensee agrees to use Risk4all in accordance with the Agreement, applicable legislation, good faith, morals, good customs, and public order.
3. Description of Risk4all and Accessory Services
3.1. Modules, functionalities, and contracting modalities
The available functionalities in each module and the conditions corresponding to each contracting modality are described below:
The Licensee may change the contracting modality at any time, subject to the costs, penalties, and/or deadlines involved, which will be assessed by the Partner.
If the change is to a lower-priced modality, it will not result in a refund of the price difference by the Licensor, notwithstanding what is established in the Specific Conditions agreed with the Partner.
3.2. Accessory Services
Additionally, the Licensee may request the provision of certain Accessory Services from the Partner, which will be provided and invoiced as specified in the Specific Conditions.
The Accessory Services may be subcontracted with specialized companies certified in the product.
4. Subscription and Support
Any Risk4all subscription includes:
- Access to new product versions that are deployed automatically (at least 3 per year). In the on-premise modality, the update procedure is established at the beginning.
- Update of standards and regulations when new versions are published.
- New functionalities.
- Updated user manual.
- Corrective support for malfunctions or bugs in 8×5 mode on working days (Madrid-Spain) from 8 AM to 5 PM and 8 AM to 3 PM in summer via the support account: support@risk4all.com.
5. Usage Limitations and Guarantees
The Licensee agrees to make appropriate use of Risk4all, ensuring the following limitations:
- The Licensee will protect and safeguard access to Risk4all, not transferring or assigning in any way the rights acquired through the Agreement to third parties. The Licensee will not allow any third party outside their organization to use Risk4all.
- The Licensee is prohibited from using Risk4all to provide direct or indirect services to entities other than the Licensee’s organization, for purposes other than those stated in the Agreement, or for any other purpose not authorized by the Licensor.
- Any activity contrary to the internal use of Risk4all as established in the Agreement is prohibited. This includes, but is not limited to, actions such as assignment, sale, sublicensing, reverse engineering, decompilation, reproduction, translation, modification, versioning, commercialization, duplication, transformation, or transmission to any other entity or individual, removal of ownership or authorship marks, etc., without the Licensor’s prior express written authorization.
- Any rights not explicitly mentioned in the Agreement are fully reserved for the Licensor, and the clauses of these General Terms and Conditions cannot be interpreted in a way that is detrimental to the Licensor or contrary to the legal exploitation of the license.
The Licensor reserves the right to carry out necessary checks to verify the proper use of Risk4all and full compliance with the Agreement clauses.
6. Responsibility, Requirements, and Maintenance of Risk4all
Considering the functionalities of Risk4all and the content of the Accessory Services, the Licensor will not assume any liability for direct or indirect damages or losses that the Licensee or other third parties may suffer due to service interruptions, malfunctions, failures, or data losses.
Notwithstanding the above, the Licensor commits to taking the necessary measures and solutions to correct or minimize possible issues experienced by the Licensee, who in no case may claim any amount as compensation or for any other concept due to possible errors, response times, or access problems to Risk4all.
The Licensee will be solely responsible for their Users, exonerating the Licensor from any liability. The Licensee must implement the necessary measures to prevent unauthorized, fraudulent, or irregular use of Risk4all by their Users.
The Licensee will be responsible for ensuring Users comply with the conditions governing Risk4all. This includes, but is not limited to:
- Diligent use of Risk4all by Users.
- Use of inaccurate, false, incomplete, or outdated identifying data, or using false identities or other Users’ identities.
- Lack of operability due to reasons beyond the Licensor’s control.
- Dissemination, storage, publication, or distribution of defamatory, violent, obscene, xenophobic, or discriminatory information.
- Inclusion or use of any software, data, virus, code, or any other device, mechanism, or routine capable of causing damage to Risk4all or other equipment or systems, whether own or third-party.
- Introduction, transmission, or dissemination through Risk4all of any content that infringes third-party rights or is contrary to the law.
For the proper functioning of Risk4all, the Licensor recommends the following technical requirements:
- Internet connection.
- Internet browser.
- Office suites (for reading reports extracted from Risk4all).
The Licensee is solely responsible for ensuring the compatibility of Risk4all with their operating systems and computer equipment.
7. Economic Conditions
7.1. Price and Payment
The Licensee agrees to pay for the Risk4all licenses and contracted Accessory Services as established in the Specific Conditions agreed with the Partner.
7.2. Non-payment
In case of non-payment for a period of three (3) months, the Licensor reserves the right to suspend the Risk4all use licenses and terminate the Agreement early without any right to compensation for the Partner and without prejudice to claiming the pending payment.
8. Intellectual Property
The Licensor is the legitimate owner or licensee of all intellectual and industrial property rights inherent to Risk4all and its contents (including, but not limited to, databases, images, photographs, drawings, graphics, icons, operations, and text, audio, video, and code files) as well as trademarks, logos, trade names, or any distinctive signs that form or have formed part of Risk4all at any time. These materials are protected by Spanish intellectual and industrial property laws.
Any improvement, change, or additional development of Risk4all will be owned by the Licensor, including functionalities developed at the Licensee’s request.
According to the Agreement, the Licensor only grants one or more non-exclusive use licenses to the Licensee. This document does not grant the Licensee any intellectual or industrial property rights over Risk4all beyond what is strictly necessary for its proper use and operation, nor does it imply a waiver of these rights by the Licensor.
Unless the Licensor expressly states in writing otherwise, it is not permitted to reproduce, modify, extract, adapt, publish, transmit, copy, make available or distribute, or otherwise use all or part of the Risk4all content without the prior written authorization of the Licensor. Any use of such content may constitute a violation of the Licensor’s intellectual property rights, reserving the right to take appropriate legal action.
The Licensee may not sell, resell, distribute, or otherwise make available to a third party the content of Risk4all or fragments or other information derived from it in any manner or by any means without the express prior written authorization of the Licensor. Under no circumstances may Risk4all or any of its contents be downloaded or executed in a manner or medium different from what is specified in the Agreement.
The Licensor reserves the right to modify and update Risk4all. The Licensor does not guarantee or certify that the content of Risk4all is accurate, complete, or up-to-date, nor that it is free of errors or omissions.
9. Confidentiality
The Parties agree to maintain the utmost secrecy and confidentiality regarding information classified as confidential, whether technical, commercial, industrial, or of any other nature, provided by the other party due to the provision of services under the Agreement or during its negotiation, execution, or implementation. Confidential information cannot be disclosed, communicated, or provided to third parties without the prior express written authorization of the Licensor.
Confidential information will be considered any information accessed by a party under the Agreement, especially personal information and data of the other party accessed during the execution of the Agreement. This information, along with its copies and/or reproductions, will be considered confidential for the purposes of the Agreement.
Information and data that were public domain or already in the possession of the Parties before initiating the Agreement negotiation, obtained by lawful means according to applicable legislation, will not be considered confidential.
The confidentiality obligation established in the Agreement will be indefinite, remaining in effect even after the termination of the relationship between the Parties for any reason.
Each Party will be responsible for ensuring that its personnel, collaborators, managers, and generally all persons under its responsibility who have access to confidential information and personal data of the other party respect the confidentiality of the information and the obligations related to the processing of personal data even after the termination of the Agreement. Therefore, the Parties will make all necessary warnings and sign all necessary documents with these individuals to ensure compliance with these obligations.
Each Party will keep at the disposal of the other documentation proving compliance with the obligation established in the previous paragraph.
10. Data Protection
10.1. Personal Data of the Licensee’s Representatives and Contacts
The Partner and/or the Licensee will provide the Licensor with personal identification and contact data of the Licensee’s representatives and professional contacts for the proper fulfillment of the Agreement.
The Licensor informs the interested parties that their personal data will be processed to perfect, execute, control, and maintain the Agreement.
The legal basis for processing the data of the interested parties is the necessity for the execution of the Agreement.
Data will be retained during the term of the Agreement and subsequently for the legally required period to address potential liabilities arising from the contractual relationship.
The Licensor will also use the contact data of the interested parties to send, by any provided contact means, (i) functional information about the use, incidents, or updates of Risk4all, and (ii) commercial information about products, services, promotions, news, or events related to information security, privacy, software, technology, and related sectors. When these communications are sent by email, the tool used for sending communications will include links and tiny transparent images associated with the recipient’s email address. This way, when an image is downloaded or a link in the email is accessed, the recipient can know statistically if the email was opened or if a link was accessed. The recipient can reject these uses by configuring their email program to prevent automatic image downloads and not accessing links in received emails. In each commercial communication, the Licensee may oppose receiving such information through the indicated contact means to process their opt-out. The legal basis for this processing is the Licensor’s legitimate interest and the existence of a prior legal relationship, being commercial communications about similar products or services originally contracted by the Licensee. Data will be processed indefinitely for this purpose until the Licensee objects or requests the deletion of their data.
In any case, affected individuals may exercise their rights of access, rectification, deletion, opposition, restriction, and portability before the Licensor by written communication to the address at the beginning of this document or by email to dpo@risk4all.es, sufficiently accrediting their identity, identifying themselves as a party to or an interested party in this Agreement, and indicating the right they wish to exercise. If their data protection rights are violated, they may file a complaint with the Spanish Data Protection Agency (www.aepd.es) or the Licensor’s Data Protection Officer (dpo@risk4all.es).
10.2. Processing Assignment
To maintain the Agreement, the Licensor may process personal identification and contact data for which the Licensee is responsible or has been commissioned to process by third parties. For the purposes of the Agreement, the Licensee will be considered the data controller and the Licensor the data processor under Articles 28 and 29 of Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 (GDPR).
Each Party is obliged to comply with their respective data protection obligations.
10.2.1. Obligations Assumed by the Licensee
If, for maintaining the Agreement, the Licensee makes available to the Licensor personal identification and contact data for which they are responsible, the Licensee guarantees and states for the record that:
- If the processing includes the collection of personal data on behalf of the Licensee, they will establish the corresponding procedures for data collection, especially regarding the duty of information and, where applicable, obtaining consent from the affected individuals, ensuring these instructions comply with all legal and regulatory requirements of current data protection laws.
- If the processing does not include the collection of personal data on behalf of the Licensee, they guarantee that the personal data the Licensor will access under this Agreement has been obtained and processed in compliance with all legal and regulatory requirements of current data protection laws.
- The Licensee complies with all data protection obligations as the data controller and is aware that the terms of this Agreement do not alter or replace the obligations and responsibilities attributable to the Licensee as the data controller.
- The Licensee will supervise the processing and compliance with data protection regulations by the Licensor.
10.2.2. Obligations Assumed by the Licensor
Consequently, the Licensor assumes the following obligations:
- Access the personal data for which the Licensee is responsible only when necessary for the proper development of the services contracted, such as support or maintenance tasks or, where applicable, for hosting Risk4all.
- Process the data according to the documented instructions received from the Licensee.
- Immediately inform the Licensee if any of the Licensee’s instructions violate current data protection regulations.
- Not use or apply the personal data for which the Licensee is responsible for any purpose other than that indicated in the Agreement or in any other way that breaches the Licensee’s instructions.
- Not disclose, transfer, assign, or otherwise communicate the personal data for which the Licensee is responsible, whether verbally or in writing, electronically, on paper, or through computer access, except with the prior authorization or instruction of the Licensee.
- Except for auxiliary services related to the Licensor’s activity, if subcontracting all or part of the services contracted by the Licensee involving personal data processing, the Licensor must notify the Licensee in writing at least one month in advance, indicating the treatments intended for subcontracting and clearly identifying the subcontractor and their contact details. Subcontracting may proceed if the Licensee does not object within the specified period. The subcontractor, who will also be a data processor, must comply with the obligations established in this document for the data processor and the instructions issued by the data controller. The Licensor will remain fully responsible to the Licensee regarding compliance with the obligations. In relation to this, the Licensee generally authorizes the Licensor from the outset to subcontract the hosting of Risk4all and development and maintenance tasks with companies or entities within the European Union. The Licensee may request information from the Licensor about the services and subcontracted companies or entities at any time.
- Promptly forward to the Licensee within a maximum of two (2) business days any request to exercise the right of access, rectification, deletion, opposition, processing restriction, data portability, and not being subject to automated individual decisions made by an affected person whose data has been processed by the Licensor under this Agreement to allow the Licensee to address it within the timeframes established by current regulations.
- Make available to the Licensee all necessary information to demonstrate compliance with its obligations and to facilitate audits or inspections conducted by the Licensee or another authorized auditor.
- If the Licensor must transfer or allow access to personal data for which the Licensee is responsible to a third party under Union or Member State law applicable to the Licensor, they will inform the Licensee of this legal requirement before proceeding unless prohibited for public interest reasons.
- Once the contractual relationship between the Licensee and Licensor ends, the Licensee must provide precise instructions on the data’s disposition, choosing between returning, transferring to another service provider, or completely destroying it unless legally required to retain the data, in which case it cannot be destroyed.
- Implement and apply appropriate technical and organizational measures to ensure a level of security that prevents alteration, loss, unauthorized processing, or access, considering the state of technology, the nature of the data stored, and the risks to which they are exposed, as provided in Article 32 of the GDPR. The Appendix to this license includes details of the security measures applied to the system when data is hosted by the Licensor’s providers.
- In the event of a personal data security breach in the information systems used by the Licensor to provide the services under the Agreement, the Licensor must notify the Licensee without undue delay and, in any case, within a maximum of 72 hours of becoming aware of the breach, along with all relevant information for documenting and communicating the incident as provided in Article 33.3 of the GDPR.
11. Duration and Termination of the Agreement
11.1. Effective Date and Term
The Licensor will confirm the effective date of the Use License by email.
Unless otherwise specified in the specific conditions, the Use License will have a term of one (1) year from the effective date.
11.2. Early Termination of the Agreement
Either Party may suspend or definitively terminate the Agreement if the other Party breaches any of the clauses established in the Agreement severely and/or repeatedly. In this context:
- Severe breach: Causes direct damage or harm to the other party, or, without causing direct damage or harm, is not remedied within three (3) months.
- Repeated breach: Occurs more than three times within one (1) year.
Early termination of the Agreement for any of the causes established in this Clause does not exempt the Parties from fulfilling their pending obligations under the Agreement. Early termination of the Agreement will not result in the refund of the Price or any proportional part thereof.
12. Assignment of the Agreement
Neither Party may assign, encumber, transfer, or otherwise dispose of the Agreement or any rights or obligations contained therein without the prior written consent of the other Party.
In such a situation, the assigning party must inform the other party one (1) month in advance, during which the other party may proceed with the early termination of the Agreement.
13. Miscellaneous
- If any clause of the Agreement is declared invalid or void, it will be modified to the extent possible to fulfill the Parties’ intent. In any case, all other clauses of the Agreement will be considered valid and enforceable in their entirety.
- The Licensee may request information about other Partners or the assignment of a new Partner at any time.
- The Licensee may request a trial or demonstration license for Risk4all’s functionality. Such a trial or demonstration will be conducted in test environments that do not guarantee the confidentiality, security, or persistence of information. Therefore, the Licensee should not use real or confidential data during the trial period.
- The Parties declare themselves independent entities, and nothing in the Agreement implies an agency, collaboration, or joint-venture relationship.
- Signing the Agreement does not imply a waiver of any rights that each Party may have under applicable law at any time.
- The Parties declare that the General Terms and Specific Conditions, along with any subsequent annexes or addenda, constitute the sole valid agreement and principal instrument of the relationship between them, rendering any prior provisions contrary to these void unless expressly and in writing agreed otherwise.
- The Parties may add amendments, modifications, and annexes to the Agreement, which will be binding from the effective date as long as they are in writing, signed or accepted by an authorized representative of the Parties, and incorporated into the Agreement.
- The Agreement will be accepted through the means provided by the Partner or mutually agreed upon between the Licensee and the Partner.
- The Agreement was originally drafted in Spanish. In case of any contradiction between the Spanish version and its translation into any other language, the Spanish version will apply.
- By accepting the Agreement, the Licensee agrees to fully and unreservedly adhere to all clauses stipulated at the time of contracting and guarantees:
  - That they have read, understand, and accept these General Terms and Specific Conditions.
  - That the person who accepted the Agreement has sufficient representation capacity to bind the Licensee to the Agreement terms.
- The Licensee will always have access to these General Terms before starting the contracting procedure and may store and/or reproduce them on a durable medium.
- By accepting the Agreement, and without prejudice to confidentiality conditions, the Licensee authorizes the Licensor to use their logo and brand or trade name to promote Risk4all on their website, promotional or informational emails, and any commercial material online or on paper; all free of charge and without territorial or temporal limitation. In online materials, the logo or brand may act as a link to the Licensee’s website. The Licensee’s representative guarantees sufficient capacity to formalize this authorization. The Licensee may revoke this authorization at any time by written communication to the Licensor.
14. Applicable Law and Jurisdiction
The Agreement will be governed and interpreted according to Spanish law.
For any issues arising from the interpretation and execution of the Agreement clauses, both Parties, expressly waiving any other jurisdiction that may correspond to them, submit to the jurisdiction and competence of the courts and tribunals of Madrid Capital (Spain).
Appendix – Technical and Organizational Security Measures
Risk4all implements the following technical and organizational measures to ensure the security of personal data for which the Licensee is responsible, applicable to all modalities hosted by the Licensor:
- Information security policy.
- User regulations.
- Roles and responsibilities for security.
- Risk assessment at planned intervals or when there are significant changes.
- System architecture documentation.
- Capacity management for key components (CPU, disk, memory, and network).
- Access control policy.
- Access management by unique identifiers and passwords.
- Role-based access management/security groups.
- Segregation of functions and tasks through the separation of environments and independent users.
- Asset inventory.
- Base security configurations for each architecture element.
- Monthly vulnerability analysis and annual penetration testing.
- Regular patching and updates.
- Incident management procedure.
- Logging user and administrator activities.
- Daily system and data backups.
- Data Processing Center located in Madrid (Spain).
- Availability: 99.99%.
- Connectivity availability: 99.5%.
- Hardware availability: 99%.
- ISO/IEC 27001 – ISO 22301 certified providers.
- Firewall and IDS.
- Staff security awareness and training.
- Secure development training.
- Separate development, testing, and production environments.
- Simulated test data, ensuring the same security measures.
For more information on these security measures, please request details from Risk4all via the contact form on this website.