Terms and conditions for the use of the Iconfirm services

Version 2021.01.01

Table of contents

1. Background and purpose

1.1 Iconfirm AS (“ICONFIRM”), Oslo, Norway with company registration number 917 751 994 is a company dedicated to data privacy and compliance to the EU General Data Protection Regulation (GDPR) and has developed a suite of services to meet the new requirements. This document governs the terms of use of the ICONFIRM services (hereinafter the "Service”). The Service is described in more detail in Appendix 1.

1.2 As from 2021.01.01, this standard subscription agreement regulates the terms of use of the Service ("Agreement").

1.3 When a subscription is made through and confirmed by one of ICONFIRMs partners, the subscriber (“Customer”) will have access to and the right to use the Service for as long as the Customer holds a valid subscription.

1.4 ICONFIRM and Customer are hereinafter jointly referred to as "parties" and individually as a "Party"

1.5 The parties' rights and obligations are governed by this Agreement and supersedes any previous agreements between the Parties regarding the use of the Service.

1.6 The Agreement is valid from the date a subscription to the Service is made.

1.7 The agreement includes the following Appendices:

Appendix 1 The ICONFIRM service
Appendix 2 Subscriptions & Recommended retail price
Appendix 3 Data Processing Agreement
Appendix 4 Third Party Vendors/Data Processors at the time of entering into this Agreement

In case of conflict, the Agreement's main part precedes the individual Appendix.

^ Tilbake til toppen


2. Definitions

The service: The service as described in Appendix 1.
Essential Functions The Service's main functionality is the Collaboration platform covering:
i) Vendor/customer management (incl Data Processing Agreements)
ii) Subject rights requests management
iii) Consent management
iv) Incident management
v) Data Processing management
Saas: Software as a Service; Software provided as a service over the Internet and not as a downloadable product.
API: Application Programming Interface. Interface Services that can be made available for integration with Customer's own solutions. The function of the API will depend on the integration that is selected.
Data Subject: A private person for whom the Customer is the Data Controller and where the Service is used to process his / her personal information.
Uptime: The availability of the Service. This is generally 24 hours a day, 365 days a year, but with a maintenance window for scheduled downtime between kl. 18-06 Norwegian time. Such uptime does not cover Support, which is specifically regulated in section 4.3 below.
Maintenance Window: Maintenance window is the time when maintenance on the Service will be made. The usual maintenance window for the Service is between kl. 18-06 Norwegian time.
Downtime: Refers to a period when Essential Functions, or the Service as a whole is unavailable. Downtime within the Maintenance Window of the Service is not considered as “Downtime”.
Data Controller The entity determining the purpose and through which means personal data is being processed. The Customer is the Data Controller and responsible for the Customer's use of the Service.
Data Processor: The entity who processes personal information on behalf of the Data Controller. ICONFIRM is a data processor for the Customer.
Third Party Vendors

Refers to third party vendors, data processors and other sub contractors that at any time assist ICONFIRM with the fulfilment of this Agreement. 

  ^ Tilbake til toppen

3. Customer use of the Service

3.1 Terms of use

3.1.1 By using the Services, Customer agrees to all of the terms and conditions of these ICONFIRM Terms and Conditions, including the limitations on liability set forth herein and the provisions governing ICONFIRM’s ability to modify these Terms and Conditions set forth in Section 8.1. IF CUSTOMER DOES NOT AGREE WITH ALL OF THE TERMS AND CONDITIONS SET FORTH HEREIN, CUSTOMER IS NOT PERMITTED TO USE THE SERVICES.

3.1.2 The Customer, upon subscribing to the Service, receives a limited, revocable, non-exclusive and non-transferable right to use the Service in accordance with the Agreement.

3.1.3 The Service is provided as "Software as a Service" (SaaS), and is made available through the Internet. The Customer is responsible for having the necessary equipment for accessing and further use of the Service.

3.1.4 The Customer pays a subscription for rights of access and usage of the Service, as described in Section 3.2 of the Agreement. The price for use of the Service is to be agreed with ICONFIRM or ICONFIRM partner arranging and managing the subscription. The subscription is scalable, and can be upgraded for extended features. The Customer can access the service through the website https://www.iconfirm.eu/. Additional integration with Customer's own systems can be established through access to ICONFIRMs API web service. The use of the APIs provided is entirely managed by the Customer. The Customer will not get a physical copy of the software for download.

3.1.5 The Customer shall be given login rights for the Service.

3.1.6 The Service is offered as a standardized service, without customizations, and entitles the Customer access to the Service as it is delivered at any given time. The right of use is not linked to any particular version, to a given functionality or to a particular time. The right to use the Service does not require delivery of any future versions or functionality.

3.2 Subscription and additional features
3.2.1 ICONFIRM offers the Customer a SaaS subscription. The Customer can choose from;
- ICONFIRM Data Controller or Data Processor subscription.
- Iconfirm may at any time introduce additional modules or content that can be subscribed to as add-ons or upgrades.

3.2.2 Subscriptions and additional features are described in more detail in Appendix 2.

3.2.3 The Customer can adjust the subscription and add-ons at any time. Changes are done in writing and will take effect from the following month.

3.2.4 In the case of upgrading and downgrading, payment will consequently be amended in accordance with Appendix 2 and section 3.3 below.

3.3 Payment
3.3.1 Initial payment for use of the Service shall be made at the signing of this Agreement and thereafter a monthly subscription payment in advance. Custom development and advisory will be invoiced in arrears.

3.3.2 Taxes and fees will be added to invoice according to at any time current rates and fees.

3.3.3 In case of late payment, the applicable late interest rates in accordance with the Norwegian Act relating to Interest on Overdue Payments of 1976 will apply at the current interest rate, from 14 days after maturity.

3.3.4 From 30 days after maturity, ICONFIRM has the right to close Customer's access to the Service until payment occurs.

^ Tilbake til toppen


4. Delivery of the Service

4.1 Availability
4.1.1 ICONFIRM is responsible for making the Service available to the Customer upon signature of the Agreement.

4.1.2 ICONFIRM cannot guarantee that the Service is available at all times. ICONFIRM will strive for an uptime of 99% outside of the general Maintenance Window. Uptime and General Maintenance Window are defined in Point 3 of the Agreement.

4.1.3 ICONFIRM is not responsible for Downtime caused by Third Party Vendors. ICONFIRM shall, as far as possible, notify the Customer of any planned Downtime of Third Party Vendors.

4.1.4 ICONFIRM may, at any time, make improvements, add, modify or remove functionality, or correct any errors or omissions in the Service. ICONFIRM can do this without obligation or liability because of such act or omission. ICONFIRM nevertheless undertakes to limit Downtime as far as possible. ICONFIRM has a duty to maintain Essential Functions for the duration of the Agreement.

4.2 Maintenance
4.2.1 ICONFIRM is responsible for maintenance of the Service. Maintenance is carried out regularly and when needed. The Customer is not entitled to demand maintenance of the Service.

4.2.2 Testing and maintenance of the software shall be such that it affects the Service to the least extent possible.

4.2.3 From time to time, ICONFIRM may require additional maintenance windows in addition to the standard. Such scheduled Downtime will be notified on the Services welcome page at least 7 days before and is not included in the calculation of availability.

4.2.4 In cases where maintenance causes Downtime, which is necessary to safeguard the security of the Service, such notice may be omitted. The same applies to extraordinary cases where it is not possible to provide such notice.

4.3 Support
4.3.1 Main line of support is provided either directly or through the ICONFIRM partner managing the subscription.

4.3.2 ICONFIRM offers technical support via email to support@iconfirm.eu The technical support is limited to:
- Critical advice on Essential Functions
- Reporting errors in the Service
- Problems with access to the Service provided by ICONFIRM

4.3.3 The technical support provided by ICONFIRM is included in the subscription fee and is not separately billed. Additional training and support can is provided by ICONFIRM or ICONFIRM partner arranging the subscription as per 4.3.1 above as per separate agreement.

4.3.4 ICONFIRM will respond to requests for technical support within 24 hours. For inquiries about Essential Functions, ICONFIRM will respond within 1 hour unless such requests are filed between 18:00 and 06:00 Norwegian time.

4.3.5 Support do not include;
- connection of the Service API with Customer's internal systems,
- Customer's customizations,
- administration of user access rights,
- text for use in the Service
- and any other issue for which the Customer is responsible.

4.4 Third Party Vendors
4.4.1 ICONFIRM reserves the right to use any Third Party Vendors in providing the Service and to fulfil any obligation in accordance with this Agreement. Current Third Party Vendors used for the fulfilment of this Agreement are shown in Appendix 4.

4.4.2 ICONFIRM can change Third Party Vendors at any time at its own discretion.

4.4.3 ICONFIRM shall notify the Customer of any change of Third Party Vendors.

^ Tilbake til toppen

5. Responsibility

5.1 Limited liability
5.1.1 When providing the Service as a Data Processor, ICONFIRM will process personal information in accordance with EU-law, the laws of the Kingdom of Norway and other applicable mandatory rule of law.

5.1.2 ICONFIRM assumes responsibility for damage caused to data subjects due to breach of applicable privacy requirements in accordance with EU-law, the laws of the Kingdom of Norway and other applicable mandatory rule of law, provided ICONFIRM has acted in conflict with instructions from or agreement with the Data Controller. The processing of personal data is further regulated in Appendix 3.

5.1.3 The Customer is responsible for its own operating system and vendors, and for adjustments made in their own systems to deploy the Service.

5.1.4 The service is self-service and the Customer is responsible for own use. This includes, but is not limited to, configuration of the system, wording of the texts, obtaining valid consents from the data subject etc. It is recommended that all texts to be configured by the Customer is reviewed by appropriate legal experts.

5.1.5 The Customer is responsible that all texts (such as notifications, privacy notices, consents) that are configurable in the solution fulfils the regulatory requirements relevant to Customer’s business. ICONFIRM may provide example texts, but these are merely for illustration purposes and Customer must add, rephrase or erase information to make it suitable to reflect Customer’s own business. The Customer is responsible for having knowledge of current and relevant regulations regarding the processing of personal data, consent management and related requirements.

5.1.6 The Customer is responsible for necessary Customer internal training for the use of the Service. ICONFIRM personnel have limited access to the Customer's data unless specifically granted by the Customers dedicated administrator.

5.1.7 ICONFIRM is not responsible for the unlawful use of the Service or for illegal content placed in the Service by the Customer or anyone provided by the Customer.

5.2 Information Security
5.2.1 ICONFIRM has implemented technical and organizational security measures to protect data against loss, abuse and unauthorized change. Such measures have been implemented to correspond to a level of security that is in proportion to the risk of data processing, including personal data, and considering the cost of implementation.

5.2.2 ICONFIRM provides regular backup of data stored through the Service.

5.2.3 ICONFIRM seeks to prevent security threats, including data being available to unauthorized third parties.

5.2.4 ICONFIRM performs risk assessments of third party deliveries to the Service.

5.2.5 Information security measures are described in more detail in the data processing agreement

5.3 Processing of personal data
5.3.1 The Customer is the Data Controller in relation to the processing of Personal data of own data subjects. ICONFIRM is a Data Processor for the Customer. The parties undertake to enter into a separate data processor agreement, enclosed with this Agreement in Appendix 3.

^ Tilbake til toppen

6. Limited rights and obligations

6.1 Rights to the Service

6.1.1 The Customer, upon entering into the Agreement, receives a limited, revocable, non-exclusive and non-transferable right to use the Service.

6.1.2 ICONFIRM retains all rights to the Service regardless of whether the rights are registered or not. This includes property rights and intellectual property rights such as copyright, patents, trademarks, design, product design, source code, databases, business plans, know how, ideas and other types of rights.

6.1.3 The Customer shall, without undue delay, inform ICONFIRM in writing if the Customer becomes aware of third party infringement to ICONFIRM's trademarks or other intellectual property rights.

6.1.4 The Customer is entitled, and encouraged, to use the ICONFIRM logo, which is a registered, combined trademark, on its own websites. The prerequisite for such use of the logo is that it simultaneously links the website https://www.iconfirm.eu/ to the logo.

6.1.5 The Customer has ownership of all own data uploaded in the Service. This includes obtained consents, texts, documents, etc. as the Customer himself delivers to the Service. ICONFIRM cannot retrieve or use such data, texts or documents for its own purposes.

6.2 The Customer’s duty to manage access control
6.2.1 The Customer is responsible for managing their own access control to the Service. This includes:
- That only employees who have a defined need can access the Service,
- That all defined users should be unique individuals with delegated authority and assigned rights. If utilizing the APIs for an integrated solution, the Customer is responsible to ensure adequate access control in own systems to identify which individuals have taken action in the Service.
- That the Customer's Access Control List is continuously updated.

6.3 Transfer of the Agreement and third party use
6.3.1 The Customer cannot transfer the subscription to another legal entity without the prior written consent of ICONFIRM. Such consent shall not be unreasonably withheld. This also applies to Customer internal transfers following reorganizations or restructurings.

6.3.2 Customer is not entitled to grant third parties access to the Service without ICONFIRM's written consent. This means that the Customer cannot provide access to use, obtaining consent, retrieving information, etc., to persons other than their own employees. Consent cannot be denied without a proper basis.

6.3.3 ICONFIRM may require payment for any third party's use of the Service.

6.4 Confidentiality / Secrecy
6.4.1 The Parties are mutually bound to maintain confidentiality of the following information regardless of medium and form, provided that the information is obtained in relation to this Agreement and the information is not publicly known: know-how, show how, technical specifications, methods, terms, business assessments and analysis, business plans, budgets, strategies , financial information trade secrets, information that may be subject to intellectual property protection, or personal data

6.4.2 The confidentiality obligation applies 10 years after the termination of the Agreement.

6.4.3 The duty of confidentiality applies to the Parties' employees, subcontractors and third parties acting on behalf of the Parties during execution of the Agreement. The Parties may only transmit confidential information to such subcontractors and third parties to the extent that this is necessary for the execution of the Agreement and provided that they are bound to confidentiality identical to this Agreement.

6.4.4 The confidentiality obligation under this provision does not prevent the disclosure of information that may be required provided by law.

6.5 Indemnification
6.5.1 The Customer undertakes to indemnify ICONFIRM for any third party claims relating to the Customer's processing of data and use of the Service in violation of any third party's rights.

6.5.2 If Customer becomes aware of any third parties claiming trade mark infringement or other intellectual property rights of a third party, the Customer shall promptly notify ICONFIRM thereof.

^ Tilbake til toppen

7. Breach of the Agreement

7.1 Refunds
7.1.1 For Downtime, not caused by Third Party Vendors, the Customer may be entitled to a refund. Refund is given for a full day if the Service has had more than 240 minutes of continuous Downtime. If Downtime exceeds 1 day, the refund will be made for each additional day at commencement of the day. Refund is granted for a maximum of 29 days.

7.1.2 Refunds are calculated according to standardized rates depending on the subscription and are described in more detail in Appendix 2.

7.1.3 Customer is not entitled to any other form of refund for breach of Uptime.

7.2 Termination
7.2.1 If the Parties fail to fulfil their obligations under the Agreement, each Party shall have the right, subject to prior written notice, to withhold their respective duties until the other Party's obligations are fulfilled.

7.2.2 In the case of material breach, after giving the defaulting Party reasonable time to bring the issue in order, the other Party has the right to terminate all or parts of the Agreement with immediate effect. Such termination must be delivered in writing.

7.2.3 Significant material breach can always be declared by ICONFIRM when Customers:
- Use the Service beyond the purpose of the Agreement.
- Placing of illegal material in the Service.
- Violation of copyright and other intellectual property rights etc.
- Payment breach over 60 days from maturity.
- Transfer of viruses or other security-related events from the Customer to ICONFIRM.
- Third Party Use and Transfer of the Agreement without written consent.

7.2.4 Significant material breach can be declared by both Parties in the events where is:
- Confidentiality breach.
- Opening of debt negotiations, insolvency, bankruptcy, or any other form of creditorship, unless otherwise provided by law.

7.2.5 If the Service loses Functions of essential importance to the Service over a period of one month, the Customer is entitled to terminate the Agreement. Cancellation of the Agreement will only be effective for future services.

7.2.6 Upon temporary suspension of the Service due to lack of payment, ICONFIRM is obliged to provide individual and temporarily access so that the Customer can retrieve their own data, but not for a longer period than necessary and until payment occurs. Upon termination of the Agreement, ICONFIRM undertakes to provide individual and temporarily access to the Service until the Customer has obtained his own data but for no longer than 45 days.

7.3 Compensation
7.3.1 Each Party is entitled to compensation for direct loss if the loss is due to negligence by the other Party. However, this does not apply if the loss is due to circumstances that the injured party itself is responsible for.

7.3.2 No Party is responsible for indirect or consequential loss, such as lost profit, loss of data, lost efficiency gains etc. If the Customer violates ICONFIRM's rights to the Service described in section 6, the confidentiality clause in section 6.4, acts that affect the reputation of ICONFIRM or act grossly negligently or intentionally, the Customer is also liable for indirect loss.

7.3.3 In all cases, Customer's claim against ICONFIRM is limited to 100% of Customers payments to ICONFIRM for the last 12 months (exclusive of VAT).

7.3.4 Customer claims for damages on data subjects are governed by the responsibility of a Data Processor according to prevailing data protection regulations and as described in section 5.1.1

^ Tilbake til toppen

8. Termination or amendment of the Agreement

8.1 Amendments
8.1.1 ICONFIRM has the right to change the terms of this Agreement with 60 days written notice. The Agreement with Attachments shall be available in the latest version by logging in to the Customer at https://www.iconfirm.eu/.

8.1.2 Updated terms are accepted by the Customer for continued use of the Service at the end of the 6o days and no notice of termination has been given within these 60 days. If the Customer does not approve the updated terms, the Agreement will expire three (3) months after the expiry of the 60 day deadline.

8.1.3 Amendments to Data Processor Agreement in Appendix 3 shall be in writing, signed and attached to this Agreement.

8.2 Duration / Termination
8.2.1 The Agreement runs from signing up to the expiration of notice period upon termination by one of the parties.

8.2.2 ICONFIRM can terminate the Agreement with 12 months written notice.

8.2.3 The Customer can terminate the Agreement with 6 months written notice.

8.3 Competence transfer and obligations upon termination of the Agreement
8.3.1 Termination of the Agreement does not discharge any of the Parties from their duty to pay due amounts as well as adherence with obligations relating to loyalty, intellectual property, confidentiality and liability.

8.3.2 Upon termination of the Agreement, ICONFIRM is obliged to contribute to the transfer of data to another supplier and / or return all data that the Customer has uploaded to the Service in the extent possible and reasonable. Such transferring shall be instructed in writing upon termination and be done within a reasonable period (e.g. 45 days).

8.3.3 In cases where such transmission involves more than one hour of work for ICONFIRM, ICONFIRM is entitled to additional compensation for the costs incurred according to the price stated in Appendix 2 for technical consultation / advice.

^ Tilbake til toppen

9. Force Majeure and extraordinary events

9.1 The parties are not liable for any damage or loss of any kind arising from extraordinary events beyond the Parties control, neither at the Parties nor at any third party. This assumes that the parties could not predict and reasonably have avoided or overcome the consequences of the incident.

9.2 The Parties' obligations are suspended for as long as the extraordinary situation persists.

9.3 Such extraordinary events include, but is not limited to, war, rebel, blockade, natural disasters, strikes, lock-outs, hacker attacks, viruses etc.

9.4 In such force majeure situations, the parties may only withdraw from the Agreement with the consent of the affected party or if the situation lasts or is expected to last for more than 90 days from the date the situation occurred and only after 30 days written notice.

^ Tilbake til toppen

10. Governing Law. Jurisdiction. Disputes

10.1 The Agreement and any dispute connected with it is governed by Norwegian law.

10.2 In the event of a dispute between the Parties concerning the validity, interpretation or execution of the Agreement and the dispute cannot be resolved by negotiation, the dispute shall be brought before the ordinary courts. Oslo District Court is adopted as a court of law.

^ Tilbake til toppen


System configuration, administration and subsequent use is entirely managed by the Customer.


Subscriptions content Data Controller Data Processor
Document data processing activities v v
List ‘recipients’ of data (internal, data processors/third parties) and tag to the relevant data processing activities v v
Define specific ‘privacy notices’ and ‘consents’ for the different data processing activities v v
Risk module for Risk assessments and Data Protection Impact Assessment (DPIA)



Data subject privacy portal for notifications, consents and rights requests dashboard
- Obtain consents/confirmations verified by witnesses (parents/guardians)



Manage data subject rights requests - Dashboard v v
Internal & external notifications of tasks and events v v
Overview per Data subject with individual audit trails & tasks v v
Authenticate Data subjects with third party verification (e.g. BankID) v v
Incident module v v
API access



Manage multiple subscriptions (Multi-user) v v
Access to templates for text illustrations (currently only in Norwegian) v v
Advanced data processing v v
Separate interface and log-in for recipients                            v v
Autogenerate Data Processing agreements
- Separate log in for maintenance of relevant information by counterpart
v v
Register system as global solution, selectable by other data controllers
- Notify or obtain consents for change of sub-processors
- Upload security documentation/audit reports  


^ Tilbake til toppen


The pricing is linked to selected subscription. An overview of functionality and subscription is shown in Appendix 1 and the price structure below. The use of integration APIs or connectors are recommended to ensure data integrity between the systems.

Prices are determined on a case by case basis by the ICONFIRM partners, but for guidance, the company has a recommended retail price as per below. Due to the variation in SMS and authentication costs across countries, the prices shown are excluding such costs which will be added.

Price structure (recommended retail price).

Monthly price (NOK)* Controller Processor


Price upon request.

Special pricing programmes available for SMEs and Municipalities/Public sector

* Does not cover charges from third party authentication nor SMS traffic

The price is calculated per month and based on the aggregated number of active records held. All prices are quoted exclusive of taxes.


The prices described above are valid from 01.11.2020.

Payment Terms

Payment terms are 14 days after invoicing or to be agreed with the ICONFIRM Partner.

In the case of non-payment, ICONFIRM has no delivery obligation and may choose to close all or part of the Service. In such case, however, ICONFIRM is obliged to allow the customer to access his data in line with what is regulated in section 7.2.6


For Downtime, the Customer may be entitled to a refund provided that the end user is eligible for, and is claiming, such refund, Refund is given for a full day if the Service has had more than 240 minutes of continuous. If Downtime exceeds 1 day, the refund will be made for each additional day at commencement of the day. Refund is granted for a maximum of 29 days. The refund is calculated, based on the subscription of the month where the Downtime happened. Refund is only pertaining to the monthly fee, transactional costs per obtained consent is payable.

The customer must make a written request within 14 days to claim such a refund.


^ Tilbake til toppen

APPENDIX 3 - Data processor agreement (draft)


^ Tilbake til toppen

APPENDIX 4 - Third party vendors/Data processors

Company Country Functionality Data access Example
Microsoft Ireland/
Azure cloud solution Encrypted storage of all personal data.  
SMS teknik AB Sweden Solution provider SMS notifications End-user phone number and actual text message and url link "Your number is provided as part of obtaining consent, if correct please press the link below: [URL]"
Link Mobility AS Norway Solution provider SMS notifications End-user phone number and actual text message and url link "Your number is provided as part of obtaining consent, if correct please press the link below: [URL]"
SendGrid USA, (Model clause agreement in place) Solution Provider e-mail notifications End user eMail address, e-mail content and url link.

Mail from "no-reply@ICONFIRM.EU": Title: "Samtykke/CONSENT". Text:


Signicat AS Norway Potential solution provider for Authentication Data subjects Social security number or date of birth and mobile number to provide level 4 Authentication  
Uptime-Comperio AS Norway and Estonia Software development No access to customer specific personal data. Confidentiality agreement.  


^ Tilbake til toppen