Terms of Use

1) Terms of Service

VERSION: 5/2025

AREA OF APPLICATION: these terms of service (the “Agreement”) govern the Customer’s Use of the Service (as defined herein).

Upon submitting a subscription order or by accepting an offer from Sandvik, or an Approved Source, you accept the terms and conditions of this Agreement on behalf of the Customer, and you represent and warrant that: (i) you have full legal authority to bind the Customer to this Agreement; (ii) you have read and understand this Agreement; (iii) you agree, on behalf of the Customer, to this Agreement; and (iv) you agree, on behalf of the Customer, to ensure that all individual users of the Service will comply with applicable sections of this Agreement as well as the Acceptable Use Policy. If you do not have the legal authority to bind the Customer, do not click to accept, do not sign a main agreement or similar referring to this Agreement, and do not Use the Software.

By clicking accept, signing a main agreement or similar referring to this Agreement, or Using the Software, the Customer agrees to be bound by the Agreement and the Agreement enters into force (the “Effective Date”).

1. DEFINITIONS

“Acceptable Use Policy” means the acceptable use policy for the Service, as available on the Homepage or through the Service as updated by Sandvik from time to time.

“Approved Source” means a reseller, distributor or other entity authorized by Sandvik to sell the Service.

“Customer” means the legal entity subscribing to the Service under this Agreement.

“Customer Data” refers to any Customer’s user data (such as user IDs, passwords etc.), tool and machine data, information about vendors, manufacturers, customers, prices and all other data or information uploaded by the Customer into the Service.

“Derived Data” means anonymized and aggregated data (such as metadata, generated data and by-product data) obtained and collected by Sandvik in connection with Customer’s Use of the Service.

“Documentation” means the most recent written or online (i) user manuals, (ii) e-learning modules or other training materials, (iii) technical requirements on the Customer’s IT environment (e.g. infrastructure and network requirements), or (iv) other documentation applicable to the Service which Sandvik may make available through the Service, its Approved Sources and/or on the Homepage from time to time.

“Global Trade Laws and Regulations” means the customs, import, export, re-export, trade control and sanctions laws, regulations and orders applicable to a transaction, including but not limited to the customs and export control laws and regulations of the UN, US, EU, UK, China and any country in which the Products are manufactured, received and used.

“Homepage” means https://toolhivesolutions.com.

“Manufacturer Data” means tool data, machine data and any other know-how or information made available by Sandvik to the Customer via the Service.

“Products” means the products and services described in the Agreement and any other product or service that Sandvik agrees to make available under this Agreement.

“Sandvik” means Sandvik Machining Solutions AB, reg.no. 556692-0053, a limited liability company incorporated under the laws of Sweden having its registered office at SE-811 81 Sandviken, Sweden.

“Service” means the complete software offering made available by Sandvik, including the Toolhive Software (in any applicable version), Documentation, Manufacturer Data, as well as other functionality and associated services (including infrastructure and support services), as further and exhaustively described in the Documentation.

“Subscription Details” means the allowed level of usage and other details of the subscription as included in the order confirmation, including term, type and quantity of Toolhive Software, and the from time to time applicable payment terms and price list.

“Territory” means the country in which the Customer has its legal seat at the time of entering into this Agreement.

“Third Party Services” means software, software services and materials provided by third parties as part of or otherwise used together with the Service, as specified in Section 2.5.

“Toolhive Software” means the Toolhive software consisting of, inter alia, the interface and administration portal made available to the Customer under this Agreement, as further specified in the Documentation.

“Use” or “Using” means to download, install, activate, access or otherwise use the Service or any part thereof.

2. SUBSCRIPTION

2.1. Upon submitting a purchase order or by accepting an offer from Sandvik, or an Approved Source, (including acceptance of this Agreement), and full payment of the applicable subscription fee for the initial term, the Customer will be provided with access to the Service in accordance with the terms of this Agreement.

2.2. Subject to payment of the applicable fees and compliance with this Agreement, and during the Customer’s subscription period set out in the Subscription Details, Sandvik grants to Customer a limited, non-exclusive, non-sub-licensable, non-transferable, revocable right to Use the Service solely for Customer’s internal operations in the Territory and in accordance with the Subscription Details, the Acceptable Use Policy, the Documentation and this Agreement. Customer and its Affiliates are not entitled to further rights associated with the Sandvik Service, such as ownership, copyright, patent, trademark, or other usage rights not explicitly granted under the Agreement. For the avoidance of doubt, Use of Third Party Services is not included in the subscription (see Section 2.5 below).

2.3. The Subscription Details will identify the term and duration of Customer’s subscription period.

2.4. The Service may contain certain Third Party Services, which are provided and licensed solely under the terms and conditions provided by their respective suppliers. Third Party Services provided or made accessible together with the Service are further described in the Documentation, including links to the relevant terms and conditions. Sandvik assumes no liability whatsoever for Third Party Services, or for any errors in the Service (or any other liability whatsoever) that may occur as a result of Third Party Services. Further, the Customer may, if the Service supports such functionality, add additional Third Party Services not provided or made accessible together with the Service. Sandvik does not support or endorse the use of any Third Party Services not listed in the Documentation.

2.5. Sandvik may offer the Service to the Customer at no charge for a limited period e.g. for trial use (“Free Trial”) as set out in the Subscription Details. The Customer’s use of a Free Trial is subject to any additional terms that Sandvik may specify and is only permitted during the term designated by Sandvik in the Subscription Details (such term not to exceed a maximum period of 30 days unless otherwise specified). Following the Free Trial period, the Customer’s access to, and right to use, the Service will expire, and the Customer must submit an order for a paid subscription to receive continued or renewed access to the Service.

2.6. Sandvik may offer Customers access to a Service which is not yet an official product and has not been commercially released for sale by Sandvik (the “Beta Service”). Where specified in the purchase order that the Customer is provided access to a Beta Service, the following shall apply and shall have precedence over any conflicting terms in this Agreement: Customer acknowledges and agrees that: (a) the Beta Service is not yet an official product and has not been commercially released for sale by Sandvik; (b) the Beta Service may not operate properly, be in final form or be fully functional; (c) the Beta Service may contain errors, design flaws or other problems; (d) it may not be possible to make the Beta Service fully functional; (e) Sandvik may update, improve, modify or otherwise change the Beta Service at Sandvik’s discretion and without prior notice to the Customer; (f) the information obtained using the Beta Service may not be accurate and may not accurately correspond to information extracted from any database or other source; (g) use of the Beta Service may result in unexpected results, loss of data or communications, project delays or other unpredictable damage or loss; (h) Sandvik is under no obligation to release a commercial version of the Beta Service; (i) any Customer Data uploaded or created during use of the Beta Service and/or Derived Data may, in Sandvik’s sole discretion, be migrated to a subsequent version of the Service, if released; and (j) Sandvik may choose at any time to abandon development of the Beta Service without any obligation or liability to the Customer. 

3. RESTRICTIONS OF USE

3.1. To the maximum extent permitted by any mandatory provision of applicable legislation, Customer shall not (and shall not allow any third party to) during the term of this Agreement or at any time thereafter:

3.1.1. transfer, sublicense, or assign the Customer’s rights under this Agreement to any other person or entity, except for the employees, contractors, representatives and officers of the Customer who have been designated by the Customer as users pursuant to this Agreement and subject to the Acceptable Use Policy;

3.1.2. modify, adapt or create derivative works of any part of the Service or reverse engineer, decompile, decrypt, disassemble or otherwise attempt to derive any source code, underlying ideas, algorithms, libraries, file formats, data, databases or programming interfaces for the Service;

3.1.3. distribute, publish, or otherwise make any Manufacturer Data, Documentation or other part or functionality of the Service available to third parties, whether as an application service provider, or on a rental, service bureau, hosted service, cloud service or other similar basis; or

3.1.4. remove, modify, or conceal any product identification, copyright, proprietary, intellectual property notices or other marks on or within the Service or Manufacturer Data.

4. OWNERSHIP AND USE OF INTELLECTUAL PROPERTY RIGHTS

4.1. Sandvik or its licensors retain ownership of all intellectual property rights in and to the Service, including copies, improvements, enhancements, derivative works and modifications thereof. Any intellectual property rights created by, or arising as a result of, the Customer’s use of the Service shall vest with Sandvik.

4.2. The Customer’s rights to Use the Service are limited to those expressly granted by this Agreement and any applicable Subscription Details. No other rights with respect to any part of the Service or any related intellectual property rights are granted or implied.

5. RIGHT OF USE

5.1. It is the Customer’s responsibility to ensure that a user account for the Service is set up, as per the instructions in the Documentation.

5.2. The Service shall be operated by Sandvik using the infrastructure of a trusted cloud hosting provider. Customer shall be responsible for the internet connection to access and use the Service and ensure that the hardware and software required for this purpose are in place (e.g., PC, network connection, browser) and that all other technical requirements are fulfilled as described in the Documentation, on the Homepage or in another agreement or document between the Customer and Sandvik, or an Approved Source.

5.3. Sandvik reserves the right to suspend the Service, and to take all other actions permitted by law in the event Customer fails to pay in full when due all amounts to Sandvik or to an Approved Source as applicable.

5.4. The Customer shall be solely responsible for all activities by individual users who the Customer designates to Use the Service. All Use of the Service must be in strict compliance with the Acceptable Use Policy and this Agreement. The Customer undertakes to indemnify and hold Sandvik, or any Approved Source, harmless and upon Sandvik’s request defend Sandvik, or an Approved Source, from any claim, proceeding, liability, loss, cost or expense inflicted upon or incurred by Sandvik, or an Approved Source, resulting from any use of the Service by the Customer’s users or by a third party who has obtained, lawfully or unlawfully, access to the Service (including content thereof) from the Customer or the Customer’s users (or through any passwords or other access credentials provided to or used by the Customer or the Customer’s users), including, but not limited to, claims from third parties, damages, lost profits and additional subscription fees for Sandvik, or an Approved Source, or other costs, including reasonable attorney’s fees.

5.5. The Customer assumes sole responsibility for all data and results obtained from its use of the Service, and for conclusions or courses-of-action drawn from such use, and for maintaining validation, error correction, back up and reconstruction of its own data input to, or output by, the Service.

5.6. Customer has no right to copy, and thus has no right to a backup copy of, the source code. All rights in the Service defined under the Agreement remain entirely with Sandvik.

5.7. The Customer is responsible for ensuring that its Use of the Service as well as Third Party Services complies with all relevant terms and conditions as well as applicable legislation, including (without limitation) laws related to manufacturing and export restrictions, and will indemnify Sandvik, and any Approved Source, against any damages, claims, losses and costs resulting from any such incorrect or illegal use.

5.8. Notwithstanding any terms in the Agreement to the contrary, the Parties agree to the global trade compliance obligations as provided in Appendix 1. The Parties agree that wherever there is any conflict between this Appendix 1 and the Agreement (including other appendices), the provisions of this Appendix 1 will prevail, and the Agreement (including other appendices) will be construed accordingly.

6. DISCLAIMER AND NO WARRANTY

6.1. EXCEPT FOR ANY SPECIFICALLY AGREED UPON LIMITED WARRANTY AS EXHAUSTIVELY SET FORTH IN THE ORDER DETAILS AND/OR THE DOCUMENTATION, THE SERVICE IS PROVIDED "AS IS", "AS AVAILABLE" AND "WITH ALL FAULTS". TO THE FULLEST EXTENT PERMISSIBLE BY LAW, SANDVIK DOES NOT MAKE ANY REPRESENTATIONS OR WARRANTIES OR ENDORSEMENTS OF ANY KIND WHATSOEVER, EXPRESS OR IMPLIED, AS TO: (A) THE TOOLHIVE SOFTWARE; (B) THE DOCUMENTATION; (C) SECURITY ASSOCIATED WITH THE TRANSMISSION OF INFORMATION TO SANDVIK; OR (D) THIRD PARTY SERVICES AND/OR OTHER ASSOCIATED SERVICES PROVIDED OR MADE AVAILABLE AS PART OF OR TOGETHER WITH THE SERVICE. IN ADDITION, SANDVIK HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, TITLE, CUSTOM, TRADE, QUIET ENJOYMENT, SYSTEM INTEGRATION AND FREEDOM FROM COMPUTER VIRUS.

6.2. SANDVIK DOES NOT REPRESENT OR WARRANT THAT ANY PART OF THE SERVICE OR THIRD PARTY SERVICES WILL BE AVAILABLE, ERROR-FREE OR UNINTERRUPTED; THAT INCIDENTS OR DEFECTS WILL BE CORRECTED; OR THAT THEY WILL BE FREE FROM ANY HARMFUL COMPONENTS, INCLUDING, WITHOUT LIMITATION, VIRUSES OR MALWARE. SANDVIK DOES NOT MAKE ANY REPRESENTATIONS OR WARRANTIES THAT MANUFACTURER DATA OR THE INFORMATION, DATA OR RECOMMENDATIONS FROM THE SERVICE ARE ACCURATE, COMPLETE, OR USEFUL.

6.3. THE CUSTOMER ACKNOWLEDGES THAT ITS USE OF THE SERVICE AND THIRD PARTY SERVICES IS AT ITS SOLE RISK. SANDVIK DOES NOT WARRANT THAT THE CUSTOMER’S USE OF THE SERVICE, THIRD PARTY SERVICES OR OTHER RESULT FROM THE SERVICE, IS LAWFUL IN ANY PARTICULAR JURISDICTION, AND SANDVIK SPECIFICALLY DISCLAIMS SUCH WARRANTIES. SOME JURISDICTIONS LIMIT OR DO NOT ALLOW THE DISCLAIMER OF IMPLIED OR OTHER WARRANTIES SO THE ABOVE DISCLAIMER MAY NOT APPLY TO THE CUSTOMER TO THE EXTENT SUCH JURISDICTION'S LAW IS APPLICABLE TO THE CUSTOMER AND THESE TERMS.

7. DATA COLLECTION AND MANAGEMENT

7.1. General

7.1.1 The overall principles and framework for the collection and use of data in connection with the Service are described in the Documentation and/or the Homepage from time to time.

7.2. Customer Data

7.2.1 In connection with providing the Service, Sandvik and its Affiliates will collect, store, and process Customer Data. Sandvik and its Affiliates undertake to implement security solutions in accordance with generally accepted industry standards designed to protect Customer Data within Sandvik’s control from destruction, unauthorized access or disclosure, as specified in the Documentation. Customers are encouraged to implement their own backup solutions for Customer Data. The Customer shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data and warrants that it has all rights necessary to submit any Customer Data or Feedback.

7.2.2 Sandvik or its Affiliates make no claim to ownership of the Customer Data. Customer authorizes Sandvik and its Affiliates, and grants a non-exclusive, worldwide, royalty-free license, to use, copy and modify Customer Data (i) to provide the Service and to allow Sandvik or its Affiliates to perform in accordance with this Agreement (including, but not limited to, conducting maintenance and providing customer support or other services on Customer’s request); (ii) to analyze, develop and improve the Service or other products or services (including to generate Derived Data); and (iii) as otherwise required to comply with applicable laws or regulations. The licenses granted herein shall remain in force until Customer chooses to remove Customer Data or deletes its Account where such Customer Data is stored. Any use of Customer Data by Sandvik is subject to the terms of this Agreement and any applicable data protection laws and regulations.  

7.3. Derived Data

7.3.1. The Customer agrees and acknowledges that Sandvik may, and Sandvik reserves the right to, create, obtain, collect, store, process and use Derived Data generated through the Customer’s Use of the Service, such as metadata and other information about the Customer’s use of the Service, downloads, in-app purchases, Customer Data, and/or other data; provided, however, that neither the Customer nor particular users shall be identifiable in or from such Derived Data. For the avoidance of doubt, Derived Data will not contain any Personal Data (as defined in the General Data Protection Regulation (EU) 2016/679).

7.3.2. All rights, title and interest in relation to Derived Data will be exclusively retained by Sandvik and may be freely used for Sandvik’s or its affiliates’ own business purposes, including the development, optimization, improvement, marketing, scheduling, and support of (i) the Service; and (ii) other current and future (a) software, services, and systems; (b) processes; and (c) support ((i) – (ii) jointly referred to as the “Purpose”).

7.3.3. The Customer agrees that the Derived Data may be shared with third parties for the Purpose, provided that neither the Customer nor particular users are identifiable from such Derived Data. The Customer also acknowledges and agrees that Sandvik will not provide any copies of (or information about) Derived Data to the Customer, and that Sandvik will not be required to return or destroy any such Derived Data (upon termination of this Agreement, Account deletion, cessation of the Beta Service or otherwise).

8. PERSONAL DATA PROCESSING

8.1. In the provision of the Service, Sandvik may process Personal Data (as defined in the General Data Protection Regulation (EU) 2016/679) related to people employed or otherwise engaged by the Customer, e.g. in relation to hosting, support and maintenance, user accounts and information and data connected thereto. Customer will be the data controller for such processing of Personal Data and Sandvik will be engaged by Customer as a data processor pursuant to the General Data Protection Regulation (EU) 2016/679. Pursuant to such engagement, the parties hereby agree a separate schedule to this Agreement, the Data Processing Agreement (DPA), which shall govern the processing of personal data under this Agreement as set forth at XX

9. FEEDBACK

9.1. The Customer agrees that any submission of feedback, suggestions, ideas, or other information or materials regarding the Service that the Customer provides, whether by email, in meetings or otherwise (“Feedback”) is at Customer’s own risk and that Sandvik has no obligations (including without limitation obligations of confidentiality) with respect to such Feedback, unless otherwise specifically agreed in writing. The Customer represents and warrants that the Customer has all rights necessary to submit the Feedback. If the Customer elects to provide Feedback to Sandvik, the Customer understands and agrees that Sandvik may use such Feedback and that the Customer provides Sandvik an irrevocable right and ability to reproduce, perform, display, distribute, adapt, modify, re-format, create derivative works of, and otherwise commercially or non-commercially exploit any and all Feedback whether or not in connection with the operation and maintenance of the Service. In the event Sandvik elects to use any Feedback provided by the Customer, no compensation is payable, or any credit required in relation to the Customer.

10. AVAILABILITY, SUPPORT AND CHANGES

10.1. Sandvik will make commercially reasonable efforts to keep the Service available and accessible at all times. Nonetheless, interruptions and incidents will occur and Sandvik hereby disclaims any and all obligations or guarantees to keep the Service available. Sandvik may upon Customer’s request offer a separate Service Level Agreement (SLA).

10.2. Sandvik, or its Approved Source, may provide professional services subject to separate agreements, for example in relation to installation, integrations, training or other agreed services.

10.3. Subject to the terms in this Agreement, the Service includes support services to the extent described on the Homepage from time to time.

10.4. Sandvik may update, improve, modify or otherwise change the Service at Sandvik’s discretion and without prior notice to the Customer. Such changes and modifications to the Service may include changes to the functionality, quality and/or scope of the Service. The Customer acknowledges that such changes and modifications, or other maintenance work, may lead to down-time and decreased availability of the Service.

11. INFRINGEMENT INDEMNITY

11.1. Sandvik shall defend the Customer against any third party claim that the Customer’s permitted use of the Service, including Manufacturer Data, infringes any intellectual property rights in the EU as of the Effective Date, and shall indemnify the Customer for any amounts awarded against the Customer in judgment or settlement of such claims subject to the limitations in this Section 11 and Section 12, provided that (i) Sandvik is given prompt notice of any such claim; (ii) the Customer provides reasonable co-operation to Sandvik in the defense and settlement of such claim; and (iii) Sandvik is given sole authority to defend or settle the claim.

11.2. In the defense or settlement of any claim, Sandvik may procure the right for the Customer to continue using the Service, replace or modify the Service so that it becomes non-infringing or, if such remedies are not reasonably available in Sandvik’s sole discretion, terminate this Agreement with immediate effect. The Customer shall, in case of such termination by Sandvik, be obliged to stop using the Service, and the Customer will, as full and final compensation, obtain a refund equal to any prepaid subscription fee pro rata to any remaining period of time for which the Customer has subscribed to use the Service according to the Subscription Details.

11.3. In no event shall Sandvik, its employees, agents and sub-contractors be liable to the Customer to the extent that the alleged infringement is based on or results from:

11.3.1. a modification of the Service (or any part thereof) by anyone other than Sandvik,

11.3.2. the Customer’s use of the Service (or any part thereof) in breach of this Agreement, the Acceptable Use Policy, the Documentation or in a manner contrary to the instructions given to the Customer by Sandvik,

11.3.3. any Customer Data,

11.3.4. the Customer’s use of the Service (or any part thereof) after notice of the alleged or actual infringement from Sandvik or any appropriate authority; or

11.3.5. the use of or combination with any Third Party Services or with any models, designs, plans, instructions, specifications, diagrams or the like not provided by Sandvik, provided that such use of or combination with the models, designs, plans, instructions, specification, diagrams or the like are the basis for the infringement claim.

11.4. Sandvik’s liability under this Section will be reduced proportionately to the extent the liability was caused or contributed to by an act or omission of the Customer or any of its personnel.

11.5. The foregoing states the Customer’s sole and exclusive rights and remedies, and the entire obligations and liability of Sandvik (including Sandvik’s employees, agents and sub-contractors), for any alleged or proven infringement of any intellectual property rights.

12. LIMITATION OF LIABILITY

12.1. NOTHING IN THIS AGREEMENT EXCLUDES THE LIABILITY OF EITHER PARTY (I) FOR FRAUD OR FRAUDULENT MISREPRESENTATION; OR (II) FOR DEATH OR PERSONAL INJURY CAUSED BY GROSS NEGLIGENCE OR WILFUL MISCONDUCT.

12.2. SUBJECT TO SECTION 12.1: IN NO EVENT WILL SANDVIK BE LIABLE FOR THE FOLLOWING, REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OR INABILITY TO USE THE SERVICE OR OTHERWISE, EVEN IF SANDVIK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES: (A) INDIRECT, INCIDENTAL, EXEMPLARY, PUNITIVE, SPECIAL OR CONSEQUENTIAL DAMAGES; (B) LOSS OR CORRUPTION OF DATA/INFORMATION OR INTERRUPTION OR LOSS OF BUSINESS; OR (C) LOSS OF REVENUE, PROFITS, GOODWILL OR ANTICIPATED SALES OR SAVINGS. FURTHER, SANDVIK AND ITS LICENSORS WILL NOT UNDER ANY CIRCUMSTANCES BE LIABLE FOR ANY LOSS, DAMAGE OR INJURY, WHETHER TO PERSONS, MACHINES, TOOLS, WORKPIECES, OTHER TANGIBLE PROPERTY OR ANY MONETARY LOSS OR DAMAGE, THAT COULD HAVE BEEN AVOIDED BY THE USER’S COMPLIANCE WITH THE ACCEPTABLE USE POLICY AND PROPER USE OF THE SERVICE.

12.3. SUBJECT TO SECTION 12.1: SANDVIK’S TOTAL LIABILITY IN CONTRACT (INCLUDING IN RESPECT OF THE INDEMNITY IN SECTION 11.1), TORT (INCLUDING NEGLIGENCE OR BREACH OF STATUTORY DUTY), MISREPRESENTATION, RESTITUTION OR OTHERWISE, ARISING IN CONNECTION WITH THE PERFORMANCE OR CONTEMPLATED PERFORMANCE OF THIS AGREEMENT SHALL BE LIMITED TO THE TOTAL AMOUNT PAID BY CUSTOMER FOR THE SERVICE TO WHICH THE CLAIM RELATES DURING THE 12 MONTHS IMMEDIATELY PRECEDING THE DATE ON WHICH THE CLAIM AROSE.

13. TERM OF THE AGREEMENT, CANCELLATION AND TERMINATION

13.1. This Agreement is effective as of the Effective Date and shall continue until terminated in accordance herewith or as set forth in the Subscription Details. For the avoidance of doubt, the Agreement will be automatically renewed for additional subscription period(s) unless either party gives notice of termination in accordance with the online procedures set out on the Homepage or in the Subscription Details.

13.2. Termination:

13.2.1. Either party may terminate this Agreement if the other party: (a) fails to cure any material breach (including, but not limited to, late payment by Customer) of this Agreement within thirty (30) days after receipt of written notice of such breach; (b) ceases operation without a successor; or (c) seeks protection under any bankruptcy, receivership, trust deed, creditors arrangement, composition or comparable proceeding, or if any such proceeding is instituted against such party (and not dismissed within thirty (30) days thereafter).

13.2.2. Sandvik may terminate this Agreement in case of a change of control of Customer (whereby ‘control’ shall mean more than 50% of the votes or shares in Customer), provided that such change, in Sandvik’s reasonable opinion, materially and adversely affects the commercial relationship between the Customer and Sandvik or any of its affiliates.

13.2.3. Sandvik may terminate this Agreement for convenience by giving at least six (6) months’ prior notice.

13.3. Effect of Expiration or Termination:

13.3.1. In the event of Sandvik’s termination for convenience under Section 13.2.3, Sandvik shall refund any prepaid subscription fee pro rata to any remaining period of time for which the Customer has subscribed to use the Service.

13.3.2. Upon expiration or termination of this Agreement, regardless of cause, the Customer shall cease any and all use of the Service, and, if requested by Sandvik, destroy or return all copies of Documentation and so certify to Sandvik in writing.

13.3.3. Upon expiration or termination of this Agreement, regardless of cause, Sandvik (i) may immediately suspend and revoke the Customer’s right to access and Use the Service, and (ii) undertakes not to delete Customer Data during a period of thirty (30) days from the date of expiration or termination, and (iii) undertakes to provide the Customer the opportunity to download such data in a reasonable format during said period without additional charge.

13.4. In addition to the termination rights above, the Customer acknowledges that Sandvik is entitled, temporarily or permanently, to suspend the Customer and/or particular users in accordance with what is set out in the Acceptable Use Policy and in Section 5.3 above.

13.5. Any provision which by its very nature should survive shall survive any termination or expiration of this Agreement.

14. CONFIDENTIAL INFORMATION

14.1. The Customer undertakes to treat as confidential and not disclose any information contained or embodied in the Toolhive Software, Third Party Services made available by Sandvik, Documentation and/or any other material provided by Sandvik in connection with the Service (hereinafter collectively referred to as the "Sandvik Confidential Information") to any third party, or use such Sandvik Confidential Information for any other purpose than for the due performance of this Agreement, provided that this Section 14 shall not extend to any Customer Data or other information which (i) was rightfully in the possession of the Customer prior to the commencement of the negotiations leading to the Agreement or which is already public knowledge or becomes so at a future date (otherwise than as a result of a breach of this Agreement); (ii) was or is independently developed by the Customer or its representatives as proven by its written records; (iii) was disclosed to the Customer or its representatives by a third party not under any obligation to keep such Sandvik Confidential Information confidential, provided that the Customer shall not corroborate Sandvik Confidential Information disclosed to it by a third party or otherwise further disseminate such Sandvik Confidential Information; or (iv) must be revealed due to law or by order of a judicial or governmental authority or by any applicable stock exchange regulations or the regulations of any other recognized market place, provided that the Customer notifies Sandvik of the demand for disclosure promptly and as far in advance of the date of disclosure as circumstances reasonably allow (provided such notice is legally permitted) so as to allow Sandvik to seek a protective order or other appropriate remedy.

14.2. The Customer shall not without the prior written consent of Sandvik divulge any part of the Sandvik Confidential Information to any person except to (i) the Customer's employees and third party consultants on a strict need-to-know basis; (ii) the Customer's auditors and any other persons or bodies having a right, duty or obligation to know the business of the Customer, and then only in pursuance of such right, duty or obligation; and (iii) any person who is from time to time appointed by the Customer to maintain any equipment on which the Service is being used (in accordance with the terms of this Agreement), and then only to the extent necessary to enable such person to properly maintain such equipment.

14.3. Sandvik undertakes to treat as confidential and not disclose any Customer Data and any other materials provided by the Customer (hereinafter collectively referred to as the "Customer Confidential Information") to any third party outside the Sandvik group of companies, or use such Customer Confidential Information except as explicitly stated in this Agreement, provided that this Section 14 shall not extend to any information which (i) was rightfully in the possession of Sandvik prior to the commencement of the negotiations leading to the Agreement or which is already public knowledge or becomes so at a future date (otherwise than as a result of a breach of this Agreement); (ii) was or is independently developed by Sandvik or its representatives as proven by its written records; (iii) was disclosed to Sandvik or its representatives by a third party not under any obligation to keep such Customer Confidential Information confidential, provided that Sandvik shall not corroborate Customer Confidential Information disclosed to it by a third party or otherwise further disseminate such Customer Confidential Information; or (iv) must be revealed due to law or by order of a judicial or governmental authority or by any applicable stock exchange regulations or the regulations of any other recognized market place, provided that Sandvik notifies the Customer of the demand for disclosure promptly and as far in advance of the date of disclosure as circumstances reasonably allow (provided such notice is legally permitted) so as to allow the Customer to seek a protective order or other appropriate remedy.

14.4. Sandvik shall not without the prior written consent of the Customer divulge any part of the Customer Confidential Information to any person except to (i) Sandvik's or its affiliates’ employees and third party consultants on a strict need to know basis; (ii) Sandvik's auditors and any other persons or bodies having a right, duty or obligation to know the business of Sandvik and then only in pursuance of such right, duty or obligation; and (iii) any person who is from time to time appointed by Sandvik to provide, develop, design, configure, support, maintain or otherwise use the Service and then only to the extent necessary to perform such task.

14.5. Each Party undertakes to ensure that the people and bodies mentioned in this Section 14 are made aware prior to the disclosure of any part of the Confidential Information that the same is confidential and that they owe a duty of confidence to the other Party in accordance with this Section 14. Each Party shall be responsible for the acts and omissions of such people and bodies to whom such Party divulges such information, with respect to any access, use, protection or disclosure of such information, as if such Party had engaged in such acts and omissions.

  15. PURCHASES THROUGH AN APPROVED SOURCE

15.1. If the Customer has purchased the Service through an Approved Source (such as a reseller), the following terms shall apply and have precedence over any other terms set out in this Agreement unless otherwise specified:

15.1.1. Instead of paying Sandvik, the Customer will pay the applicable fees directly to the Approved Source, as agreed between the Customer and the Approved Source. Sandvik may suspend or terminate the Customer’s right to Use the Service if Sandvik does not receive the corresponding payment from the Approved Source.

15.1.2. The Customer’s Subscription Details (setting out e.g. the Toolhive Software which the Customer is entitled to use, the term of the subscription, the number of end users etc.) will be as stated in the order placed with Sandvik by the Approved Source in accordance with the agreement between the Customer and the Approved Source, and the Approved Source is responsible for the accuracy of any such order as communicated to Sandvik.

15.1.3. The Approved Source is not authorized to modify this Agreement or make any promises or commitments on Sandvik’s behalf, and Sandvik is not bound by any obligations to the Customer other than as set forth in this Agreement.

15.1.4. If the Customer is entitled to a refund under this Agreement, then unless otherwise specified, Sandvik will refund any applicable fees to the Approved Source and the Approved Source will be solely responsible for refunding the appropriate amounts to the Customer.

15.1.5. For purposes of calculating the liability cap in Section 12.3, the amount paid or payable by the Approved Source to Sandvik for the Customer’s use of the Service under this Agreement will be deemed the amount actually paid or payable by the Customer to Sandvik under this Agreement.

15.1.6. The Customer is responsible for determining whether the Approved Source may serve as an administrator of the Service (e.g. assisting with setting up end user accounts, managing inventory, placing orders) and for any related rights or obligations in the Customer’s applicable agreement with the Approved Source. As between Sandvik and the Customer, the Customer is solely responsible for any access by an Approved Source to the Customer’s accounts.

  16. GENERAL

16.1. Assignment: Neither this Agreement nor any rights or obligations of the Customer hereunder shall be assignable or transferable by the Customer, and any purported assignment or transfer in violation of the foregoing shall be null and void. This Agreement will bind and inure to the benefit of each party’s permitted successors and assignees. Sandvik may assign this Agreement in whole or in part in its sole discretion.

16.2. Severability: If any provision of this Agreement shall be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited to the minimum extent necessary so that this Agreement shall otherwise remain in effect.

16.3. Amendments: This Agreement may be supplemented, modified or amended unilaterally by Sandvik at any time (provided that such amendments will not apply retroactively) by way of applicable Sandvik online terms or Sandvik website terms accepted by the Customer from time to time (including shrink-wrap, click-wrap, click-through, click-accept or by continuing to use the Services after due notification). If the Customer does not agree to the supplemented, modified or amended Agreement, the Customer must stop using the Service.

16.4. Construction and Interpretation: The original of this Agreement has been written in English. The Customer waives any rights it may have under the law of its country to have this Agreement written in the language of that country. This Agreement shall be equally and fairly construed without reference to the identity of the party preparing this document, as the parties have agreed that each participated equally in negotiating and preparing this Agreement or have had equal opportunity to do so. The parties waive the benefit of any statute, law or rule providing that in cases of uncertainty, contract language should be interpreted most strongly against the party who caused the uncertainty to exist. The headings and titles to the articles and sections of this Agreement are inserted for convenience only and shall not be deemed a part hereof or affect the construction or interpretation of any provision hereof.

16.5. Entire Agreement: This Agreement (including the Acceptable Use Policy, the Subscription Details and the Documentation) is the complete and exclusive statement of mutual understanding of the parties and supersedes and cancels all previous written and oral agreements and communications relating to the subject matter of this Agreement.

  17. GOVERNING LAW AND ARBITRATION

17.1. The Agreement shall be governed by and construed and enforced in accordance with the substantive laws of Sweden without regard to its principles of conflicts of laws.

17.2. Any and all disputes, controversies or claims arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the SCC Institute). The Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply, unless the SCC Institute, taking into account the complexity of the case, the amount in dispute and other circumstances, determines, in its discretion, that the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply. In the latter case, the SCC Institute shall also decide whether the arbitral tribunal shall be composed of one or three arbitrators. The seat of the arbitration shall be Stockholm, Sweden, and the language of the proceedings shall be English.

17.3. The Parties undertake and agree that all arbitral proceedings conducted with reference to this Agreement will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed during such arbitral proceedings. Information covered by this confidentiality undertaking may not, in any form whatsoever, be disclosed by a Party to a third party without the prior written consent thereto of the other Party, save to the extent that such disclosure is required under mandatory law or statute.

***


APPENDIX 1 – GLOBAL TRADE COMPLIANCE AND END USE/USER ASSURANCE

Notwithstanding any terms in the Agreement to the contrary, the Parties agree to the following.

Global Trade Compliance and End Use/User Assurance

i. For the purpose of this Agreement “Global Trade Laws and Regulations” means customs, import, export, re-export, trade control and economic or financial sanctions laws, regulations and orders, always including such laws, regulations and orders of the UN, US, EU and UK, but also, as applicable, such laws, regulations and orders of any country in which the Products are manufactured, received, used, exported from, imported to, or as otherwise applicable.

ii. For the purpose of this Agreement “Prohibited Countries” means Afghanistan, Belarus, Iran, North Korea, Russia, Syria, Crimea and non-government-controlled areas of the Donetsk, Kherson, Luhansk and Zaporizhzhia oblasts of Ukraine. Sandvik reserves the right to amend the list of Prohibited Countries by written notice to the Customer.

iii. For the purpose of this Agreement “Listed Person” means any person or entity, specially designated, blocked or otherwise individually listed or targeted under Global Trade Laws and Regulations.

iv. The Customer represents and warrants that:

  1. none of the Customer, its affiliates, or any of their respective officers or directors, is a Listed Person, or is owned to 50% or more, directly or indirectly, individually or in the aggregate, or is otherwise controlled by, one or more Listed Person(s);
  2. the Customer has not engaged in, is not engaging in, and will not engage in any business involving a Listed Person, or any entity owned to 50% or more, directly or indirectly, individually or in the aggregate, or otherwise controlled by, one or more Listed Person(s); and
  3. the Customer has not engaged in, is not engaging in, and will not engage in any transaction that circumvents, evades, or avoids, or has the purpose or effect of circumventing, evading, or avoiding, or attempts to violate, any Global Trade Laws and Regulations.

v. The Customer hereby agrees to observe and comply fully, and use the Products in full compliance, with all Global Trade Laws and Regulations. The Customer agrees that no Products provided by Sandvik shall be, directly or indirectly, sold, exported, re-exported, transferred, retransferred or otherwise released or disposed to any person or entity, legal or natural, in breach of Global Trade Laws and Regulations. The Customer shall not take any actions in furtherance of this Agreement that would cause Sandvik to violate any Global Trade Laws and Regulations to which Sandvik is subject.

vi. Without limitation to the generality of the foregoing, the Customer shall not, directly or indirectly, sell, export, re-export, transfer, retransfer or otherwise release or dispose any Products:

a. without securing all licenses and/or authorizations necessary under the Global Trade Laws and Regulations from the relevant governmental authority;

b. to, or for the benefit of, a Listed Person;

c. to, via, or otherwise for use in, Prohibited Countries;

d. for any purpose connected with chemical, biological or nuclear weapons, or missiles capable of delivering such weapons, or for any nuclear explosive or unsafeguarded nuclear fuel cycle activity; or

e. for military end-use or to a military end-user, including military intelligence end-uses and end-users, without obtaining Sandvik’s prior approval.

vii. The Customer shall impose the obligations above in this Appendix in all subsequent transactions involving the Products. Further, the Customer shall establish and maintain adequate internal controls and mechanisms to (i) detect conduct by third parties in its downstream commercial chain, including possible resellers, that violates, or frustrates the purpose of, Global Trade Laws and Regulations; and (ii) ensure it obtains sufficient knowledge about the end-user to determine whether, for each contract, the Products could be destined for an end-use which is not permitted under this Agreement.

viii. The Customer agrees to, as promptly as possible and in any event within five (5) business days, notify Sandvik in writing of actual or suspected breaches of any of the obligations above in this Appendix and shall, to the best of its abilities, cooperate with Sandvik to facilitate compliance with Global Trade Laws and Regulations and will, upon request, provide Sandvik with copies of all documentation relating to any business dealings involving the Products, including but not limited to, end-user certifications. Further, the Customer shall provide all information relating to requests for any Products that the Customer suspects could violate or circumvent Global Trade Laws and Regulations, or where the provision of Products would breach the Customer’s commitments under the obligations above in this Appendix, including requests from or on behalf of a Listed Person or attempts to acquire any Products in violation of Global Trade Laws and Regulations.

ix. If the Customer, in whole or in part, breaches any of the obligations above in this Appendix or (to the furthest extent permissible under applicable law) in Customer’s reasonable opinion any such breach is likely to occur, the Parties agree that: (i) Sandvik shall be under no obligation to fulfil outstanding payments, deliveries, orders or the like; (ii) Sandvik shall not be liable toward the Customer or any third party for any subsequent non-performance by Sandvik under this Agreement; and (iii) the Customer shall indemnify and hold Sandvik harmless from any claims or losses relating to such non-performance. Any failure by the Customer to comply, in whole or in part, with this Appendix is to be considered a material breach of this Agreement which will entitle Sandvik to terminate the Agreement with immediate effect. Further, Sandvik is entitled to terminate the Agreement with immediate effect upon written notice if either Party’s ability to fulfil an obligation under this Agreement is materially affected by the imposition of restrictions in Global Trade Laws and Regulations.

2) Acceptable Use Policy

Sandvik TOOLHIVE Service
Version 4/2024


  1. Subject Matter and Scope

1.1 This Acceptable Use Policy (the “AUP”) applies to any and all access and use of the TOOLHIVE software and any associated content, such as instructions, manuals, e-learning tools, and other add-on services like item data downloads from third parties and any other information provided through the service (collectively, the “Service”).

1.2 The purpose of this AUP is to set out a code of conduct and a use policy for all individuals using the Service, meaning employees (including outsourced employees), agents, contractors, representatives and officers (each, a “User”) of legal entities (or, where relevant, affiliates or subsidiaries of such entity) having entered into an agreement with Sandvik and accepted the terms of service regarding the Service (a “Customer”).

1.3 Access to and use of the Service by the User is subject to the correct subscription and permissions as stated in the Terms of Service between Sandvik and the Customer, as well as the proper creation by the Customer or a User of at least one user account (“Account”).

1.4 To the maximum extent permitted under applicable law, Sandvik will not enter into any contractual relationship with the User and Sandvik will not assume any obligations or liability in relation to the User (see also Clause 6).

  2. Registration and Access

2.1 Access to the Service requires the User to log in to an Account using the credentials provided by Sandvik and/or the Customer. It is possible to create further accounts for individual Users. The User may contact the assigned administrator of the Customer for further information on how to set up further Accounts and any terms and conditions associated therewith.

2.2 Access credentials and login details are personal and must only be used by the User, or a group of Users as decided by the Customer. The User is required to carefully store personal access credentials, not share them with anyone except as permitted by the Customer, and protect them from unauthorized access. Sandvik may enable log-in to an Account by way of other methods, including, but not limited to, pin codes or QR codes, which methods shall be considered credentials for the purposes of this AUP.

2.3 The User shall not: a) gain access to the Service by any means other than the Account or other permitted means; b) circumvent or disclose the User authentication or security of the Account, the Service or any host, network, or account related thereto; or c) assume a false identity with the purpose of misleading others or to gain unlawful or unauthorized access to the Account or the Service.

  3. Use of the Service

3.1 In using the Service, the User shall: a) duly use the Service only as instructed by the Customer, and always on behalf of the Customer; b) before accessing the Account and the Service, during use and when transferring data, take all reasonable precautions against security attacks and to prevent viruses, trojan horses or other programs or malware that may damage the software; c) comply with all applicable national and international export and re-export control regulations including, but not limited to, those of the European Union, of the United States of America and regulations of any other country or jurisdiction which may apply; d) notify Sandvik promptly about any possible unauthorized use of personal access credentials, misuse or theft of the Account and any security risk (e.g. vulnerability) related to the Account or the Service, and of any possible or actual violation of this AUP; e) inform Sandvik promptly of any errors in the functionality of the Account or the Service or the information provided therein; and f) notify Sandvik promptly if the User erroneously has access to data that is obviously not intended to be accessed by the User.

3.2 In using the Service, the User shall not: 

a) access or use the Service for any purpose except for Customer’s internal business purposes, and in particular not for the purpose of building a competitive product or service or copying its features or User interface nor in the operation of a service bureau, outsourcing or time-sharing service; 

b) allow the Service to access, directly or indirectly, in any manner whatsoever, any third party database except for such database access which is provided by Sandvik as part of the Service; 

c) breach or defeat system or network security measures such as authentication, authorization, confidentiality, intrusion detection or monitoring; 

d) copy, sell, resell, license, transfer, assign, sublicense, rent, lease, or otherwise make available the Service in whole or in part to any affiliate of Customer or third party (unless expressly permitted in accordance with a) above); 

e) translate, disassemble, decompile, reverse engineer or otherwise modify or attempt to discover the source code of the Service or any associated hardware provided by Sandvik (except to the extent permitted pursuant to applicable law); 

f) create derivative works of, or based on, any parts of the Service; 

g) interfere with or disrupt the integrity or performance of the Service or other equipment or networks connected to the Service, and in particular not transmit any content containing viruses, trojan horses or other programs that may damage the software; 

h) use the Service in a way that could damage, disable, overburden, impair or compromise Sandvik's systems, infrastructure or security or interfere with other Users; 

i) harm other persons; 

j) infringe personal rights, intellectual property rights, copyrights or any other proprietary rights of Sandvik or any other party; 

k) change or remove any notices and notations from the Service that refer to intellectual property rights or brand names; 

l) access the Service from any location prohibited by Export Laws or if otherwise prohibited for the User by Export Laws, and the User shall not grant access to a person or entity listed on a sanctioned party list, including without limitation the European Union Sanctions List, the US Specially Designated Nationals (SDN) List and the US Denied Persons List. “Export Laws” means all national and international export and re-export control regulations including, but not limited to, those of the European Union, of the United States of America and regulations of any other country or jurisdiction which may apply; or

m) make any use of the Service that violates Sandvik’s rights or any applicable local, state, national, international or foreign law, treaty, or regulation.

3.3 To the extent the User uploads suggestions, recommendations, feature requests or other feedback onto the Service, Sandvik may exploit them free of charge to develop, improve and sell any of its products and services. 

  4. Compliance and Suspension

4.1 The User acknowledges that Sandvik or a third party on Sandvik’s behalf may monitor the User’s access to and use of the Account and the Service for Sandvik’s internal business purposes, e.g. to the extent required to ensure compliance with this AUP, and to develop and improve Sandvik’s products and services. 

4.2 Sandvik may, temporarily or permanently, immediately suspend any User’s or Customer’s access to and use of the Service if, according to Sandvik’s reasonable judgment, this AUP has been breached, or for other objectively serious reasons.

4.3 User is responsible for violations of this AUP by anyone using the Service with User’s permission or on an unauthorized basis as a result of User’s failure to use reasonable security precautions to protect login details to the User’s Account. User’s use of the Service to assist another person in an activity that would violate this AUP if performed by User is a violation of the AUP. 

4.4 Sandvik will process personal data about Users in accordance with applicable privacy law and the relevant privacy notice(s). 

  5. Confidentiality

5.1 The User may have access to Sandvik's and its partners’ confidential information through the Account. The User must observe and comply with any confidentiality notices or restrictions provided in the Service. Confidential information may only be used for the purpose of access to and use of the Account and the Service and in accordance with this AUP. 

5.2 The User is required to immediately inform Sandvik as soon as the User becomes aware of an imminent breach of Sandvik's or its partners’ confidentiality interests or that such a breach has taken place or upon existence of such a suspicion. 

  6. Liability

6.1 Sandvik assumes no liability towards the User including, without limitation, for defects in the Account or the Service and the information contained therein, particularly for their accuracy, correctness, freedom from property rights and copyright of third parties, completeness and/or usability.

6.2 Nothing in this AUP shall limit or exclude Sandvik's liability to the User to the extent that liability cannot be limited or excluded according to mandatory applicable law. 

  7. General

7.1 In the event any provision of this AUP is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect. 

7.2 This AUP and the rights granted hereunder may be assigned by Sandvik to any entity within or outside the Sandvik Group, however an assignment by the User is not permitted and any purported assignment or transfer in violation of the foregoing shall be null and void.

3) Data Processing Agreement Inside EU


PARTIES:

This data processing agreement (the "DPA") is made on the date on which the terms of the DPA are accepted by the customer and become legally binding and enforceable between the parties (the "Effective Date"):

  1. SANDVIK Machining Solution AB, reg. no. 556692-0053, a company incorporated under the laws of Sweden, ("Sandvik");

Address: SE-811 81 Sandviken, Sweden

Contact person: Gerrit Kremer

E-mail: gerrit.kremer@sandvik.com

and, on the other hand,

  2. the Customer, as further specified in the Master Agreement between Sandvik and the Customer,

(each a "Party" and together the "Parties").

By submitting an online subscription order, the Customer accepts this DPA as an integral part of the Master Agreement.

For the Customer’s details, including contact details to contact person of the Customer, see the Master Agreement between the Parties.

BACKGROUND AND UNDERTAKINGS

A. The Parties have entered into a license agreement (the "Master Agreement") under which Sandvik will provide certain services (the "Services") to the Customer. Within the scope of the Master Agreement, Sandvik will (as a processor) process personal data on behalf of the Customer (as a controller), as detailed in the Instructions in Schedule 1 of this DPA. This DPA constitutes a schedule to the Master Agreement and forms an integral part of the Master Agreement.

B. Within the scope of this DPA, the Customer is, as applicable: (i) the controller of the Customer's personal data which Sandvik processes as a processor on behalf of the Customer; or (ii) has been instructed by and obtained the authorization of the relevant Customer Affiliate to agree to the processing of personal data by Sandvik as set out in this DPA, meaning that the Customer and the relevant Customer Affiliates are the controllers of the personal data which Sandvik processes as a processor on behalf of the Customer and the relevant Customer Affiliates; or (iii) together with any Customer Affiliate that has entered into applicable scope of works/order forms with Sandvik, which outline the content, scope and purposes of the Services that Sandvik shall provide to the Customer and the relevant Customer Affiliate, is the controller of the personal data which Sandvik processes as a processor on behalf of the Customer and the relevant Customer Affiliate. For the avoidance of doubt, the applicable scope of work/order form shall constitute a separate agreement between the Customer Affiliate and the Sandvik entity party to the scope of work/order form. Accordingly, breach of the scope of work/order form by either party shall not constitute a breach of this DPA and likewise, a breach of this DPA by any party shall not constitute a breach of the scope of work/order form.

C. If Sandvik determines the purposes and means of any processing of the Customer’s personal data, such as when developing the Services or in order to provide statistics, Sandvik becomes the controller for such processing and is, consequently, solely responsible for the lawfulness of such processing as controller under Applicable Data Protection Laws.

D. This DPA regulates transfers of personal data from Sandvik located within the EU/EEA to the Customer located within the EU/EEA.

E. This DPA also regulates transfers of personal data from Sandvik located within the EU/EEA to the Customer located outside the EU/EEA, provided that the Customer, including the processing of personal data carried out by the Customer under this DPA, is subject to a binding adequacy decision issued by the EU Commission in accordance with Article 45 of the GDPR. If such adequacy decision, for whatever reason, is no longer valid or applicable in relation to the Customer and/or the processing of personal data under this DPA, the Parties shall, in addition to this DPA, automatically be bound by the Model Clauses in their relevant parts.

F. Where any provision of this DPA requires the Parties to notify or otherwise communicate with each other, such notification or communication shall be made to the e-mail addresses specified in the preamble of this DPA above and, for the Customer identified under paragraph (2) on page 1, in the Master Agreement, unless otherwise agreed in writing by relevant employees of the Parties.

G. Notwithstanding any priority clauses in the Master Agreement and with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Master Agreement, the provisions of this DPA shall prevail with regard to the Parties’ data protection obligations. In the event of any conflict or inconsistency between the provisions below and the Model Clauses (where such Model Clauses are applicable), the terms of the Model Clauses shall apply in accordance with Clause 5 of the Model Clauses.

Introduction

  1. Definitions

Lower-case terms used but not defined in this DPA, such as "controller", "processor", "personal data" and "processing", shall have the same meaning as in Article 4 of the GDPR. Additional definitions used in this DPA are outlined below.

Obligations of the parties

  2. Instructions

    2.1 Sandvik shall only process personal data on behalf of the Customer in accordance with the Instructions by the Customer and Applicable Data Protection Laws.

    2.2 In the event the Customer provides additional documented instructions regarding processing of personal data, Sandvik is entitled to remuneration for any costs incurred by Sandvik as a result of such additional instructions. In such case, Sandvik may send a quote of the additional costs to the Customer.

    2.3 If Sandvik notifies the Customer that an additional instruction is not feasible or the Customer notifies Sandvik that it does not accept the quote for the additional Instruction, the Customer may terminate, wholly or partly (if possible), the affected Services sixty (60) days after notifying Sandvik to terminate the affected Services. Sandvik will refund a prorated portion of any prepaid charges for the period after such termination date.

  3. Technical and organisational security measures

    3.1 Sandvik will provide and maintain appropriate technical and organizational security measures for the processing of Customer’s personal data, which measures are intended to protect such personal data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and to ensure a level of security appropriate to the particular risks involved in the processing. In this connection, the parties agree that:

    3.1.1 further details on the technical and organizational security measures that will be implemented and maintained by Sandvik in processing the personal data are described or referred to in Schedule 2; and

    3.1.2 the technical and organizational measures will be subject to technical progress, development and improvements for the protection of personal data. Accordingly, Sandvik reserves the right to modify such measures provided that Sandvik continues to ensure a level of security appropriate to the particular risks involved in the processing.

    3.2 In the processing of the Customer’s personal data, Sandvik: (i) will only rely on personnel who are contractually or by statutory obligation bound to maintain confidentiality; and (ii) will ensure that access to the personal data processed is limited to those personnel who require such access to perform the Services.

  4. Documentation and compliance

    4.1 Upon request, Sandvik shall provide the Customer with documentation reasonably necessary to demonstrate compliance with Applicable Data Protection Laws.

    4.2 The Customer may conduct an inspection or audit of the technical and organizational measures that Sandvik has implemented to fulfil its obligations under this DPA and Sandvik will provide such other information as possible to demonstrate compliance with article 28 of the GDPR provided that: (i) the documentation in section  above cannot reasonably demonstrate compliance with Applicable Data Protection Laws; or (ii) a competent supervisory authority requires inspection of Sandvik. The Customer shall notify Sandvik sixty (60) days in advance prior to conducting such inspection. 

    4.3 For the avoidance of doubt, an inspection or audit carried out in accordance with this section 4 shall only comprise such information that is strictly necessary in order for the Customer to determine whether Sandvik takes appropriate technical and organizational measures to fulfil its obligations under this DPA and shall under no circumstances comprise any other information, e.g. regarding Sandvik’s business operations, other Customers of Sandvik or intellectual property, which is not relevant to Sandvik’s processing of personal data on behalf of the Customer under this DPA.

    4.4 The Parties acknowledge and agree that any on-site inspection must be conducted by a third-party auditor jointly appointed by both Parties. The Customer shall ensure that such third party undertakes confidentiality in relation to any information that the third party receives within the scope of the inspection, such confidentiality undertaking being not less restrictive than the confidentiality undertaking in section 10 below. Further, the inspection must occur during normal business hours and only in a manner that causes minimal disruption to Sandvik’s business. The Customer shall be liable for any breach of such confidentiality undertaking by the third party. Any and all costs and expenses related to the inspection shall be borne by the Customer, including any potential costs and expenses incurred by Sandvik due to Sandvik’s participation in such inspection.

  5. Use of sub-processors

    5.1 The Customer hereby gives Sandvik a general written authorization to engage sub-processors to process personal data on behalf of the Customer. Sandvik shall ensure the sub-processor has entered into a data processing agreement with obligations no less restrictive than those set out in this DPA. Sandvik shall be liable for the acts and omissions of any Sub-Processor to the same extent as if the acts or omissions were performed by Sandvik. 

    5.2 All sub-processors engaged by Sandvik as of the Effective Date are provided in Schedule 1 of this DPA www.toolhivesolutions.com. Sandvik will provide Customer with notification of any new Sub-processor before authorizing such new Sub-processor to process the personal data, at least thirty (30) days in advance of such change. Sandvik shall provide the Customer with a process to obtain notice of any new or changed sub-processors. The notification to the Customer shall include the same information of a new or changed sub-processor as set out in Schedule 1 of this DPA regarding currently engaged sub-processors.

    5.3 The Customer may object to the addition or replacement of a sub-processor provided that such objection is reasonable and based on data protection grounds. If Sandvik is unable to accommodate the Customer’s objection, the Customer may terminate, wholly or partly (if possible), the affected Services by notifying Sandvik within thirty (30) days of Sandvik’s notice. Sandvik will refund a prorated portion of any pre-paid charges for the period after such termination date.

    5.4 Where the Customer does not object to the change within thirty (30) days of the notice by Sandvik, Sandvik may engage the sub-processor for the processing of personal data on behalf of the Customer.

  6. International transfers

    6.1 The Customer agrees that where Sandvik engages a sub-processor for carrying out specific processing activities (on behalf of the Customer) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, Sandvik and the sub-processor can ensure compliance with the GDPR, for example by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met.

  7. Cooperation and assistance

    7.1 Sandvik will report to the Customer without undue delay any request received by Sandvik from a competent supervisory authority or a data subject relating to the processing of personal data under this DPA. 

    7.2 Taking into account the nature of the processing, Sandvik will assist the Customer in complying with its obligation to respond to requests of data subjects under Applicable Data Protection Laws, by appropriate technical and organizational measures provided that the information is available to Sandvik, and such information is not otherwise available to the Customer. 

    7.3 The Customer acknowledges that Sandvik has no responsibility to interact directly with any data subject or supervisory authority in respect of any request, demand or order (except as expressly provided under Applicable Data Protection Laws) or as otherwise agreed by the Parties in writing. 

    7.4 Sandvik shall, upon the Customer's request and taking into account the nature of the processing and the information available to Sandvik, provide information to the Customer in order to allow the Customer to fulfil its legal obligations to carry out data protection impact assessments (DPIAs) and prior consultations with the relevant supervisory authority under Applicable Data Protection Laws in relation to the processing of personal data covered by the Services.

    7.5 Sandvik shall have a right to reasonable compensation for any assistance provided to the Customer pursuant to this Section 7, or otherwise as according to a separate agreement between the Parties.

  8. Notification of personal data breach

    8.1 In the event of a personal data breach involving personal data processed on behalf of the Customer and subject to this DPA, Sandvik shall notify the Customer, in writing without undue delay, after becoming aware of the personal data breach.

    8.2 Taking into account the nature of processing and the information available to Sandvik, Sandvik shall assist the Customer in fulfilling its responsibilities under Articles 33 and 34 of the GDPR by doing the following:

    8.2.1 Sandvik will investigate the personal data breach and take reasonable measures to identify its root cause(s) and, where such breach is caused by Sandvik or a Sandvik sub-processor, take steps to prevent a recurrence;

    8.2.2 As information is collected or otherwise becomes available, to the extent legally permitted, Sandvik will provide the Customer with a description of the personal data breach, the type of personal data to which the breach relates, and other information the Customer may reasonably request concerning the affected data subject(s) where such information is available to Sandvik.

    8.3 The Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices to the affected data subjects.

    8.4 To the extent that a personal data breach is caused by the Customer, a Customer Affiliate or anyone acting for the Customer, Sandvik will inform the Customer of the personal data breach and provide information it discovers up to the stage at which it identifies that the breach is caused by the Customer, a Customer Affiliate or anyone acting for the Customer. Further assistance to investigate such a personal data breach is subject to the prior agreement of the Parties.

  9. Request from a competent supervisory authority

    In case a competent supervisory authority or other regulator requests: 

    a) information from Sandvik regarding the processing of personal data under this DPA; or

    b) that Sandvik shall disclose personal data processed on behalf of the Customer under this DPA,

    Sandvik shall, without undue delay, notify the Customer of any such request in accordance with this Section 9. The Parties shall thereafter consult regarding the competent supervisory authority's request. This obligation does not apply if Sandvik is prohibited under applicable law from notifying or consulting with the Customer regarding the supervisory authority's request. Sandvik may not act on the Customer's behalf, as agent for the Customer or otherwise.

Final provisions

  10. Confidentiality

Without any prejudice to any confidentiality undertaking included in the Master Agreement, the Parties agree to keep the contents of this DPA confidential, unless a Party is legally obligated to disclose its contents.

  11. Term and termination

This DPA is effective during the same term as the Master Agreement and for such additional period that Sandvik processes personal data on behalf of the Customer.

  12. Return of personal data

Upon termination of the Master Agreement, Sandvik shall delete or anonymize the personal data that Sandvik processes on behalf of the Customer or, upon the Customer’s written request, return such personal data to the Customer, unless Sandvik is legally obligated to continue to store the personal data. If the Customer does not provide any instruction within thirty (30) days following the termination of the Master Agreement or the DPA, the personal data shall be deleted or anonymized by Sandvik without undue delay.

  13. Survival of certain terms

Section 10 (Confidentiality), section 12 (Return of personal data), section 14 (Liability), section 15 (Severability), section 16 (No waiver), section 18 (Governing law), and section 19 (Disputes) shall survive the termination of this DPA for any reason.

  14. Liability

    14.1 Each Party shall be liable for any administrative fines by a competent supervisory authority imposed on the Party in question due to the Party's failure to fulfil its obligations under this DPA or Applicable Data Protection Laws.

    14.2 Liability for any claims for damages from data subjects concerned shall be governed by Article 82 of the GDPR. All other indirect, consequential, special or incidental cost, loss or damage of any kind are excluded.

    14.3 Notwithstanding what is stated above, Sandvik’s total liability for any administrative fines, damages or other direct, indirect, consequential or incidental cost, loss or damage of any kind caused by breach of this DPA shall be limited to the amount paid by the Customer, identified in the preamble of this DPA under “Parties” paragraph (2) above on page 1, to Sandvik under the Master Agreement within 12 months prior to the date the claim arose.

  15. Severability

If any provision of this DPA is or becomes invalid, illegal or unenforceable under applicable law, the validity, legality and enforceability of the remainder of the DPA shall not be affected. Instead, the deficient provision shall be replaced with a new provision permitted by applicable law and having an effect as close as possible to the deficient provision.

  16. No waiver

Delay by either Party to exercise a right or remedy under this DPA shall not affect such Party's right to enforce such right or remedy at a later time. A waiver by a Party of any breach of a provision under this DPA shall not be construed to be a waiver by such Party in relation to subsequent breaches of such or other provisions in this DPA.

  17. Changes

If Applicable Data Protection Laws, binding judgements or the Services change in such a way that amendments to this DPA are required, Sandvik has a unilateral right to make the necessary updates to this DPA by notifying the Customer in advance of such changes. If the Customer has not objected in writing to such proposed changes within thirty (30) days from when the notification was sent by Sandvik, the Parties agree that the proposed changes to the DPA shall enter into force with immediate effect. For the avoidance of doubt, this Section 17 does not apply to changes regarding sub-processors, as such changes are governed by Section 5.

  18. Governing law

This DPA is governed by Swedish law, without giving effect to any principles of conflicts of law.

  19. Disputes

Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be settled in accordance with the dispute resolution clause included in the Master Agreement, unless the Parties agree otherwise.

ADDITIONAL DEFINITIONS 

The following additional defined terms are used in this DPA:

"Applicable Data Protection Laws" means all applicable data privacy laws and regulations of the EEA, including all of its member states and regulations issued by the relevant supervisory authorities;

"Customer Affiliate" means any entity which is controlled by Customer, which controls Customer, or which is under common control with Customer. For the purpose of this DPA, “control” of an entity means the direct or indirect ownership of more than fifty per cent (50%) of the shares or interests entitled to vote for the directors of such entity or equivalent power over the management of such entity, for so long as such entitlement or power exists;

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

"Instructions" means (i) the relevant terms and conditions of this DPA and the Master Agreement; and (ii) any further documented instructions that the Customer may from time to time give, provided they relate to and are consistent with the Services provided by Sandvik under the Master Agreement and DPA, including Schedule 1 of this DPA;

"Model Clauses" means the EU Commission's implementing decision (EU) 2021/914 of 4 June 2021 applicable to processor-to-controller transfers (Module 4); and

"Services" means services offered to the Customer by Sandvik as described in the Master Agreement.

SCHEDULE 1 

Instruction regarding the processing of personal data for the provision of the Services 

This Schedule 1, together with the Master Agreement, sets out the Customer's Instructions with respect to Sandvik's (and its sub-processors') processing of personal data in connection with provision of the Services.

DETAILED DESCRIPTION OF THE PROCESSING OF PERSONAL DATA 

Purpose and nature of the processing: 

Provide the Hosting Services 

Provide personnel of the customer and users of the services with access to the relevant Sandvik services. By way of example: setting up and administering user accounts, allowing the customer to manage access internally to the relevant services, storing personal data in the services, as well as providing other features within the relevant services.

Frequency of the transfer: Regularly

Hosting Services:

Categories of personal data:
  • Identity data (e.g. name)
  • Contact details (e.g. e-mail address and phone number (optional))
  • Profile data (e.g. user ID)

Categories of data subjects:
  • Employees of the customer
  • Users of the service

Standard storage period: Personal data is stored 180 days after termination of the subscription, or during the period that the Customer otherwise instructs.

Purpose and nature of the processing: 

Provide support and maintenance 

Provide support and maintenance services to the customer. By way of example: receive and manage support tickets from personnel of the customer and users of the services, perform troubleshooting and take other necessary support measures, including follow-up actions.

Frequency of the transfer: Regularly

Categories of personal data:
  • Identity data (e.g. name)
  • Contact details (e.g. address, e-mail address and phone number)
  • Organisational information (e.g. company name)
  • Diagnostic data
  • Technical data (e.g. IP address)
  • Communication and interaction

Categories of data subjects:
  • Employees of the customer
  • Users of the service

Standard storage period: Personal data is stored 180 days after termination of the subscription, or during the period that the Customer otherwise instructs.

Purpose and nature of the processing:

Communication and marketing of the product and new features

Send information about the product, new features and updates to customers and/or potential customers. Used for digital marketing to potential customers that have shown interest in the product by signing up for a demo, trial or newsletter on the Toolhive website, or that have registered a product subscription.

Categories of personal data:
  • First and last name
  • E-mail address
  • Login credentials

Categories of data subjects:
  • Potential customer
  • Customer

Standard storage period: Personal data is stored 180 days after termination of the subscription, or during the period that the Customer otherwise instructs.

PLACE OF PROCESSING

Personal data is processed by Sandvik within the EU/EEA. For information on where the sub-processors that Sandvik has engaged to provide the Services process personal data, please see the list below.

SUB-PROCESSORS 

As of the Effective Date, Sandvik engages the following sub-processors:

Sub-processor: Adyen
  Categories of personal data: Credit or debit card info
  Purposes: Payment processing
  Services: Payment processing

Sub-processor: Chargebee
  Categories of personal data: Identity Data, Contact Details
  Purposes: Chargebee is a subscription billing and revenue management platform. It requires personal data such as names, email addresses, payment details, and billing addresses to process transactions, manage subscriptions, generate invoices, and ensure compliance with financial regulations.
  Services: Subscription management
  Location of processing: EU, US

Sub-processor: Topdesk
  Categories of personal data: Identity Data, Contact Details
  Purposes: Topdesk is an IT service management (ITSM) and customer support platform. It collects personal data like user names, contact details, and service request history to provide efficient IT support, track issues, and improve customer service through ticketing and incident management.
  Services: Customer support
  Location of processing: EU

Sub-processor: Ebbot
  Categories of personal data: Identity Data, Contact Details
  Purposes: Ebbot is an AI-powered chatbot designed to engage and support customers in real time. It collects personal data such as user names, contact information, and interaction history to deliver tailored and relevant responses.
  Services: Chatbot
  Location of processing: EU

Sub-processor: HubSpot
  Categories of personal data: Identity Data, Contact Details
  Purposes: HubSpot is a customer relationship management (CRM) platform that helps businesses manage interactions with customers and prospects. It collects personal data such as names, email addresses, phone numbers, company details, and interaction history to help businesses track leads, personalize marketing efforts, and provide efficient customer support.
  Services: Marketing platform
  Location of processing: EU, US

Sub-processor: Microsoft Ireland Operations Limited
  Categories of personal data: Hosting all data, but not actively processing.
  Purposes: Hosting services on Azure cloud, managing SaaS services for the product.
  Services: Hosting service
  Location of processing: Ireland
  Additional protection controls: Data hosting in EU (West), Germany
  Transfer mechanism under Chapter V GDPR (if sub-processor is located outside the EU/EEA): N/A (EU/EEA)

CHANGES TO THIS INSTRUCTION 

The Parties agree that Sandvik from time to time is entitled to make non-material updates or changes to these Instructions to reflect the processing of personal data carried out by Sandvik (and its sub-processors) in connection with the provision of the Services.


SCHEDULE 2 

Technical and organisational measures including technical and organisational measures to ensure the security of the data 

Toolhive Technical and Organizational Security Measures 

Toolhive implements and maintains technical and organizational security measures to protect customer assets and data. We recognize that data security is crucial for our clients' business success. We are fully committed to maintaining a high level of privacy and security within our systems, policies, and business operations. This includes, but is not limited to, secure software development, secure data centers, host hardening, and network security. We are constantly working on improving our security posture. 

Please note that security is a collaborative effort. Do not hesitate to contact us if you have any questions. 

Toolhive is primarily built on technologies provided by Microsoft and hosted in their data centers. Information entered into the application, such as users, devices, items, transactions, and events, is protected by security controls managed by Microsoft. Our contract with Microsoft, along with our own controls, ensures that customer data is secured according to best practices. Microsoft offers a comprehensive set of compliance offerings that comply with national, regional, and industry-specific requirements governing the collection and use of data. 

For more information on these security measures, please visit Microsoft Azure Trusted Cloud. 

Certain customer data related to subscription management and payments is stored in our ERP and in our invoicing and subscription system, Chargebee. Some support data, such as basic customer information and incidents related to a customer, is stored in TopDesk and HubSpot. Data stored in these systems primarily includes the Customer Account Manager and related contact details.

Physical Security 

Data Center Security 

Microsoft Azure operates in data centers managed and operated by Microsoft or their partners. These geographically dispersed data centers comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. The data centers are managed, monitored, and administered by Microsoft operations staff, who have years of experience in delivering the world’s largest online services with 24x7 continuity.

The Azure network architecture provides connectivity from the Internet to the Azure data centers. Any workload deployed (IaaS, PaaS, and SaaS) on Azure leverages the Azure data center network. 

For more information on Azure infrastructure security, please visit Azure Infrastructure Security. 

Access Control to Premises and Facilities 

Microsoft employs a layered approach to physical security to reduce the risk of unauthorized users gaining physical access to data and data center resources. Data centers managed by Microsoft have extensive layers of protection, including access approval at the facility’s perimeter, the building’s perimeter, inside the building, and on the data center floor.

For more information on Azure physical security, please visit Azure Physical Security.

Developer Security

Access Control to Systems
Developers from external partner companies are assigned to development projects in DevOps after the Development partner has signed a Non-Disclosure Agreement (NDA). To gain access to the development system, external developers use Sandvik’s corporate Identity Provider with personalized accounts and two-factor authentication.

System administrators and operators are authenticated via Sandvik’s corporate Identity Provider using personalized accounts and two-factor authentication. Authorization is implemented using the Azure role-based access control (Azure RBAC) system, providing fine-grained access management to system resources in Microsoft Azure.

The Microsoft DevOps build process is connected using Azure App Registrations with a security model based on certificates or keys.

Passwords for system administrators, system operators, and system users follow rules for length and complexity, including lower and upper case characters, special characters, and numbers.

Access Control to Back-End Data
Access to customer data by the development team is denied by default. When access to data related to a support case is needed, the information necessary for that support case is provided through elevated access permissions, which are logged and auditable.

Access to customer data is controlled by Sandvik’s corporate Identity Provider using personalized accounts and two-factor authentication.

Data Security
Azure provides customers with strong data security, both by default and as customer options. This includes data segregation, at-rest data protection, in-transit data protection, data redundancy, and data destruction.
For more information on Azure data protection, please visit Azure Data Protection.

Data Storage
Stored data is encrypted at the storage level in the Microsoft Azure environment. This applies to active, backed-up, and archived data residing in the Microsoft Azure environment. In certain cases, data may be encrypted at the database, data record, or document level.

Data is segregated per tenant (user or organization) using logical isolation mechanisms.

Data in Transit
Data in transit is protected using secured network communications and VNETs where applicable. All incoming and outbound traffic is encrypted using TLS 1.2.

Additionally, "encryption by default" using MACsec (an IEEE standard at the data-link layer) is enabled for all Azure traffic traveling between Azure data centers to ensure the confidentiality and integrity of customer data.
Access from external systems is done via the Microsoft Azure Gateway service, which adds an additional layer of security when accessing data.

Data Deletion
In a multi-tenant environment such as Microsoft Azure, careful attention is taken to ensure that one customer’s data does not "leak" into another customer’s data. When a customer deletes data, no other customer (including, in most cases, the customer who once owned the data) can gain access to that deleted data. Data destruction techniques vary depending on the type of data object being destroyed, whether it be storage or databases.

Data Back-Ups
As Toolhive is a cloud solution, we use Microsoft Azure SaaS storage (SQL, Blob storage, and Cosmos DB) as part of the application landscape. These SaaS services can be recovered to any point in time up to 30 days back. For specific customers, we can recover deleted objects as a service (if the customer has made no exports that could be used to re-import the data).

Our backups are stored in the same region as the application runs (West Europe, Netherlands). At this time, all backups are region-specific, meaning each deployment region maintains its own independent backup system.

Application Security

Operational Practices
Role-Based Access Control (RBAC) is used at all levels in the application landscape of Toolhive to manage accounts and operationally control users in the application.

Toolhive website

The customer can do the following on the site: 
1) The customer can contact us using the contact form. To do so, they must provide at least their name and e-mail address. 
2) The customer can request a software demo from us using the form. To do so, they must provide at least their name and e-mail address. 
3) The customer can subscribe to our newsletter to receive regular updates from us. To do so, they must provide at least their name and e-mail address. 
4) If the customer is interested in our e-book or one-page, they can receive a free copy in exchange for their name and e-mail address. To do this, the customer fills out the short form and receives the e-book/one-pager in return. 
5) The customer can test our product in a free version. To do so, they must provide their name and e-mail address. 
6) The customer can buy our product online and must provide additional information such as company, address and payment details to complete the registration.

Customer Management Portal (CMP)
Sales Unit (Distributor) account administrators can create trial customers, active customers, manage the number of licenses, order add-ons, and cancel accounts. They have access to the customer data of the customers registered with them as Sales Unit.

Upon first sign-up, a Customer Account Manager is created (an end-customer user who needs to approve the SaaS T&C before the account is accessible). The user finishes the sign-up process and approves the T&C in the product onboarding flow before the account is activated.

Product interface

The system provides for the following roles:

  • Account owner/customer
  • User


The account owner can:

  • Sign up for, add or upgrade a subscription
  • Cancel a subscription
  • Manage payments
  • Invite users to the application
  • Cancel seats/users
  • Re-invite users or switch permissions from one user to another

Login
The user and the account owner can log into the system via the website and the login dialogue with username/email and password.

All users who have access to the app can:

  • Define a password
  • Use their e-mail address, first name and last name as login credentials
  • Reset or change their password

Deletion of data

  • If a customer does not extend their trial subscription, their account is suspended once the trial validity period ends.
  • In this case, they can still sign into the account management to
    o    change their password
    o    extend their subscription by initiating the payment process / switching to a paid subscription
  • We store all data for a period of 180 days after the subscription has been suspended.
  • The customer can sign up at any time within that period to upgrade their subscription to a paid subscription.
  • If they do not sign up within that period, all data and the complete account will be automatically deleted.
  • The customer receives two reminder e-mails in between to inform them about this process.
  • The customer receives a final e-mail after their account has been deleted.

What you can do on your side

Manage your account within the product interface in the Account management settings. The general rule should always be that individuals should not have access to more information and permissions than they need for their daily work. Revoke access when employees leave the company or change their position.

  • Do not share accounts.
  • Use the change-password setting when new users are created. This forces first-time sign-in users to change their password.

Secure Network Communications, Platform, and Infrastructure Security

How We Work

Toolhive is a cloud-based solution that operates within a secure Azure Virtual Network (VNet). The application and its integration endpoints are accessible to external users and systems through an Azure Application Gateway, which provides secure traffic management and firewall protection.

  • Logging & Security Monitoring:
    o    The Azure Application Gateway logs are actively monitored, and security events are analyzed to detect and respond to potential anomalies.
  • Firewall & Access Control:
    o    A Web Application Firewall (WAF) is enabled for real-time threat protection.
    o    Fixed IP addresses are used for all incoming and outgoing network requests to improve security.
  • Secure Communication & Port Requirements:
    o    Toolhive enforces encrypted HTTPS (TLS 1.2+) communication for all data transmissions.

Incident Response

How We Work
Our Toolhive team monitors the health of services and responds to any customer-reported incidents based on the SLA. If a security incident occurs involving any potentially leaked data, our customers will be informed according to GDPR rules. All relevant traffic logs are collected and analyzed using Azure’s built-in monitoring and security tools. Automated anomaly detection helps identify potential security incidents, which are then reviewed internally by the Toolhive team.

What You Can Do on Your Side
If an incident occurs, activate your business continuity plan.

Support Services

How We Work
Toolhive primarily uses internal resources for first-line technical support to customers. To provide support, these staff have access to the necessary customer data in the Toolhive application. The user grants the support function access to the relevant personal data when registering and accepting the T&C of the Toolhive solution.

When a Sales unit account administrator (distributor/reseller) has registered the customer via CMP, that administrator can provide non-technical customer support. External support partners are listed as sub-processors of personal data and must be approved by the customer, acting as account administrator, in CMP. This approval is part of the process when a customer signs up for a subscription license from a reseller.

For data support services, data may need to be shared (for example, when our service partner helps to manually import tool data into your tool library). In these cases we use secure file transfer and do not exchange data by email.

What You Can Do on Your Side
If you grant any external user access to your account, ensure that the user is deleted or the access revoked once the service has been performed. Do not send sensitive information such as user lists or similar data over email to a service partner.

Training

How We Work
All Toolhive employees receive cybersecurity training through Sandvik’s Security Awareness program.

What You Can Do on Your Side
Educate your employees in cybersecurity best practices. Remember that your employees are the best protection against cybercrimes.

Software Development and Application Security
The Toolhive development teams work agile, using Microsoft Azure DevOps, with a multi-environment setup and fully automated deployment pipelines.

Application security work is guided by the OWASP Top 10:2021 (Open Web Application Security Project).

Compliance

Data Privacy (GDPR and Other Relevant Privacy Laws)
Toolhive is fully GDPR compliant. All personally identifiable information is managed separately from production data and will be deleted according to the retention rules of Toolhive.

Since Toolhive is part of Sandvik, we have a privacy compliance program together with the group. If you want to read our privacy policy, learn more about our cookie management, or make a personal data request, please visit our common privacy page.

Data privacy — Sandvik Group (home.sandvik)

Frameworks
At Sandvik and Toolhive we are working towards alignment with the NIST Cybersecurity Framework.

4) Data Processing Agreement Outside EU

 

PARTIES: 

This data processing agreement (the "DPA") is made on the date on which the terms of the DPA are accepted by the customer and become legally binding and enforceable between the parties (the "Effective Date"): 

    (1) SANDVIK Machining Solution AB, reg. no. 556692-0053, a company incorporated under the laws of Sweden, ("Sandvik");

Address: SE-811 81 Sandviken, Sweden 

Contact person: Gerrit Kremer 

E-mail: gerrit.kremer@sandvik.com

 

and, on the other hand, 

(2) the Customer, as further specified in the Master Agreement between Sandvik and the Customer, (each a "Party" and together the "Parties"). 

By submitting an online subscription order, the Customer accepts this DPA as an integral part of the Master Agreement. 

For the Customer’s details, including contact details to contact person of the Customer, see the Master Agreement between the Parties.

 

BACKGROUND AND UNDERTAKINGS

A. The Parties have entered into a license agreement (the "Master Agreement") under which Sandvik will provide certain services (the "Services") to the Customer. Within the scope of the Master Agreement, Sandvik will (as a processor) process personal data on behalf of the Customer (as a controller), as detailed in the Instructions in Schedule 1 of this DPA. This DPA constitutes a schedule to the Master Agreement and forms an integral part of the Master Agreement.

B. The Parties agree that the EU Commission has adopted Standard Contractual Clauses (2021/914) (the "Model Clauses") for the transfer of personal data to third countries outside the EU/EEA. The Model Clauses include Module 4 which applies to processor-to-controller transfers to ensure an essentially equivalent level of protection for the personal data where the controller is established in a third country and not directly subject to the GDPR under Article 3.2 of the GDPR, but engages a processor established within the EU/EEA which is subject to the GDPR.

C. Within the scope of this DPA, the Customer is, as applicable:  (i)  The controller of the Customer's personal data which Sandvik processes as a processor on behalf of the Customer; or (ii) Has been instructed by and obtained the authorization of the relevant Customer Affiliate to agree to the processing of personal data by Sandvik as set out in this DPA, meaning that the Customer and the relevant Customer Affiliates are the controllers of the personal data which Sandvik processes as a processor on behalf of the Customer and the relevant Customer Affiliates; or (iii)  Together with any Customer Affiliate that has entered into applicable scope of works/order forms with Sandvik, which outlines the content, scope and purposes of the Services that Sandvik shall provide to the Customer and the relevant Customer Affiliate, are the controllers of the personal data which Sandvik processes as a processor on behalf of the Customer and the relevant Customer Affiliate. For the avoidance of doubt, the applicable scope of work/order form shall constitute a separate agreement between the Customer Affiliate and the Sandvik entity party to the scope of work/order form. Accordingly, breach of the scope of the work/order form by either party shall not constitute a breach of this DPA and likewise, a breach of this DPA by any party shall not constitute a breach of the scope of work/order form.

D. If Sandvik determines the purposes and means of any processing of the Customer’s personal data, such as when developing the Services or in order to provide statistics, Sandvik becomes the controller for such processing and is, consequently, solely responsible for the lawfulness of such processing as controller under Applicable Data Protection Laws.

E. Where any provision of this DPA requires the Parties to notify or otherwise communicate with each other, such notification or communication shall be made as per the Master Agreement, unless otherwise agreed in writing by relevant employees of the Parties.

 

INTRODUCTION

  1. Model Clauses

The Parties agree that Module 4 of the Model Clauses, included in Schedule 2, shall apply to Sandvik's processing of personal data on behalf of the Customer with the additions below. For the purposes of the Model Clauses, Sandvik is the "data exporter" and the Customer is the "data importer".

  2. Definitions

Lower case terms used but not defined in this DPA, such as "controller", "processor", "personal data" and "processing", shall have the same meaning as in Article 4 of the GDPR. Additional definitions used in this DPA are outlined below.

  3. Priority

In the event of any conflict or inconsistency between this DPA and the Master Agreement, the terms of this DPA shall prevail and in the event of any conflict or inconsistency between the provisions below and the Model Clauses included in Schedule 2, the terms of Schedule 2 shall apply in accordance with Clause 5 of the Model Clauses.

  4. Docking clause

The Parties agree that the docking clause in Clause 7 of the Model Clauses shall not apply.

 

OBLIGATIONS OF THE PARTIES

  5. Instructions

5.1 Sandvik shall only process personal data on behalf of the Customer in accordance with the Instructions by the Customer and Applicable Data Protection Laws.

5.2 In the event the Customer provides additional documented instructions regarding processing of personal data, Sandvik is entitled to remuneration for any costs incurred by Sandvik as a result of such additional instructions. In such case, Sandvik may send a quote of the additional costs to the Customer.

5.3 If Sandvik notifies the Customer that an additional instruction is not feasible or the Customer notifies Sandvik that it does not accept the quote for the additional Instruction, the Customer may terminate, wholly or partly (if possible), the affected Services sixty (60) days after notifying Sandvik to terminate the affected Services. Sandvik will refund a prorated portion of any prepaid charges for the period after such termination date.
 

  6. Technical and organisational security measures

With reference to Clause 8.2 of the Model Clauses, the Parties agree that Sandvik shall implement the technical and organisational security measures set out in Schedule 3 of the DPA. In this connection, the technical and organizational measures will be subject to technical progress, development and improvements for the protection of personal data. Accordingly, Sandvik reserves the right to modify such measures provided that Sandvik continues to ensure a level of security appropriate to the particular risks involved in the processing.

  7. Documentation and compliance

7.1 With reference to Clause 8.3 of the Model Clauses, the Customer may conduct an inspection or audit of the technical and organizational measures that Sandvik has implemented to fulfil its obligations under this DPA, and Sandvik will provide such other information as possible to demonstrate compliance with article 28 of the GDPR, provided that (i) the documentation provided to the Customer pursuant to Clause 8.3 (b) cannot reasonably demonstrate compliance with this DPA; or (ii) a competent supervisory authority requires an inspection of Sandvik. The Customer shall notify Sandvik sixty (60) days in advance prior to conducting such inspection.

7.2 For the avoidance of doubt, an inspection or audit carried out in accordance with section 7.1 above shall only comprise such information that is strictly necessary in order for the Customer to determine whether Sandvik takes appropriate technical and organizational measures to fulfil its obligations under this DPA and shall under no circumstances comprise any other information, e.g. regarding Sandvik’s business operations, other Customers of Sandvik or intellectual property, which is not relevant to Sandvik’s processing of personal data on behalf of the Customer under this DPA.

7.3 The Parties acknowledge and agree that any on-site inspection must be conducted by a third-party auditor jointly appointed by both Parties. The Customer shall ensure that such third party undertakes confidentiality in relation to any information that the third party receives within the scope of the inspection, such confidentiality undertaking being not less restrictive than the confidentiality undertaking in section 12 below. Further, the inspection must occur during normal business hours and only in a manner that causes minimal disruption to Sandvik’s business. The Customer shall be liable for any breach of such confidentiality undertaking by the third party. Any and all costs and expenses related to the inspection shall be borne by the Customer, including any potential costs and expenses incurred by Sandvik due to Sandvik’s participation in such inspection.

  8. Use of sub-processors

8.1 The Customer hereby gives Sandvik a general written authorization to engage sub-processors to process personal data on behalf of the Customer. Sandvik shall ensure the sub-processor has entered into a data processing agreement with obligations no less restrictive than those set out in this DPA.

8.2 All sub-processors engaged by Sandvik as of the Effective Date are listed in Schedule 1 of this DPA (www.toolhivesolutions.com). Sandvik will notify the Customer of any new sub-processor before authorizing such new sub-processor to process the personal data, at least thirty (30) days in advance of such change. Sandvik shall provide the Customer with a process to obtain notice of any new or changed sub-processors. The notification to the Customer shall include the same information about a new or changed sub-processor as set out in Schedule 1 of this DPA regarding currently engaged sub-processors.

8.3 The Customer may object to the addition or replacement of a sub-processor provided that such objection is reasonable and based on data protection grounds. If Sandvik is unable to accommodate the Customer’s objection, the Customer may terminate, wholly or partly (if possible), the affected Services by notifying Sandvik within thirty (30) days of Sandvik’s notice. Sandvik will refund a pro-rated portion of any pre-paid charges for the period after such termination date.

8.4 Where the Customer does not object to the change within thirty (30) days of the notice by Sandvik, Sandvik may engage the sub-processor for the processing of personal data on behalf of the Customer.

  9. Cooperation and assistance

9.1 With reference to Clause 10 of the Model Clauses, Sandvik will report to the Customer without undue delay any request received by Sandvik from a competent supervisory authority or a data subject relating to the processing of personal data under this DPA.

9.2 Taking into account the nature of the processing, Sandvik will assist the Customer in complying with its obligation to respond to requests of data subjects under the local law applicable to the Customer, by appropriate technical and organizational measures, provided that the information is available to Sandvik and such information is not otherwise available to the Customer.

The Customer acknowledges that Sandvik has no responsibility to interact directly with any data subject or supervisory authority in respect of any request, demand or order (except as expressly provided under Applicable Data Protection Laws) or as otherwise agreed by the Parties in writing.

9.3 Sandvik shall have a right to reasonable compensation for any assistance provided to the Customer under Clause 10 of the Model Clauses as well as this section 9, or otherwise as according to a separate agreement between the Parties.

  10. Notification of personal data breach

10.1 With reference to Clause 8.2(b) of the Model Clauses, the Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected data subjects.

10.2 Taking into account the nature of processing and the information available to Sandvik, Sandvik shall assist the Customer in fulfilling its responsibilities under Articles 33 and 34 of the GDPR by doing the following:

10.2.1 Sandvik will investigate the personal data breach and take reasonable measures to identify its root cause(s) and, where such breach is caused by Sandvik or a Sandvik sub-processor, take steps to prevent a recurrence;

10.2.2 As information is collected or otherwise becomes available, to the extent legally permitted, Sandvik will provide the Customer with a description of the personal data breach, the type of the personal data to which the breach relates, and, other information the Customer may reasonably request concerning the affected data subject(s) where such information is available to Sandvik.

10.3 To the extent that a personal data breach is caused by the Customer, Customer Affiliate or anyone acting for the Customer, Sandvik will inform the Customer of the personal data breach and provide information it discovers up to the stage it identifies the breach is caused by the Customer, Customer Affiliate or anyone acting for the Customer. Further assistance to investigate such a personal data breach is subject to the prior agreement of the Parties.

  11. Request from a competent supervisory authority

In case a competent supervisory authority or other regulator requests:

a) information from Sandvik regarding the processing of personal data under this DPA; or

b) that Sandvik shall disclose personal data processed on behalf of the Customer under this DPA,

Sandvik shall without undue delay notify the Customer of any such request. The Parties shall thereafter consult regarding the competent supervisory authority's request. This obligation does not apply if Sandvik is prohibited under applicable law from notifying or consulting with the Customer regarding the supervisory authority's request. Sandvik may not act on the Customer's behalf as agent for the Customer or otherwise.

 

FINAL PROVISIONS

  12. Confidentiality

With reference to Model Clause Section 8.2(c) and without any prejudice to any confidentiality undertaking included in the Master Agreement, the Parties agree to keep the contents of this DPA confidential, unless a Party is legally obligated to disclose its contents.

  13. Term and termination

With reference to Clause 16 of the Model Clauses, this DPA is effective during the same term as the Master Agreement and for such additional period that Sandvik processes personal data on behalf of the Customer.

  14. Return of personal data

With reference to Clause 8.1(d) of the Model Clauses and upon termination of the Master Agreement or this DPA, Sandvik shall delete or anonymize the personal data that Sandvik processes on behalf of the Customer or, upon the Customer’s written request, return such personal data to the Customer, unless Sandvik is legally obligated to continue to store the personal data. If the Customer does not provide any instruction within thirty (30) days following the termination of the Master Agreement or the DPA, the personal data shall be deleted or anonymized by Sandvik without undue delay.

  15. Survival of certain terms

Section 12 (Confidentiality), section 14 (Return of personal data), section 16 (Liability), section 17 (Severability), section 18 (No waiver), section 20 (Governing law), and section 21 (Disputes) shall survive the termination of this DPA for any reason.

  16. Liability

16.1 Each Party shall be liable for any administrative fines by a competent supervisory authority imposed on the Party in question due to the Party's failure to fulfil its obligations under this DPA or Applicable Data Protection Laws.

16.2 Liability for any claims for damages from data subjects concerned shall be governed by Clause 12 of the Model Clauses. All other indirect, consequential, special or incidental cost, loss or damage of any kind is excluded.

16.3 Notwithstanding what is stated above, Sandvik’s total liability for any administrative fines, damages or other direct, indirect, consequential or incidental cost, loss or damage of any kind caused by breach of this DPA shall be limited to the amount paid by the Customer under the Master Agreement, to Sandvik within 12 months prior to the date the claim arose.

  17. Severability

If any provision of this DPA is or becomes invalid, illegal or unenforceable under applicable law, the validity, legality and enforceability of the remainder of the DPA shall not be affected. Instead, the deficient provision shall be replaced with a new provision permitted by applicable law and having an effect as close as possible to the deficient provision.

  18. No waiver

Delay by either Party in exercising a right or remedy under this DPA shall not affect such Party's right to enforce such right or remedy at a later time. A waiver by a Party of any breach of a provision under this DPA shall not be construed as a waiver by such Party in relation to subsequent breaches of such or other provisions in this DPA.

  19. Changes

If Applicable Data Protection Laws, binding judgements or the Services change in such a way that amendments to this DPA are required, Sandvik has a unilateral right to make the necessary updates to this DPA by notifying the Customer in advance of such changes. If the Customer has not objected in writing to such proposed changes within thirty (30) days from when the notification was sent by Sandvik, the Parties agree that the proposed changes to the DPA shall enter into force with immediate effect. For the avoidance of doubt, this Section 19 does not apply to changes regarding sub-processors, as such changes are governed by Section 8.

  20. Governing law

This DPA is governed by Swedish law, without giving effect to any principles of conflicts of law.

  21. Disputes

21.1 Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be settled in accordance with the dispute resolution clause included in the Master Agreement, unless the Parties agree otherwise.

21.2 Notwithstanding the above, any dispute, controversy or claim arising out of or relating to the Model Clauses, or the breach, termination or validity thereof, shall be resolved in accordance with what is stated in Clause 18 of the Model Clauses.

 

ADDITIONAL DEFINITIONS

The following additional defined terms are used in this DPA:

"Applicable Data Protection Laws" means all applicable data privacy laws and regulations of the EEA, including all of its member states and regulations issued by the relevant supervisory authorities;

"Customer Affiliate" means any entity which is controlled by Customer, which controls Customer, or which is under common control with Customer. For the purpose of this DPA, "control" of an entity means the direct or indirect ownership of more than fifty per cent (50%) of the shares or interests entitled to vote for the directors of such entity or equivalent power over the management of such entity, for so long as such entitlement or power exists;

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

"Instructions" means (i) the relevant terms and conditions of this DPA and the Master Agreement; and (ii) any further documented instructions that the Customer may from time to time give, provided they relate to and are consistent with the Services provided by Sandvik under the Master Agreement and DPA, including Schedule 1 of this DPA;

"Model Clauses" means the EU Commission's implementing decision (EU) 2021/914 of 4 June 2021 applicable to processor-to-controller transfers (Module 4), set out in Schedule 2 to this DPA; and

"Services" means services offered to the Customer by Sandvik as described in the Master Agreement.


 SCHEDULE 1

Instruction regarding the processing of personal data for the provision of the Services

This Schedule 1, together with the Master Agreement, sets out the Customer's Instructions with respect to Sandvik's (and its sub-processors) processing of personal data in connection with provision of the Services.

DETAILED DESCRIPTION OF THE PROCESSING OF PERSONAL DATA

Purpose and nature of the processing:

Provide the Hosting Services

Provide personnel of the customer and users of the services with access to the relevant Sandvik services. By way of example: setting up and administering user accounts, allowing the customer to manage access internally to the relevant services, storing personal data in the services, as well as providing other features within the relevant services.

Frequency of the transfer: Regularly

Categories of personal data (Hosting Services):
  • Identity data (e.g. name)
  • Contact details (e.g. e-mail address and phone number (optional))
  • Profile data (e.g. user ID)

Categories of data subjects:
  • Employees of the customer
  • Users of the service

Standard storage period: Personal data is stored 180 days after termination of the subscription, or during the period that the Customer otherwise instructs.

 

Purpose and nature of the processing:

Provide support and maintenance

Provide support and maintenance services to the customer. By way of example; receive and manage support tickets from personnel of the customer and users of the services, perform trouble shooting and take other necessary support measures, including take follow-up actions.

Frequency of the transfer: Regularly

Categories of personal data:
  • Identity data (e.g. name)
  • Contact details (e.g. address, e-mail address and phone number)
  • Organisational information (e.g. company name)
  • Diagnostic data
  • Technical data (e.g. IP address)
  • Communication and interaction

Categories of data subjects:
  • Employees of the customer
  • Users of the service

Standard storage period: Personal data is stored 180 days after termination of the subscription, or during the period that the Customer otherwise instructs.

 

Purpose and nature of the processing:

Used for communication and marketing of the product and new features

Send information about the product, new features and updates to customers and or potential customers. Used for digital marketing to potential customers that have shown interest in the product by signing up for a demo, trial or newsletter on the Toolhive website, or that have registered a product subscription.

Categories of personal data:
  • First and Last Name
  • E-Mail address
  • Login credentials

Categories of data subjects:
  • Potential customer
  • Customer

Standard storage period: Personal data is stored 180 days after termination of subscription, or during the period that the Customer otherwise instructs.

 

PLACE OF PROCESSING

Personal data is processed by Sandvik within the EU/EEA. For information on where the sub-processors that Sandvik has engaged to provide the Services process personal data, please see the list below.

SUB-PROCESSORS

As of the Effective Date, Sandvik engages the following sub-processors:

Sub-processor | Categories of personal data | Purposes | Services | Location of processing | Additional protection controls | Transfer mechanism Chapter V GDPR (if sub-processor is located outside the EU/EEA)

Adyen | Credit or debit card info | Payment processing | Payment processing | EU, US | | 

Chargebee | Identity Data, Contact Details | Chargebee is a subscription billing and revenue management platform. It requires personal data such as names, email addresses, payment details, and billing addresses to process transactions, manage subscriptions, generate invoices, and ensure compliance with financial regulations. | Subscription management | EU | | 

Topdesk | Identity Data, Contact Details | Topdesk is an IT service management (ITSM) and customer support platform. It collects personal data like user names, contact details, and service request history to provide efficient IT support, track issues, and improve customer service through ticketing and incident management. | Customer support | EU | | 

Ebbot | Identity Data, Contact Details | Ebbot is an AI-powered chatbot designed to engage and support customers in real time. It collects personal data such as user names, contact information, and interaction history to deliver tailored and relevant responses. | Chatbot | US, EU | | 

HubSpot | Identity Data, Contact Details | HubSpot is a customer relationship management (CRM) platform that helps businesses manage interactions with customers and prospects. It collects personal data such as names, email addresses, phone numbers, company details, and interaction history to help businesses track leads, personalize marketing efforts, and provide efficient customer support. | Marketing platform | Ireland | | 

Microsoft Ireland Operations Limited | Hosting all data, but not actively processing. | Hosting services on Azure cloud, managing SaaS services for the product. | Hosting service | Data hosting in EU (West), Germany | | N/A (EU/EEA)

 

CHANGES TO THIS INSTRUCTION

The Parties agree that Sandvik from time to time is entitled to make non-material updates or changes to these Instructions to reflect the processing of personal data carried out by Sandvik (and its sub-processors) in connection with the provision of the Services.

 

SCHEDULE 2

Standard contractual clauses for international transfers – Module 4 – Processor to Controller (Model Clauses)

STANDARD CONTRACTUAL CLAUSES (EU) 2021/914

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

 

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

 

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8.1 (b) and Clause 8.3(b);

(iii) Clause 13;

(iv) Clause 15.1(c), (d) and (e);

(v) Clause 16(e);

(vi) Clause 18.

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

 

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

 

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

 

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

 

Clause 7 – Optional

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

 

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

(a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

(b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

(c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

(d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2 Security of processing

(a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner.

(b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

(c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Documentation and compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

 

Clause 9

Use of sub-processors

N/A.

 

Clause 10

Data subject rights

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

 

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

 

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

 

Clause 13

Supervision

N/A.

 

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

 

Clause 15

Obligations of the data importer in case of access by public authorities

(where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimization

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

 

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

 

Clause 17

Governing law

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Sweden.

 

Clause 18

Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of Sweden.

 

APPENDIX TO MODEL CLAUSES

ANNEX I

 

A. LIST OF PARTIES

Data exporter(s): Please see the preamble of the DPA.

Data importer(s): Please see the preamble of the DPA.

 

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Please see Schedule 1 of the DPA.

Categories of personal data transferred

Please see Schedule 1 of the DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Please see Schedule 1 of the DPA.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Please see Schedule 1 of the DPA.

Nature of the processing

Please see Schedule 1 of the DPA.

Purpose(s) of the data transfer and further processing

Please see Schedule 1 of the DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Please see Schedule 1 of the DPA.

 

C. COMPETENT SUPERVISORY AUTHORITY

N/A.

 

SCHEDULE 3

Technical and organisational measures including technical and organisational measures to ensure the security of the data

Toolhive Technical and Organizational Security Measures

Toolhive implements and maintains technical and organizational security measures to protect customer assets and data. We recognize that data security is crucial for our clients' business success. We are fully committed to maintaining a high level of privacy and security within our systems, policies, and business operations. This includes, but is not limited to, secure software development, secure data centers, host hardening, and network security. We are constantly working on improving our security posture.

Please note that security is a collaborative effort. Do not hesitate to contact us if you have any questions.

Toolhive is primarily built on technologies provided by Microsoft and hosted in their data centers. Information entered into the application, such as users, devices, items, transactions, and events, is protected by security controls managed by Microsoft. Our contract with Microsoft, along with our own controls, ensures that customer data is secured according to best practices. Microsoft offers a comprehensive set of compliance offerings that comply with national, regional, and industry-specific requirements governing the collection and use of data.

For more information on these security measures, please visit Microsoft Azure Trusted Cloud.

Certain customer data related to subscription management and payments is stored in our ERP and our invoicing and subscription system, Chargebee. Some support data, such as basic customer information and incidents related to a customer, is stored in TopDesk and Hubspot. Data stored in these systems primarily includes Customer Account Manager and related contact details.

 

Physical Security

Data Center Security

Microsoft Azure operates in data centers managed and operated by Microsoft or their partners. These geographically dispersed data centers comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. The data centers are managed, monitored, and administered by Microsoft operations staff, who have years of experience in delivering the world’s largest online services with 24x7 continuity.

The Azure network architecture provides connectivity from the Internet to the Azure data centers. Any workload deployed (IaaS, PaaS, and SaaS) on Azure leverages the Azure data center network.

For more information on Azure infrastructure security, please visit Azure Infrastructure Security.

 

Access Control to Premises and Facilities

Microsoft employs a layered approach to physical security to reduce the risk of unauthorized users gaining physical access to data and data center resources. Data centers managed by Microsoft have extensive layers of protection, including access approval at the facility’s perimeter, the building’s perimeter, inside the building, and on the data center floor.

For more information on Azure physical security, please visit Azure Physical Security.

 

Developer Security

Access Control to Systems

Developers from external partner companies are assigned to development projects in DevOps after the Development partner has signed a Non-Disclosure Agreement (NDA). To gain access to the development system, external developers use Sandvik’s corporate Identity Provider with personalized accounts and two-factor authentication.

System administrators and operators are authenticated via Sandvik’s corporate Identity Provider using personalized accounts and two-factor authentication. Authorization is implemented using the Azure role-based access control (Azure RBAC) system, providing fine-grained access management to system resources in Microsoft Azure.

The Microsoft DevOps build process is connected using Azure App Registrations with a security model based on certificates or keys.

Passwords for system administrators, system operators, and system users follow rules for length and complexity, including lower and upper case characters, special characters, and numbers.

 

Access Control to Back-End Data

Access to customer data by the development team is denied by default. When access to data related to a support case is needed, the information necessary for that support case is provided through elevated access permissions, which are logged and auditable.

Access to customer data is controlled by Sandvik’s corporate Identity Provider using personalized accounts and two-factor authentication.

 

Data Security

Azure provides customers with strong data security, both by default and as customer options. This includes data segregation, at-rest data protection, in-transit data protection, data redundancy, and data destruction.

For more information on Azure data protection, please visit Azure Data Protection.

 

Data Storage

Stored data is encrypted at the storage level in the Microsoft Azure environment. This applies to active, backed-up, and archived data residing in the Microsoft Azure environment. In certain cases, data may be encrypted at the database, data record, or document level.

Data is segregated per tenant (user or organization) using logical isolation mechanisms.

 

Data in Transit

Data in transit is protected using secured network communications and VNETs where applicable. All incoming and outbound traffic is encrypted using TLS 1.2.

Additionally, "encryption by default" using MACsec (an IEEE standard at the data-link layer) is enabled for all Azure traffic traveling between Azure data centers to ensure the confidentiality and integrity of customer data.

Access from external systems is done via the Microsoft Azure Gateway service, which adds an additional layer of security when accessing data.

 

Data Deletion

In a multi-tenant environment such as Microsoft Azure, careful attention is taken to ensure that one customer’s data does not "leak" into another customer’s data. When a customer deletes data, no other customer (including, in most cases, the customer who once owned the data) can gain access to that deleted data. Data destruction techniques vary depending on the type of data object being destroyed, whether it be storage or databases.

 

Data Back-Ups

As Toolhive is a cloud solution, we use Microsoft Azure SaaS storage (SQL, Blob storage, and Cosmos DB) as part of the application landscape. These SaaS services can be recovered to any point up to 30 days back. For specific customers, we can recover deleted objects as a service (where the customer has made no exports that could be used to re-import the data).

Our backups are stored in the same region as the application runs (West Europe, Netherlands). At this time, all backups are region-specific, meaning each deployment region maintains its own independent backup system.

 

Application Security

Operational Practices

Role-Based Access Control (RBAC) is used at all levels in the application landscape of Toolhive to manage accounts and operationally control users in the application.

 

Toolhive website

The customer can do the following on the site:

1) The customer can contact us using the contact form. To do so, they must provide at least their name and e-mail address.

2) The customer can request a software demo from us using the form. To do so, they must provide at least their name and e-mail address.

3) The customer can subscribe to our newsletter to receive regular updates from us. To do so, they must provide at least their name and e-mail address.

4) If the customer is interested in our e-book or one-pager, they can receive a free copy in exchange for their name and e-mail address. To do this, the customer fills out the short form and receives the e-book/one-pager in return.

5) The customer can test our product in a free version. To do so, they must provide their name and e-mail address.

6) The customer can buy our product online and must provide additional information such as company, address and payment details to complete the registration.

 

Customer Management Portal (CMP)

Sales Unit (Distributor) account administrators can create trial and active customers, manage the number of licenses, order add-ons, and cancel accounts. They have access to the customer data of the customers registered with them as Sales Unit.

Upon first sign-up, a Customer Account Manager is created (an end customer user who needs to approve SaaS T&C before the account is accessible). The user finishes the sign up process and approves T&C in the product onboarding flow before the account is activated.

 

Product interface

The system foresees the following roles:

  • Account owner/customer
  • User

The account owner can

  • Sign up for, add or upgrade a subscription.
  • Cancel a subscription
  • Manage payments
  • Invite users to the application
  • Cancel seats/users
  • Re-invite or switch permissions from one to another user

 

Login

The user and the account owner can log into the system via the website and the login dialogue with username/email and password.

All users which have access to the app can

  • Define a password
  • Use their email address, first name, last name as login credentials
  • Reset/ Change their password

Deletion of data

  • If a customer does not extend their trial subscription, their account is suspended once the trial validity period ends.
  • In this case, they can still sign into the account management to
    o    change their password
    o    extend their subscription by initiating the payment process / switching to a paid subscription
  • We store all data for a period of 180 days after the subscription has been suspended.
  • The customer can sign in at any time within that period to upgrade their subscription to a paid subscription.
  • If they do not sign in within that period, all data and the complete account are automatically deleted.
  • The customer receives two reminder emails during that period to inform them about this process.
  • The customer receives a final email after their account has been deleted.

What you can do on your side

Manage your account within the product interface in Account management settings. The general rule should always be that individuals do not have access to more information and permissions than they need for their daily work. Revoke access when employees leave the company or change their position.

  • Do not share accounts.
  • Use the change password setting when new users are created. This forces first-time sign-in users to change their password.


Secure Network Communications, Platform, and Infrastructure Security

How We Work

Toolhive is a cloud-based solution that operates within a secure Azure Virtual Network (VNet). The application and its integration endpoints are accessible to external users and systems through an Azure Application Gateway, which provides secure traffic management and firewall protection.

  • Logging & Security Monitoring:
    o    The Azure Application Gateway logs are actively monitored, and security events are analyzed to detect and respond to potential anomalies.
  • Firewall & Access Control:
    o    A Web Application Firewall (WAF) is enabled for real-time threat protection.
    o    Fixed IP addresses are used for all incoming and outgoing network requests to improve security.
  • Secure Communication & Port Requirements:
    o    Toolhive enforces encrypted HTTPS (TLS 1.2+) communication for all data transmissions.
     

Incident Response

How We Work
Our Toolhive team monitors the health of services and responds to any customer-reported incidents based on the SLA. If a security incident occurs that may involve leaked data, our customers will be informed in accordance with GDPR rules. All relevant traffic logs are collected and analyzed using Azure’s built-in monitoring and security tools. Automated anomaly detection helps identify potential security incidents, which are then reviewed internally by the Toolhive team.

What You Can Do on Your Side
If an incident occurs, activate your business continuity plan.

Support Services

How We Work
Toolhive primarily uses internal resources for first-line technical support to customers. To provide support, they will have access to the necessary customer data in the Toolhive application. The user grants the support function access to the relevant personal data when registering and accepting the T&C of the Toolhive solution.

When a Sales unit account administrator (distributor/reseller) has registered the customer via CMP, they can provide non-technical customer support. External support partners are listed as sub-processors of personal data and must be approved by the customer as an account administrator in CMP. This is part of the process when a customer signs up to a subscription license from a reseller.

For data support services, data needs to be shared (for example, if our service partner is to assist with manually importing tool data into your tool library). In these cases, we use secure file transfer and avoid all email conversations containing data.

What You Can Do on Your Side
If you grant any external user access to your account, ensure that the user is deleted or their access is revoked once the service has been performed. Also, do not send sensitive information such as user lists and similar data over email to a service partner.

Training

How We Work
All Toolhive employees receive cybersecurity training through Sandvik’s Security Awareness program.

What You Can Do on Your Side
Educate your employees in cybersecurity best practices. Remember that your employees are the best protection against cybercrimes.

Software Development and Application Security
The Toolhive development teams work agilely and according to Microsoft Azure DevOps, using a multi-environment setup and fully automated deployment pipelines.

OWASP Top 10:2021 (Open Web Application Security Project)

Compliance

Data Privacy (GDPR and Other Relevant Privacy Laws)
Toolhive is fully GDPR compliant. All personally identifiable information is managed separately from production data and will be deleted according to the retention rules of Toolhive.

Since Toolhive is part of Sandvik, we have a privacy compliance program together with the group. If you want to read our privacy policy, learn more about our cookie management, or make a personal data request, please visit our common privacy page.

Data privacy — Sandvik Group (home.sandvik)

Frameworks
At Sandvik and Toolhive we are working towards alignment with the NIST Cybersecurity Framework.


1 Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision

2 This includes whether the transfer and further processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.

3 As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion.