Skip to content
Zefort Logo
  • Product
    • Product TourWhat can Zefort do for you?
    • Zefort SignThe easiest e-signature solution around
    • Document AutomationCreate Contract Templates with Document Automation
    • IntegrationsGet things done with Zefort integrations
    • SecuritySecurity and compliance are our top priorities
  • Demo
  • Solutions
    • Legal teamsReduce manual work, manage risks & liabilities better
    • ProcurementControl important contracts, documents and best practices
    • HR teamsEmployment contracts & appendices in a single, secure location
    • Sales teamsSign customer contracts and appendices easily
    • Company administrationArchive all administrative documents easily and safely
  • Pricing
  • Customers
  • Resources
    • Blog & guides
    • Events & webinars
    • Knowledge base
    • What’s new?
    • Partnerships
    • Developers
  • About
    • Company
    • Careers
    • Contact us
  • Sign in
  • View demo
  • en
    • en
    • fi
    • se

General Terms and Conditions for ZEFORT’S Services

Last Updated Date 30th April 2025

1. GENERAL

1.1 These general terms and conditions (the “Terms”) apply to the Agreement between Zefort Oy (“Zefort”) and the Customer regarding Zefort's Services. They constitute an appendix to the Agreement and form an integral part of the Agreement. In the event of a conflict between these Terms and the provisions of the Agreement, the provisions of the Agreement shall prevail.

1.2. Zefort may amend the Terms from time to time at its own discretion. In case the amendments significantly impact the rights or responsibilities of the Customer, Zefort shall notify the Customer of such changes thirty (30) days before such changes enter into force. If the Customer does not accept the changes, the Customer shall notify Zefort hereof within ten (10) days of receipt of the notification of the changes. Each Party may then, at their own discretion, terminate the agreement.

For other changes, such as changes of a technical nature, which do not significantly impact the rights or responsibilities of the Customer, Zefort has the right to inform the Customer by notifying of the changes on its website or other communication channel as it deems appropriate. Such changes shall take effect at a time to be determined by Zefort. The changes become binding on the Customer unless the Customer notifies Zefort before the changes take effect that it does not accept the changes. If the Customer does not accept the changes, the Parties shall have the right to terminate the Agreement upon thirty (30) days’ notice.

1.3. The Service supplied by Zefort enables contract lifecycle management, electronic agreement signing and verification, sending agreements to your contracting parties for signature, archiving agreements and utilizing electronic forms.

2. DEFINITIONS

Affiliates: Party’s officers, directors, employees, agents, service providers, licensors, sub-contractors and entities which are controlled by, controlling or under common control with such entity.

Agreement: The agreement between Zefort and the Customer under which the Customer engages Zefort to supply the Services.

Content: Any Customer documents, content and data stored and processed by Zefort for the Services.

Customer: Zefort’s customer under the Agreement.

eIDAS: Electronic Identification, Authentication, and Trust Services Regulation, Regulation (EU) No 910/2014

Data protection legislation: The data protection legislation framework applicable to the Controller, including but not limited to the General Data Protection Regulation (EU) 2016/679 (the GDPR) applicable from 25 May 2018. The data protection legislation includes applicable national law of the country where the Controller is registered that regulates the processing of Personal Data.

Zefort Sign: Refers to agreement signing with the aid of the mobile identification mechanisms or other electronic identification methods approved by eIDAS, or a separate signature mechanism determined by Zefort and provided by a third party.

a) Electronic signature (or Simple Electronic signature) means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.

b) Advanced electronic signature means an electronic signature which meets the requirements set out in Article 26 in eIDAS. Advanced electronic signature is uniquely linked to the signatory; is capable of identifying the signatory; is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.

External Solution: Refers to any third-party software or service not developed or maintained by Zefort, which can be integrated with the Zefort CLM platform. Examples of External Solutions are external e-signature solutions (such as DocuSign) and destination storage solutions of Zefort’s Cloud Data Mirror (such as Azure and AWS).

GPT: Refers to Generative Pre-trained Transformer, an AI language model capable of generating human-like text based on extensive training data. Examples of such services include ChatGPT, an artificial intelligence language model developed by OpenAI and offered by Microsoft as part of their Azure OpenAI Service. GPT provides conversational capabilities within the services for customers who have subscribed to this option.

Party/Parties: Zefort and/or the Customer.

Production Environment: An instance of the system which is used by Customer for live support of its business.

Service: The Services supplied by Zefort to the Customer under the Agreement, facilitating the management of contracts, electronically signing agreements and storing them in the electronic Zefort archive, as well as utilizing electronic forms.

Test Environment: An instance of the system which is used for testing and evaluating the system or components of the system separately from the Production Environment.

Working Day: Monday to Friday excluding public holidays in the applicable territory where the Service is provided by Zefort.

Zefort: Trade name of Zefort Oy.

Controller, Data Subject, Personal Data, Processor, Processing, Personal Data Breach, Supervisory Authority and Third Party have the meanings described in the GDPR.

3. CUSTOMER'S RESPONSIBILITY

3.1. The Customer is responsible for all handling of electronic identification, user names and passwords and undertakes in particular to not disclose the electronic identification, user names and/or passwords to any unauthorized person or otherwise allow any unauthorized person to access the Services under the Customer’s electronic identification, user names and/or passwords. If the Customer has reason to believe that an unauthorized person has gained access to the Customer’s user names and/or passwords the Customer must immediately inform Zefort. The Customer is responsible for ensuring that all the Customer’s personnel comply with the provisions of this section.

3.2 The Customer is responsible for all use of the Services under the usernames and/or passwords provided to Customer by Zefort.

3.3 The Customer is responsible for properly configuring the Services. Zefort log-in credentials are for Customer’s internal use only and the Customer may not sell, transfer or sublicense them to any other entity or person, except in situation where the customer may disclose their log-in credentials to their affiliates or third-party consultants performing work on the Customer’s behalf.

3.4 The Customer shall take care of acquiring and maintaining hardware, software and telecommunication links required by the Services as well as of other technical equipment relating to the use of the service and costs related to them. Zefort recommends using the newest browser versions to maintain user’s data security and general functionality of the Services.

3.5 The Customer is responsible for the quality of all content provided to Zefort.

3.6 Regardless of delivery method (which may include but is not limited to delivery via e-mail or by the Customer uploading content directly to Zefort’s servers) the transfer of content from the Customer to Zefort is at the Customer’s risk.

3.7 The Customer is responsible for ensuring that exporting the Services to a country of operation does not violate any prohibitions or permits and service features are applied according to a country and agreement domain specific requirements.

3.8. The Customer bears the responsibility of verifying the legality of the electronic signature within the jurisdiction where it is utilized. Zefort is not liable if a legal act is deemed invalid due to the usage of Zefort Sign. Certain legal transactions, such as the sale of real estate, require the signature to be made in a standard form, in which case the electronic signature may not be valid.

3.9 The Customer guarantees that it owns or otherwise controls all necessary rights to the Content for the purpose of Zefort providing the Services. The Customer shall indemnify and hold harmless Zefort from any claims regarding infringements of a third party’s rights attributable to the Content. The Customer agrees to not provide Zefort with any Content (including but not limited to by uploading Content to Zefort’s servers) which (i) contains viruses, corrupted data, malicious software or other programs that may harm computers or other property or (ii) is defamatory, constitutes agitation against an ethnic group, infringes the rights of any third party or is otherwise unlawful. Zefort has the right to immediately remove from Zefort’s servers any Content that Zefort in its sole discretion deems is in breach of this section or the Terms otherwise. Zefort shall without undue delay notify the Customer thereof.

3.10 The Customer may not use Zefort Product, Service or Technology in any manner or for any purpose other than as expressly permitted by this Agreement. The Customer may not attempt to, (a) modify, alter, tamper with, repair, or otherwise create derivative works of any software included in the Services (except to the extent software included in the Services are provided to the Customer under a separate license that expressly permits the creation of derivative works), (b) reverse engineer, disassemble, or decompile the Services or apply any other process or procedure to derive the source code of any software included in the Services, (c) access or use the Services in a way intended to avoid incurring fees or exceeding usage limits or quotas, or (d) resell or sublicense the Services (except agreed under a separate license that expressly permits the resell or sublicense of Zefort services). All licenses granted to the Customer in this Agreement are conditional on Customer’s continued compliance with this Agreement, and will immediately and automatically terminate if Customer does not comply with any term or condition of this Agreement. During and after the term, the Customer will not assert, nor will authorize, assist, or encourage any third party to assert, against Zefort or any of Zefort’s affiliates, customers, vendors, business partners, or licensors, any patent infringement or other intellectual property infringement claim regarding any Services the Customer have used.

4. ZEFORT'S RESPONSIBILITY

4.1 If the Parties have entered into a Service Level Agreement (SLA), Zefort’s responsibility for Services is regulated in such SLA. These Terms shall equally apply to such SLA, unless otherwise stated therein.

4.2 If the Parties have not entered into a SLA, Zefort assumes no liability for the accessibility or other functionality of the Services.

4.3 Zefort will, as part of the Services
(i) operate the Service with ISO 27001 certification, ensuring robust information security management.
(ii) provide the Client with Zefort’s standard customer support services during Working Days;
(iii) follow its back-up processes by taking back-ups of Content and
(iv) notify the Client if it becomes aware of any information security incidents affecting the security of the Service or the Content.

4.4. The Service is typically available 24 hours a day. Nonetheless, Zefort reserves the right to temporarily suspend the Service or parts of it for maintenance, installation, modification, excessive system load, or similar reasons, without assuming liability for any damages incurred.

4.5. Zefort consistently endeavors making its Services accessible to all users.

5. PROPRIETARY RIGHTS

5.1 All copyright, patent or other intellectual property rights attributable to the Services are owned by or licensed to Zefort. The Services, and any software included therein, may only be used by the Customer and its affiliates during the Term and as described in the Agreement and may only be copied or otherwise reproduced by the Customer to the extent it is permitted by Zefort in writing.

5.2 Without limiting the generality of the foregoing, in the event that Zefort as part of the Services delivers any services, material or applications tailored for the Customer (“Customer Applications”), Zefort shall be the sole owner of all such Customer Applications and the Customer may only use the Customer Applications during the term of the Agreement. The Customer may not use any Customer Applications upon expiry of the Agreement without Zefort’s prior written consent.

5.3 For clarity, neither Party shall acquire any right under the Agreement to the other Party’s trademarks, product trademarks, distinctive marks and other symbols which are used in connection with the Services and any use of such marks or symbols of the other Party requires such Party’s prior written consent. All Content is, and shall remain, the property of the Customer.

6. DATA PROCESSING AND PERSONAL DATA

6.1. In the processing of personal data, Zefort complies with Data Protection Legislation and processes personal data in accordance with its current Data Privacy Statement. Matters related to data processing and personal data are further described in the Personal Data Processing Annex which is an integral and inseparable part of these Terms. An up-to-date version of the Personal Data Processing Annex is available at is available here.

7. GPT FUNCTIONALITY AND LIMITATIONS

7.1 Zefort provides the Customer with an option to access to GPT (such as ChatGPT) as part of the Services, subject to the Customer's subscription including the GPT integration. GPT is an artificial intelligence language model that offers conversational capabilities.

7.2 The Customer acknowledges that GPT is a machine learning model and its responses are generated based on patterns and examples in the training data. While GPT strives to provide accurate and helpful responses, it may not always be correct or suitable for every situation. The Customer agrees to use the information provided by GPT at their own risk and to independently verify any important information or decisions based on GPT's responses.

7.3 Zefort reserves the right to improve and update the integration of GPT over time, but does not guarantee any specific level of performance, features, or availability of GPT. Zefort may also modify or discontinue the integration of GPT into the Services at its discretion. Zefort shall notify the Customer of any material modifications or discontinuation at least 30 days in advance.

7.4 The Customer understands that responses provided by GPT may not be suitable for use in certain sensitive or critical applications where accuracy and reliability are of utmost importance. The Customer agrees to use GPT responses in such applications at their own risk.

7.5 When utilizing the GPT functionality within Zefort, Zefort will send the Customer's chat question along with relevant sections or the entirety of the corresponding contract language to GPT. All details regarding how data provided by the Customer to ChatGPT through Zefort’s GPT integration are processed, used, and stored are described in GPT’s privacy statement. The Customer agrees to review and comply with GPT’s privacy statement prior to using the Services.

7.6 If the Customer has a valid subscription for the GPT integration, they are granted the right to use the service for reasonable use, defined as utilizing it within customary and ordinary parameters without engaging in excessive or abusive behavior. Zefort reserves the right to determine reasonable use and may suspend access if usage exceeds these levels.

8. INTEGRATING ZEFORT WITH EXTERNAL SOLUTIONS

8.1 Zefort provides customers with the option to integrate the Zefort services with external solutions ("External Solutions") to enhance their contract management processes. Such integrations may involve sharing data or establishing connections between Zefort and External Solutions.

8.2 The Customer acknowledges and agrees that when integrating Zefort with External Solutions, they bear full responsibility for the information security and data protection of the external system. The Customer must exercise due diligence in configuring the integration correctly and maintaining the External Solution in a manner that ensures the security and integrity of their data.

8.3 Zefort shall not be liable for any breaches, data leaks, or security incidents that may arise from the Customer's use of External Solutions or any misconfiguration or improper maintenance of such solutions.

8.4 It is the Customer's obligation to review and comply with the privacy policies, terms of service, and security practices of the External Solution providers. Zefort shall not be responsible for the security practices, data handling, or compliance measures of these External Solutions.

8.5 Zefort may offer support and guidance in the integration process, but such assistance does not absolve the Customer of their responsibility for the security of the External Solution.

8.6 Zefort reserves the right to discontinue or limit the integration with any External Solution at its sole discretion if it deems the integration poses potential security risks or adversely impacts the performance or integrity of the Zefort services.

9. CHANGES

9.1 Zefort may change, discontinue, or deprecate any of the Service offerings (including the Service offerings as a whole) or change or remove features or functionality of the Service offerings from time to time. Zefort will notify the Customer of any material change to or discontinuation of the Service offerings. However, if Zefort changes, discontinues or deprecates its Service offerings [any APIs (Application Programming Interface)] for the Services from time to time, Zefort will use commercially reasonable efforts to continue supporting the previous version of any API changed, discontinued, or deprecated for 12 months after the change, discontinuation, or deprecation (except if doing so (a) would pose a security or intellectual property issue, (b) is economically or technically burdensome, or (c) is needed to comply with the law or requests of governmental entities).

10. FEES AND PAYMENT TERMS

10.1 The fees shall be set out in the Agreement and Appendices.

10.2 All fees shall be invoiced in the currency set out in the Agreement.

10.3 If an invoice is more than thirty (30) days overdue and the Customer has not paid such invoice within ten (10) days from a reminder, Zefort is entitled to immediately suspend provision of the Services.

10.4 Value added tax will be added to all fees to the extent required by law. In the event that value added tax is not initially charged, Zefort shall be entitled to charge value added tax at a later stage should relevant tax authorities decide that value added tax should be charged.

10.5 Zefort reserves the right to amend the fees in the Agreement and Appendices.

11. NO WAIVERS

11.1 The failure by either Party to enforce any provision of this Agreement will not constitute a present or future waiver of such provision nor limit such Party's right to enforce such provision at a later time. All waivers by a Party must be in writing to be effective.

12. TERMINATION

12.1 Each Party shall be entitled to terminate the Agreement by written notice with immediate effect if:

(i) the other Party is in material breach of the Agreement and does not remedy such breach (where possible to remedy) within thirty (30) days from written notice thereof,

(ii) the other Party is declared bankrupt, enters into liquidation, commences proceedings for a corporate reconstruction and/or when it otherwise becomes apparent that a Party is insolvent in some other way,

(iii) if Zefort’s relationship with a third party partner who provides software or other technology Zefort uses to provide the Services expires, terminates or requires Zefort to change the way they provide the software or other technology as part of the Services,

(iv) if Zefort believes providing the Services could create a substantial economic or technical burden or material security risk for Zefort,

(v) in order to comply with the law or requests of governmental entities.

13. EFFECT OF TERMINATION

13.1 Upon termination of the Agreement, all rights under this agreement to use Zefort services will immediately terminate.

13.2 Upon termination of the Agreement, Zefort will delete all content provided by the Customer, unless the Customer notifies Zefort otherwise within thirty (30) days from the termination of the Agreement. The Customer shall compensate Zefort for any additional costs resulting from the Customer's instructions regarding handling of the content.

13.3 Upon termination of the Agreement, the customer is responsible for all fees and payments incurred through the date of termination, including fees and payments for agreed in-process tasks completed after the date of termination.

14. DISCLAIMER OF WARRANTY

14.1. Using big data, artificial intelligence, machine learning, modelling techniques as well as professional expertise, the insights, points of view, learning modules and other data should be correct in the assessment, but are directional in nature and may not suit for all particular needs, therefore cannot be relied on. Zefort is not liable for the outcomes or results out of use of them and they cannot be construed as specific advice.

14.2 Zefort does not give warranties and is not responsible for damage, loss of data or other harm that results from use of the Services.

14.3 Zefort is not responsible for any disturbances the Services may cause to any other software when the Services are used together with such software or otherwise.

14.4 Zefort is not liable for any delay or disruption in transmission of content or malfunctions caused by (i) the quality of the content provided to Zefort, (ii) the Customer’s mistake when uploading content (whether in breach of Zefort’s instructions or not), including but not limited to the Customer providing incorrect format information when uploading content or (iii) otherwise by the Customer’s incorrect use of the Services.

15. LIMITATION OF LIABILITY

15.1 Neither Party shall be liable for any loss of profits, loss of production, reduced turnover in business and similar costs or losses or any other indirect damages. Neither Party shall be liable for damage caused by the acts or omissions of the other Party. Both Parties’ maximum liability for any event is limited to direct damages up to an amount corresponding to one month´s fee for the Services.

15.2 Each Party shall present any claims against the other Party at the latest three (3) months from the date when the Party discovered, or should have discovered, the reason for the claim.

16. FORCE MAJEURE

16.1 If a Party is prevented from fulfilling its commitments in accordance with the Agreement, by circumstances beyond its control that it could not reasonably be expected to have foreseen, and the result of which the Party could not reasonably be expected to have avoided or overcome such as including but not limited to strike, labour conflict, war, warlike hostilities, insurrection or riot, mobilization or general military call-up, civil war, requisition, seizure, fire, lightning, earthquake, flood or water damage, altered decisions by authorities, intervention by authorities, legislation or official restrictions, currency restrictions, export or import restrictions, general shortage of goods, lack of bandwidth and faults or delays in services from a subcontractor, such Party shall be relieved from liability for a failure to perform any obligation under the Agreement.

16.2 Any Party that invokes relief in accordance with the above shall inform the other Party thereof without delay. If the performance of any obligation is prevented for a period longer than three (3) months as a result of any such circumstance stated above, each Party is entitled to terminate the Agreement free from liability to compensate the other Party.

17. SUBCONTRACTORS

17.1 Zefort shall be entitled to engage subcontractors to fulfill its undertakings under the Agreement. Zefort shall
be responsible for all work performed by the subcontractor as though the work had been performed by Zefort.

18. ASSIGNMENT

18.1 Each Party may assign its rights or obligations under the Agreement to an affiliated company or to an entity to which such Party has transferred its business operations.

19. CONFIDENTIALITY

19.1 Each Party undertakes not to disclose to any third-party details of the Agreement or information regarding the other Party’s activities which may be deemed as business or professional secrets, without the other Party’s express written consent. Information which the Party states to be confidential will always be deemed to be business or professional secrets. The duty of confidentiality does not include such information which a Party can prove has come to its knowledge other than through the Services, or which is generally known, nor does the duty of confidentiality apply where a Party is obligated under law to supply the information.

19.2 Each Party undertakes to supervise that employees or other engaged persons do not convey confidential information to any third party.

19.3 The duty of confidentiality shall apply during the Term of this agreement and three (3) years thereafter. Customer’s Content shall be confidential information of the Customer and confidentiality obligations by Zefort in relation to Content shall remain perpetually.

20. MARKETING

20.1 All PR, public announcements and marketing with respect to the Agreement shall be jointly approved by the Parties. Zefort shall however be entitled to publish the Customer's name and logotype on its website and to refer to the Customer as Zefort’s customer in marketing and promotion material.

21. INDEMNIFICATION

21.1 The Customer will defend and indemnify Zefort, Zefort’s affiliates, and each of their respective employees, officers, directors, and representatives from and against any direct out of pocket damages, costs, and expenses (including reasonable legal fees) relating to any claim by an independent third party alleging that (i) the Customer’s use of the Services (including any activities under Customer’s Zefort account and use by Customer’s employees and personnel) in violation of this Agreement or in violation of applicable law by the Customer or (ii) Customer’s Content, including any claim involving alleged infringement or misappropriation of third-party rights by Customer’s Content or by the use, Customer’s Content; breaches such third party’s rights.

21.2   Zefort will defend and indemnify the Customer, Customer’s affiliates, and each of their respective employees, officers, directors, and representatives from and against any direct out of pocket damages, costs, and expenses (including reasonable legal fees) relating to any claim by an independent third party alleging that the Services or Customer’s use thereof (including any activities under Customer’s Zefort account and use by Customer’s employees and personnel) breach (i) any third party intellectual property or other rights; or (ii) any applicable law to the extent such breach is attributable to Zefort.

22. NOTICES

22.1 Any notice given by one Party to the other shall be deemed properly given if specifically acknowledged by the receiving Party in writing (e-mail is sufficient provided it comes from an official account) or when delivered to the receiving Party by hand, registered mail or courier during normal business hours.

22.2 Notice is considered to be delivered one day after it is sent, if by official e-mail or by next day delivery by a major commercial delivery service.

23. GOVERNING LAW AND DISPUTES

23.1 This Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by substantive Finnish law, excluding the choice-of-law principles.

23.2 Any dispute, controversy or claim arising out of or in connection with the Agreement or any non-contractual obligation arising out of or in connection with the Agreement shall be finally settled by arbitration administered by the Arbitration Institute of the Finland Chamber of Commerce. The place of arbitration shall be Helsinki, Finland. The language used in the proceeding shall be English, unless the Parties agree otherwise.

23.3 The Rules for Expedited Arbitrations shall apply where the amount in dispute does not exceed EUR 100,000. Where the amount in dispute exceeds EUR 100,000 the Arbitration Rules shall apply. The Arbitral Tribunal shall be composed of a sole arbitrator where the amount in dispute exceeds EUR 100,000 but not EUR 1,000,000. Where the amount in dispute exceeds EUR 1,000,000, the Arbitral Tribunal shall be composed of three arbitrators.

 

***

Personal Data Processing Annex

Last Updated Date 30th  April 2025

1. GENERAL

1.1. This Personal Data Processing Annex (“DPA”) is an integral and inseparable part of the general terms and conditions (the “Terms”) of Zefort Oy (“Zefort”). An up-to-date version of the Terms is available at https://zefort.com/zefort-general-terms-and-conditions/.

1.2. This DPA, together with the Agreement concluded between Zefort and the Customer (“Parties”), sets out the principles and conditions of data protection and security of Personal Data.

1.3. This DPA applies when Zefort has entered into an Agreement with the Customer regarding the Services offered by Zefort and thereby Processes the Customer’s Personal Data in accordance with the General Data Protection Regulation (EU) 2016/679 (the GDPR) on behalf of and for the account of the Customer.

1.4. This DPA shall not apply in case the Parties have signed a separate data processing agreement.

1.5. In the event of a conflict between the provisions of this DPA and the provisions of the Agreement and its other annexes thereto, the Processing of Personal Data shall be governed primarily by the provisions of this DPA.

2. DEFINITIONS

Personal data: Any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, from a piece of information.

Processing: Any operation or set of operations which is performed on the Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: A natural or legal person or other entity which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.

Processor: A natural or legal person or other entity that Processes Personal Data on behalf of the Controller.

Subcontractor: A third party that Zefort uses in the performance of its contractual duties under the Agreement.

Personal Data Breach: An event that results in the destruction, loss, alteration, unauthorized disclosure or access to Personal Data by an unauthorized party.

Data Protection Legislation: The data protection legislation framework applicable to Zefort, including but not limited to the GDPR. The data protection legislation includes applicable national law of Finland that regulates the Processing of Personal Data.

3. ROLES

3.1. The Parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA, the Customer is the Controller and Zefort is the Processor.

3.2. This DPA does not apply to the Processing of Personal Data that belongs to Zefort’s Customer, Prospect, Marketing or Partner Register. Zefort is the Controller of the abovementioned registers.

3.3. It is not the intention of the Parties to this DPA to transfer any of the Controller’s legal obligations to the Processor.

4. NATURE AND PURPOSE OF PROCESSING

4.1. The Processor undertakes to Process Personal Data in accordance with this DPA, solely for purposes of providing the Services under the Agreement. In addition, the Processor may use the Personal Data and other content that the Customer has stored (Customer Data) in the Service internally under the agreed confidentiality obligations for development purposes to improve and optimize its Services to the Customer. Personal Data and other Customer Data may not in any way be processed for any other purposes.

4.2. The Controller may submit Personal Data to the Processor which may include, but is not limited to, the following categories of Data Subjects:

(a) Controller itself;

(b) Controller’s suppliers, end-customers or any external stakeholders;

(c) Controller’s employees, other staff and corporate representatives.

4.3. The Controller may submit Personal Data to the Processor which may include, but is not limited to, the following categories of Personal Data:

  • Personal identification (gender, name, surname, birthplace, citizenship, nationality, preferred language, date of birth, pictures, passport numbers, national identification numbers, marital status, signature)
  • Contact information (address, email, phone number)
  • Property information (address, land-register reference)
  • Device information (Internet Protocol (IP) address, MAC address, domain addresses, recipients of data packages, cookie information, system logs, website history, account information, geolocation data)
  • Employment information (job title, function, name of employer, salary, benefits)
  • Other information (client meta information, digital certificate number)

4.4. Both the Controller and the Processor shall be liable for any costs incurred by them in fulfilling their respective obligations under the GDPR or this DPA.

5. THE RIGHTS AND OBLIGATIONS OF THE CONTROLLER

5.1. The Controller must Process Personal Data in accordance with Data Protection Legislation when using the Services provided by Zefort. The Controller has an obligation to define the purposes and means of Processing of Personal Data.

5.2. The Controller is liable for the accuracy, integrity, reliability and lawfulness of the Personal Data provided to the Processor. The Controller shall be responsible for ensuring that, throughout the term of the Agreement, it has the right to transfer Personal Data to Zefort. It is the responsibility of the Controller to provide the Data Subject with all information required by the GDPR regarding the Processing of Personal Data.

5.3. The Controller must comply with all mandatory obligations and requirements for notification and authorizations to public authorities in relation to the Processing of Personal Data.

5.4. It is the responsibility of the Controller to handle all requests received from Data Subjects concerning the exercise of their rights under the GDPR.

5.5. The Controller is entitled to, upon reasonable notice, audit in a manner mutually agreed with the Processor, the Processor’s (and any Sub-processor’s) compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance with this DPA and shall assist the Controller in such audits. The Processor shall be entitled to reasonable compensation of any audits carried out by the Controller.

6. THE RIGHTS AND OBLIGATIONS OF THE PROCESSOR

6.1. The Processor shall comply with Data Protection Legislation and any other instructions regarding the Processing of Personal Data provided by the Controller. The Processor is obliged to inform the Controller immediately if it considers the instructions to be unlawful unless such information would be prohibited by law for important reasons of public interest.

6.2. The Processor maintains a service description or other record of all categories of Processing activities carried out on behalf of the Controller as required by the GDPR. This record shall contain:

i. the name and contact details of the Processor and of the Controller, and, where applicable, of the Controller's or the Processor's representative, and the data protection officer;

ii. the categories of Processing carried out on behalf of the Controller;

iii. where applicable, transfers of Personal Data to a third country or an international organization, including the identification of that third country or international organization; and

iv. where possible, a general description of the technical and organizational security measures referred to in Section

6.3. The Processor shall ensure that those who have access to the Personal Data are aware that they are only entitled to Process Personal Data in accordance with this DPA, any other instructions given by the Controller, and the GDPR and other applicable data protection legislation. The Processor shall ensure that any personnel, consultants or other persons entrusted with Processing Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This section shall continue in force after the expiry or termination of the Agreement.

6.4. The Processor guarantees that it has implemented appropriate technical and organizational measures providing a level of security that is appropriate, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedom of the Data Subjects. The Processor shall ensure at least the following measures: encryption of Personal Data; the possibility to ensure at all times the confidentiality, integrity, availability and sustainability of the systems and services used for the Processing of Personal Data; the availability of Personal Data and the restoration of access to Personal Data without delay following a physical or technical breakdown.

6.5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.

6.6. The Processor undertakes to inform the Controller without undue delay of any request received from Data Subjects concerning the exercise of their rights under the GDPR.

6.7. The Processor undertakes to assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down. The Processor shall be entitled to reasonable compensation for its assistance according to this Section 6.7.

6.8. The Processor is obliged to assist the Controller in activities where the Controller needs the Processor's cooperation in order to fulfill its obligations under the GDPR. Such activities may include, for example, participating in impact assessments and providing data protection-related habits and reports. If the Controller requests information or assistance on data security measures, documentation or other information related to the Processor's Processing of Personal Data in a way that the requests differ in substance from the GDPR or other applicable data protection legislation and this results in additional work for the Processor, the Processor shall be entitled to charge the Controller for such additional services.

6.9. The Processor lacks control over the Personal Data stored by the Controller within the Service, yet the data security policies are crafted to enable the Controller to store Personal Data securely in the Service.

6.10.  Should any Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings or similar, the Processor shall inform the Controller immediately by email or other appropriate means of communication. The Processor shall use its best efforts to protect the Controller’s Personal Data and notify the Third Party with access to the Personal Data that the affected Personal Data is confidential information.

7. USE OF SUB-PROCESSORS AND TRANSFER OF PERSONAL DATA

7.1. The Processor may engage Sub-processors for the Processing of Personal Data. The Processor shall maintain an up-to-date list of Sub-processors here: https://zefort.com/security/. The Processor shall ensure that its Sub-processors comply with confidentiality, security, and data protection requirements of this DPA and the Agreement, as well as the GDPR. The Processor establishes a data processing agreement with its Sub-processors, ensuring that the obligations imposed on the Sub-processor are no less stringent than those imposed on the Processor in this DPA. The Processor bears full responsibility for ensuring that Sub-processors comply with the Processing of Personal Data.

7.2. The Processor has the right to change Sub-processors during the term of the Agreement. The Processor shall inform the Controller in advance of such changes. The Controller may object to the use of any new Sub-processor. If the Parties cannot agree on the use of a Sub-processor, the Controller may terminate the corresponding Agreement.

7.3. If the Processor receives objections from the Controller regarding changes of Sub-processors according to Section 7.2. or otherwise receives instructions or demands from the Controller, not covered by this DPA, the Processor shall be entitled to reasonable compensation in order to comply with such objections or instructions.

7.4. The Processor may not Process or transfer Personal Data to a third country outside of the EU/EEA.

8. DURATION OF PROCESSING AND ERASURE OF DATA

8.1. The Processor shall Process Personal Data only for as long as the Agreement is in force.

8.2. After the termination of the Agreement, Zefort shall delete all Personal Data and other Customer Data, or if requested in writing within thirty (30) days from termination by the Customer, return them to the Customer, and delete existing copies of it, unless the applicable legislation requires Zefort to store the Personal Data.

9. HANDLING PERSONAL DATA BREACHES

9.1. If the Processor suspects or becomes aware of any Personal Data Breach or any other circumstance, within its own control, in which the Controller or Processor is required to act under the Data Protection Legislation, the Processor shall notify the Controller by email or by other appropriate means of communication without undue delay and, where possible, within 72 hours of becoming aware of the breach. The notification shall include the following information:

  • a description of the Personal Data Breach, including which categories of Data Subjects were affected by the breach and the estimated number or such categories;
  • the name and contact details of the Processor’s contact person in charge of investigating the breach;
  • a description of the actual and/or likely consequences of the breach; and
  • a description of the measures taken by the Processor to respond to the breach and to mitigate its adverse effects.

9.2. If it is not possible to provide all of the information mentioned in Section 9.1. at once, the information may be provided in parts.

9.3. The Processor shall, where appropriate, investigate the Personal Data Breach and take appropriate measures to rectify the breach, identify its root causes and prevent a recurrence.

9.4. The Processor undertakes to assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in the Data protection legislation. The Processor shall be entitled to reasonable compensation for its assistance according to this Section 9.4.

10. LIABILITY AND OTHER CONDITIONS

10.1. If a Data Subject has suffered material or non-material damage as a result of an infringement of GDPR or this DPA, the Processor shall be liable for the damage caused by the Processing of Personal Data in accordance with Article 82 of the GDPR, only where it has not complied with obligations of GDPR specifically directed to processors or with this DPA. The Controller and the Processor shall each be liable for any sanctions imposed on them by the competent supervisory authority.

10.2. The Parties agree that where the Data Protection Legislation changes as a result of legislative, regulatory or judicial developments, thereby altering the Parties’ legal rights and/or obligations, or impacting either party’s ability to perform its rights and/or obligations under this DPA, the Parties will negotiate in good faith to comply with the new developments to continue the commercial relationship between the Parties.

10.3. This DPA shall be governed by substantive Finnish law, excluding the choice of law principles. Any disputes, controversies or claims shall be resolved in accordance with the provisions set out in the Terms.

11. PERIOD OF VALIDITY AND TERMINATION OF THIS DPA

11.1. This DPA shall remain in force as long as the Agreement is in force and for as long after the termination of the Agreement or expiry of the Agreement as is necessary to complete the activities related to the Processing of Personal Data (such as the return of Personal Data to the Controller) or longer if applicable law so provides.

11.2. Obligations which, by their nature, are intended to remain in force after the termination or expiry of this DPA shall remain in effect after the DPA has expired.

  • Popular features
    • Overview
    • Zefort Sign
    • Document Automation
    • Zefort Forms
    • ChatGPT extension
    • Sympa HR integration
    • Zapier integration
    • DocuSign integration
    • Telia Sign integration
    • All integrations
  • Product
    • Pricing
    • Customer stories
    • For Sales teams
    • For HR teams
    • For legal teams
    • For company administration
  • Resources
    • Blog
    • Events & Webinars
    • Zefort Sign vs. other e-sign solutions
    • Zefort vs. file management solutions
    • Zefort vs. House of Control
    • Zefort Spotlight series
    • CLM software migration guide
    • Ultimate guide to contract management
    • Mastering Digital Contract Management: A Comprehensive Guide
    • Electronic signatures – what you need to know
  • About
    • About Zefort
    • Careers
    • Contact us
    • Security
    • en
    • fi
    • se
  • Customers
    • Sign in
    • Knowledge base
    • What’s new?
    • Onboarding
    • System status
    • Developers
    • Partnerships

Start a 14-day trial

Supercharge your contract management with Zefort.

Get started
zefort-black

Zefort Ltd.

Business ID: FI28557572
Tel: +358400199528

Headquarters: Kairiskulmantie 12, 10th floor
FI-20760 Kaarina, Finland

Helsinki Office: Elielinaukio 2,
FI-00100 Helsinki, Finland

BMC_ISO-27001-white_svg

Cookie Settings | Privacy policy | Zefort General terms and Conditions | Recruitment Privacy Notice

©2025 Zefort. All Rights Reserved.

X
We use cookies
We use Cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit Cookie Settings to provide a controlled consent or you can reject usage of all cookies except necessary. You can also read our Privacy policy and learn more how we use cookies.
Accept only necessaryAccept AllReject All
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-advertisement1 yearSet by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
CookieDurationDescription
bcookie2 yearsLinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
langsessionThis cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc1 dayLinkedIn sets the lidc cookie to facilitate data center selection.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
CookieDurationDescription
_gaexp3 monthsGoogle Analytics installs this cookie to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
CookieDurationDescription
_ga2 yearsThe _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-100866936-11 minuteA variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au3 monthsProvided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid1 dayInstalled by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_lfa2 yearsThis cookie is set by the provider Leadfeeder to identify the IP address of devices visiting the website, in order to retarget multiple users routing from the same IP address.
CONSENT2 yearsYouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
CookieDurationDescription
__adroll1 year 1 monthThis cookie is set by AdRoll to identify users across visits and devices. It is used by real-time bidding for advertisers to display relevant advertisements.
__adroll_fpc1 yearAdRoll sets this cookie to target users with advertisements based on their browsing behaviour.
__adroll_shared1 year 1 monthAdroll sets this cookie to collect information on users across different websites for relevant advertising.
__ar_v41 yearThis cookie is set under the domain DoubleClick, to place ads that point to the website in Google search results and to track conversion rates for these ads.
_fbp3 monthsThis cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_opt_expidpastSet by Google Analytics, this cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that is being redirected.
anj3 monthsAppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
B1 yearThis Cookie is used by Yahoo to anonymously store data related to user's visits, such as the number of visits, average time spent on the website and what pages have been loaded. This data helps to customize website content to enhance user experience.
bscookie2 yearsThis cookie is a browser ID cookie set by Linked share Buttons and ad tags.
c1 yearThis cookie is set by Rubicon Project to control synchronization of user identification and exchange of user data between various ad services.
fr3 monthsFacebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
i1 yearThis cookie is set by OpenX to record anonymized user data, such as IP address, geographical location, websites visited, ads clicked by the user etc., for relevant advertising.
IDE1 year 24 daysGoogle DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie15 minutesThe test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
tuuid1 yearThe tuuid cookie, set by BidSwitch, stores an unique ID to determine what adverts the users have seen if they have visited any of the advertiser's websites. The information is used to decide when and how often users will see a certain banner.
tuuid_lu1 yearThis cookie, set by BidSwitch, stores a unique ID to determine what adverts the users have seen while visiting an advertiser's website. This information is then used to understand when and how often users will see a certain banner.
uuid23 monthsThe uuid2 cookie is set by AppNexus and records information that helps in differentiating between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE5 months 27 daysA cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSCsessionYSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devicesneverYouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-idneverYouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
CookieDurationDescription
_gaexp_rcpastNo description available.
_lfa_test_cookie_storedpastNo description
_te_sessionNo description
1e5a17c8absessionNo description available.
A31 yearNo description
AnalyticsSyncHistory1 monthNo description
li_gc2 yearsNo description
UserMatchHistory1 monthLinkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
Powered by GDPR Cookie Compliance WebToffee Logo