Terms of Service
Last updated: July 2025
These terms of service set out important information regarding your rights and obligations in connection with using our service. Please read these terms of service carefully before you start using the service, as they define otp.dev's relationship with you as you interact with our services.
Introduction
These terms of service (“Terms of Service”) govern the access and use of the cloud-based communications solution (“Service”) provided by NEXTID SOFTWARE SOLUTIONS – FZCO, a company established under the laws of Estonia, with registry code 12829749 and address Pärnu mnt 139e/2, Tallinn 11317, Estonia (“otp.dev”), which is accessible through website otp.dev (“Website”).
The term “Client” or “you” refers to a person who has (i) completed the registration process on the Website and, as a part of the process, has accepted these Terms of Service on the Website, or (ii) in any other binding manner has accepted these Terms of Service. If you are registering the Client’s Account (as defined in Section 2.2) on behalf of a legal entity, you are agreeing to these Terms of Service for that legal entity and representing and warranting to otp.dev that you have the authority to bind that legal entity to these Terms of Service. If you do not have such authority, you must not accept these Terms of Service and must not use the Service.
By accepting these Terms of Service or starting to use the Service, you confirm that you have read and understood these Terms of Service and you agree to be bound by these Terms of Service, the Data Processing Agreement (which is added as an annex to these Terms of Service), and any policies referenced herein, which all form a part of the Terms of Service. Acceptance of these Terms of Service shall form a legally binding agreement (“Agreement”) between the Client and otp.dev for using the Service.
otp.dev and the Client are hereinafter also referred to as the “Parties” and separately as a “Party”.
Should you have any questions or comments about the Website or the Terms of Service, please contact otp.dev at help@otp.dev.
USE OF THE SERVICE
otp.dev grants the Client and its designated end-users (e.g. the Client’s employees) (“End User”) access through the Website to the Service, including any corresponding SDKs, APIs, documentation, or software made available in connection with the Service, as may be further described on the Website or agreed in a format reproducible in writing.
In order to be able to use the Service, the Client will need to pass account verification conducted by otp.dev, unless the client’s account is created by otp.dev. If the Client passes the account verification, otp.dev will inform the Client via e-mail and make the Service available to the Client. Depending on the Service’s features and/or the Client’s onboarding process, the Client or otp.dev shall create a Client profile to be able to use the Service (“Client’s Account”) containing the Client’s identification information and other required information, through which the Client can manage, create and close sub-accounts for its End Users. The Client may determine for each sub-account to have different rights per sub-account within the Service.
The Client and its End Users can use the Service by logging in to the Client’s Account or respective sub-accounts. The Client is fully responsible for managing and administering the usage of the sub-accounts related to the Client’s Account and fully responsible for the actions of its End Users and any other person who accesses the Service using the Client’s Account or sub-accounts.
The Client and the End Users are liable for maintaining the confidentiality of their username, password, and any other credentials necessary for accessing the Service. The Client shall immediately notify otp.dev if it suspects that the security of the Client’s Account or any sub-accounts has been compromised. otp.dev is not liable in case the Client’s or the End User’s data falls victim to any breach due to the activity or inactivity on behalf of the Client.
With respect to the information (including all text, images, documents, personal data, and other content) that the Client or the End User acquires, possesses, enters, records, stores, modifies, discloses, makes available, transmits, uses, deletes or otherwise processes via the Service, the Client represents and warrants to otp.dev that the Client or, respectively, the relevant End User, has the right to acquire, possess and process the same. The Client shall be solely liable for the properties of the said information and the acquisition, possession, and processing of such information under, through, in relation to, or by means of the Client’s Account.
During the validity of these Terms of Service between the Client and otp.dev, the Client may request otp.dev to perform or develop additional services and features, which are not specified in these Terms of Service. Such services or features, compensation, and other specifics shall be mutually agreed upon by the Parties in a separate agreement in a form reproducible in writing or as an annex to these Terms of Service.
TRIAL ACCOUNT
If the Client registers for a free trial, it will need to pass account verification conducted by otp.dev. If the Client passes the account verification, otp.dev will inform the Client via e-mail and make the Service available to the Client on a trial basis free of charge for the purposes of the Client’s internal evaluation of the suitability of the Service (“Trial”). By gaining access to the Service, the Client agrees to be bound by these Terms of Service. Additional Trial terms of service may be provided during the Trial registration process. Any such additional terms are incorporated into these Terms of Service by reference and are legally binding.
The Trial term will be until the end of the free trial period for which the Client registered to use the Service. Each Party may terminate the Trial at any time without notice to the other Party. In case otp.dev terminates the Client’s use of the Trial and features made available in connection therewith, otp.dev will not bear any liability or further obligation of any kind whatsoever to the Client or any other party.
INTENDED AND PROHIBITED USE OF THE SERVICE
The Service is intended for omnichannel text messaging, making use of the Service’s features as described on the Website. Using the Service for any other purpose is not allowed.
The Client shall use the Service in compliance with applicable laws, including any applicable data protection legislation, and the terms of these Terms of Service. The Client is solely responsible for all content and data posted and activity that occurs under the Client’s Account, including the End Users’ sub-accounts (collectively the “Account Content”). The Client confirms that it:
- does not register the Client’s Account by “bots” or other automated methods;
- is at least 18 years of age;
- is not suspended from using the Service, or otherwise not prohibited from having a Client’s Account;
- has only one Client’s Account at any given time;
- is entitled to submit Account Content, which is not confidential and not in violation of any legislation, contractual restriction, or other third-party rights (including, but not limited to, any intellectual property rights).
The Client and its End Users shall not:
- use the Service or its content for any unlawful, obscene, or immoral purpose, including for stalking or harassing someone;
- submit false or misleading information;
- collect or track personal information of others without legal basis;
- use harvested phone numbers/contact lists;
- use third-party, purchased, or rented phone number/contact lists unless the Client or End User is able to provide proof that all of the individuals on the list have affirmatively opted-in to receiving messages of the type the Client or End User will be sending to them;
- collect phone numbers/contacts from the web by scanning or other similar such means;
- upload, post, host, or transmit unsolicited or unauthorized (including without the required opt-in and a clear opt-out mechanism) e-mails, SMSs (short message service), spam messages, or any other content, including Account Content (e.g. unsolicited and unauthorized advertising, promotion, junk mail, chain letters, pyramid and other similar schemes, or any other form of solicitation) which: (i) fails to comply with applicable privacy and electronic communications legislation and otp.dev's Anti-Spam Policy available here: https://otp.dev/en/anti-spam-policy; or is (ii) unlawful, immoral, hateful, harmful, threatening, false, abusive, offensive, libelous, defamatory, slanderous, pornographic, indecent, obscene, insulting, disparaging, intimidating, discriminating, fraudulent, misleading, deceptive, violent or otherwise inappropriate for a broad general audience;
- harass, abuse, insult, harm, defame, slander, disparage, intimidate, or discriminate based on gender, sexual orientation, religion, ethnicity, race, age, national origin, or disability;
- infringe upon or violate otp.dev's intellectual property rights or the intellectual property rights of others;
- reproduce, duplicate, copy, sell, resell, exploit, modify, translate, create derivative works from, disassemble or decompile, reverse engineer or otherwise attempt to derive any portion of the Website or Service (including the source code, scripts);
- create or attempt to create any product, service, or website that is substantially similar to the Service or the Website or falsely imply that it is associated with the Service, Website, or any other service provided by otp.dev;
- modify, adapt, hack or gain other unauthorised access to the Service;
- upload or transmit any worms, viruses, trojans, logic bombs, or any malicious code or material (including content that will or may be used in any way that will affect the functionality or operation of the Service, the Website, other websites, or the internet);
- use any device, software, or routine to interfere or attempt to interfere with the proper functioning, infrastructure, or security features, including imposing an unreasonable or disproportionately heavy load on the Service, the Website, other websites, or the internet;
- use technology or other means to gain access to unauthorised content (including phishing, pharming, pretexting, or the use of spiders, crawlers, or scrapers);
- process personal data, including sending messages, without a valid legal basis, or violate the policies of Viber, WhatsApp, or other such providers.
otp.dev has the right to screen the Account Content to prevent prohibited behavior according to the Agreement. Any content that conflicts with the provisions of the Agreement, including this Section, may be removed, disabled, and/or destroyed by otp.dev at its sole discretion without any warning or notice. otp.dev is not liable for any occurrences experienced by the Client due to the removal of content under this Section.
FEES AND PAYMENTS
otp.dev provides the Service for free for the Trial period. After the Trial period, the Client agrees to pay otp.dev fees for the Service requested by the Client, as described at otp.dev/pricing/, on the Website, in the API, or agreed upon in a format reproducible in writing. For the avoidance of doubt, SMS messages are charged on a “bill by submitted” and “fee per SMS” basis: except for SMS messages with the submission status “NOT ACCEPTED”, any SMS message is chargeable regardless of its submission status.
Should the Client wish to receive additional features and services as add-ons specified on the Website or agreed in a form reproducible in writing, the Client shall pay an additional fee for such add-ons as long as the add-ons are active.
All fees for the use of the Services are invoiced in the currency chosen by the Client in the registration process or the Client’s Account and are exclusive of VAT or any other taxes. VAT and other taxes shall be added to the fees in case required under applicable legislation. The Client is obliged to pay for all the VAT and other taxes to be added to the fees based on the invoices issued by otp.dev.
The Client shall indemnify and hold harmless otp.dev of all taxes (including interest and penalties) relating to all receivable amounts from the Client that were required to have been withheld or deducted by the Client under applicable laws. The amount payable shall be increased as may be necessary so that, after making all required deductions or withholdings, otp.dev receives and retains an amount equal to the amount that it would have received had no such deduction or withholding been required.
All fees are exclusive of any applicable communications service or telecommunication provider (e.g. carrier) fees or surcharges. The Client shall pay all such communications surcharges associated with the Client’s use of the Services. Communications surcharges will be shown as a separate line item on an invoice. The Client will pay all costs, fines, or penalties that are imposed on otp.dev by a government or regulatory body or a telecommunications provider as a result of the Client’s or End Users’ use of the Services.
The Client can select to pay the fees in advance by credit card (e.g. by adding funds to the Client’s Account) or receive invoices. Each invoice is issued by the third business day of each month to the e-mail set forth in the Client’s Account. Each invoice is due within seven (7) calendar days of issuing the invoice unless otherwise specified on the invoice or in a format reproducible in writing.
otp.dev reserves the right to change its prices at any time upon reasonable advance notice provided that any such changes shall be posted on the Website, in the Client’s Account, or sent to the Client via e-mail.
The Client must notify otp.dev in a form reproducible in writing within fifteen (15) calendar days from the date otp.dev billed the Client for any fees that the Client wishes to dispute. Where the Client is disputing any fees, it must act reasonably and in good faith and cooperate diligently with otp.dev to resolve the dispute. otp.dev will not charge the Client with a late penalty payment or suspend the provision of the Services for unpaid fees that are in dispute unless the Client fails to cooperate diligently with otp.dev or otp.dev determines the dispute is not reasonable or brought in good faith.
In case of delay in the performance of a monetary obligation arising from the Terms of Service, otp.dev shall have the right to demand from the Client a late penalty payment of zero point one percent (0.1%) from the unpaid amount for each calendar day of delay, starting from the moment of delay until full payment of the debt.
All payment obligations are not subject to cancellation and fees, taxes, and communication surcharges are non-refundable unless stipulated in the Terms of Service or a format reproducible in writing.
The Client’s Account balance expires if the services agreed between otp.dev and the Client have not been used by the Client for six (6) months, counted from the day of last use. For the sake of clarity, after the aforementioned period, the funds on the Client’s Account are non-refundable.
otp.dev reserves the right to suspend or terminate the Service for the Client according to Section 15. In such cases, otp.dev does not provide any refunds.
SUPPORT AND MAINTENANCE
The Client acknowledges that otp.dev is not obliged to provide any support in connection with the Service, including End User support, training, or consulting. Unless agreed separately and if the Client requests such support, it will be provided as additional services in accordance with Section 2.7. otp.dev has the right, in good faith and at its sole discretion, to provide the Client with limited free support.
The Client shall notify otp.dev of technical faults related to the Service and otp.dev shall eliminate, within a reasonable time, faults deriving from the Service.
otp.dev has the right to carry out planned and extraordinary maintenance works necessary for the provision of the Service. otp.dev shall inform the Client of planned maintenance works as far in advance as reasonably possible. otp.dev has the right to perform extraordinary maintenance work relating to ensuring the reliability and security of the Service without prior notice. During any maintenance work, the usability of the Service may be limited. If feasible, otp.dev shall notify the Client of the extent of any usage restrictions. Suspension of the Service for the reasons set out in this Section does not relieve the Client from the obligation to pay any applicable fees.
INTELLECTUAL PROPERTY
The Client acknowledges that all trademarks and intellectual property rights in and to any materials, data, or information, including all software (in source code or object code) and documentation related thereto, which have been provided by otp.dev to the Client in connection with the performance of the Service are owned and shall continue to be owned by otp.dev and/or its licensors. Notwithstanding the foregoing, subject to these Terms of Service, otp.dev grants the Client a worldwide, non-exclusive, non-transferable, non-sublicensable, and revocable license to access and use the Service and the features requested by the Client. The Service may only be used internally by the Client (and, if applicable, by its designated End Users) for its intended purposes as described in these Terms of Service, and only during the term for which these Terms of Service remain in force between the Parties.
Neither the Client nor its End Users have the right to rent, lease, lend, sell, redistribute, sub-license, copy, reverse engineer, decompile, disassemble, translate, modify, distribute copies of, make available, adapt, or create derivative works based on the Service’s software or its related intellectual property unless otherwise permitted in writing by otp.dev.
The Client is obliged to ensure that the End Users comply with the restrictions and conditions set forth in these Terms of Service. The Client acknowledges that otp.dev has the right to apply separate end-user license agreements to the End Users at any time and such terms must be accepted by the End Users. The Client is obliged to assist otp.dev to the best of its ability in collecting the relevant acceptances. In the event of failure or disagreement with the aforementioned acceptance, otp.dev has the right to prohibit or restrict the End User’s access to the Service.
In case the Client orders from otp.dev any additional works which relate to localization (e.g. translation), personalization (e.g. with the Client’s logos and branding), or customization of the Service, the Client grants otp.dev a free of charge, worldwide, non-exclusive, transferable and sub-licensable (only to otp.dev's contractors for the performance of the works) license to use any materials and input of the Client as necessary for performing the works and providing the Service for the duration the Terms of Service remain in force. The Client acknowledges that the intellectual property rights in any ordered works remain with otp.dev and otp.dev has every right to, among others, use, license, sell and distribute such works for its own benefit.
The Client grants otp.dev the right to use the Account Content for the purposes of:
- providing the Service;
- conducting research, developing new products and features;
- conducting predictive analytics and insights;
- improving and further developing the Service; and
- in anonymized or anonymized and aggregated form, transferring and/or making available the Account Content to third parties, including for commercial use ("Right of Use and Exploitation").
REFERENCES
The Client grants otp.dev free of charge a worldwide, non-exclusive, transferable, and sub-licensable (only to otp.dev's contractors for the purposes stipulated herein) license to use the Client’s logo and the Client’s (and its End Users’) testimonials on the Website and in other marketing materials (including client e-mails, advertisements, brochures, etc.) for otp.dev's marketing purposes. The license shall be valid until the expiry of the respective rights under applicable legislation. The Client ensures that it has every right to grant such license herein.
THIRD-PARTY CONTENT AND LINKS
Certain content and features available via the Service and the Website may include information sourced from third parties. Any such content, data, information, or publications made available through the Service and the Website are furnished by otp.dev on an “as is” and “as available” basis for the Client’s convenience and information and must be used for informational purposes only. otp.dev has no control over the content or information of third-party resources. otp.dev disclaims any warranty or representation, either express or implied, that such information is accurate or complete.
Third-party links on the Service and the Website may direct the Client to third-party websites that are not affiliated with otp.dev. otp.dev is not responsible for examining or evaluating the content or accuracy and otp.dev does not warrant and will not have any liability for any third-party materials or websites, or any other materials, products, or services of third parties. otp.dev is not liable for any harm or damages related to the purchase or use of goods, services, resources, content, or any other transactions made in connection with any third-party websites.
CONFIDENTIALITY
The Parties are obliged throughout the validity of the Agreement and after termination of the Agreement to maintain each other’s confidential information. “Confidential Information” shall mean all information and data, including, without limitation, all trade secrets, such as: business-related financial (including product/service information and pricing, forecasts, details of specific project), commercial (including information about the other Party’s analytics, suppliers, service providers, potential and existing customers, business partners and contractors, and related personal data) and technical information (including information on intellectual property objects, copyrights, IT-systems, source code and software and related information), related to a Party, which the Party has directly or indirectly, orally or in writing or in another form, before or after concluding the Agreement, disclosed to or received from the other Party in connection with performance of the Agreement and which is not publicly available and which the counterparty can reasonably be presumed to be interested in maintaining the confidentiality of. Among other things, otp.dev's confidential information shall include the process of provision of Service (including any manuals, support materials, etc.).
The Parties undertake the following:
- They shall use Confidential Information solely in connection with the performance of their obligations arising from the Agreement. Use of Confidential Information for any other purposes may take place only with the prior written consent of the other Party.
- They shall keep Confidential Information confidential and not disclose it to third parties or to the public in any manner without the prior written consent of the other Party.
- They shall adopt all reasonable precautionary measures to prevent release as a consequence of their actions or inactions, to a third party or public disclosure of Confidential Information.
A Party may disclose Confidential Information to state and local government institutions if the duty to disclose such information derives from applicable legislation. Among other things, otp.dev has the right to disclose and forward the Account Content and the End User’s data to investigative and supervision authorities.
If a Party is obliged by applicable legislation to disclose Confidential Information, it shall, where possible, undertake, within a reasonable time prior to disclosure of such information, to notify the other Party in writing of the relevant obligation of public disclosure and of the extent of the information subject to disclosure, and shall undertake to disclose the relevant information always in the minimum required amount, and if possible, in a generalized form, bearing the marking “Confidential”.
For the purpose of the Agreement, “third party” does not include, nor does the prohibition on disclosure of Confidential Information apply to (a) employees of a Party and other persons related to performance of the Agreement, on condition that Confidential Information is disclosed to them only in an extent necessary for them to perform the Agreement and on condition that the Party ensures that the said persons maintain Confidential Information; and (b) Parties’ auditors, legal advisors and banks bound by the duty of confidentiality.
The Parties undertake to notify each other promptly if Confidential Information is communicated or may be communicated to a person lacking the right thereto. The provisions of this clause shall not in any manner limit the liability for breach of the Agreement.
DATA PROTECTION
Both Parties shall comply with any applicable data protection legislation or regulation in the processing, collection, use and disclosure of personal data. Each Party shall have the necessary legal basis (if necessary, consents) in order to provide the other Party any personal data necessary to perform its obligations hereunder.
During the term of the Terms of Service and thereafter in perpetuity, otp.dev will not process or otherwise undertake any act with respect to any personal data in any manner, including any actual or attempted processing thereof, except for the sole purpose of performing the Service and in compliance with: (i) the express terms and conditions of the Terms of Service, the Data Processing Agreement; and (ii) applicable legislation.
The Parties anticipate that for the provision of the Service, otp.dev shall act as a data processor and the Client shall act as a data controller as further specified in the Data Processing Agreement, which is incorporated as an annex to the Terms of Service.
DISCLAIMERS
The Client acknowledges that all services, features, tools and developments made available under this Agreement, including the Service, are made available on “as is” and “as available” basis. Except as expressly set forth herein, and to the extent permitted by applicable legislation, otp.dev disclaims all warranties, express or implied, of merchantability, fitness for a particular purpose, durability, availability, timeliness, accuracy, reliability or completeness, or non-infringement.
otp.dev additionally disclaims all warranties related to telecommunications providers. The Client acknowledges that the internet and telecommunications providers’ networks are inherently insecure and that otp.dev will have no liability for any changes to, interception of, or loss of data while in transit via the internet or a telecommunications provider’s network.
otp.dev does not warrant:
- that the Service and the Website have been designed to meet the Client’s individual requirements, business or professional needs (unless otherwise agreed in a form reproducible in writing);
- that the Service and the Website, or any part thereof, will be uninterrupted, error-free, secure, free of viruses or other harmful components or accessible from all devices and browsers;
- that defects in the Service and the Website will be corrected;
- that the results regarding the use of the Service and the Website are accurate or reliable;
- that it will continue to support any particular feature or maintain backwards compatibility with any third-party software or device;
- concerning any third-party websites and resources.
LIABILITY, LIMITATIONS, AND INDEMNIFICATION
otp.dev is not liable for any indirect, non-material, incidental, special, punitive, or consequential damages, or any loss of profits, revenue, opportunities, data, or data use, or legal expenses or any other fees incurred by the Client. otp.dev is only liable for a breach of the Terms of Service, if the breach is intentional or caused due to gross negligence or any other action that cannot be excluded or limited by an applicable legislation (e.g. in case of death or personal injury). In this case, the Client has the right to request the performance of the Terms of Service (unless requiring the performance is excluded by legislation). To the extent permitted by applicable legislation, otp.dev's liability is limited to only direct material damages in the maximum amount of the fees due for the twelve (12) months’ period preceding the event giving rise to the claim.
In no case is otp.dev liable for damages caused by events that did not occur on the Service or were not caused by otp.dev or by third persons acting on its behalf, e.g. loss of data caused by hacking, DDoS attacks, damages caused during police or other authority searches, or any other similar events which may have a negative effect on the Client’s Account and/or the data. This includes situations where authorities lawfully confiscate servers or other equipment that may contain the said data.
otp.dev is not liable for any default caused by a third parties’ actions or inactions, including telecommunications providers or mobile network operators. otp.dev will use all commercially reasonable efforts to transmit messages to the applicable telecommunications provider or mobile network operator as quickly as possible, however the final delivery of all messages to designated recipients is the responsibility of such provider or operator. otp.dev does not accept liability, if final delivery does not succeed due to an action, omission or any other failure of the relevant telecommunications provider or mobile network operator.
otp.dev is not liable for any Account Content, including incomplete, inaccurate or inappropriate content, provided by the Client or its End Users. otp.dev has no control over how the Client or its End Users use the Service, including the Account Content, as it does not moderate or screen Account Content or its source, except for screening to prevent prohibited behaviour as set out in Section 4 above.
otp.dev is not liable for any activities for which the Client uses the Service or any other circumstances deriving from the Client, e.g. the Client’s instructions, inserted information and managed End Users’ sub-accounts. otp.dev is not liable for any decisions made by the Client or its End Users based on the information inserted or displayed on the Service, including any forecasts or statistics. The Client is aware that any decisions made by it and its End Users in reliance on the Service or the said persons’ interpretations of the information is attributable to them and the Client has full responsibility in this regard. otp.dev is not liable for the Client’s use of any information obtained from the Service.
otp.dev is not liable for any delay or failure caused by (a) acts of god/natural disasters (including hurricanes and earthquakes); (b) disease, epidemic, or pandemic; (c) terrorist attack, civil war, civil commotion or riots, armed conflict, sanctions or embargoes; (d) nuclear, chemical, or biological contamination; (e) collapse of buildings, fire, explosion, or accident; (f) labor or trade strikes; (g) interruption, loss, or malfunction of a utility, transportation, or telecommunications service; (h) any order by a government or public authority, including a quarantine, travel restriction, or other prohibition; or (i) any other circumstance not within otp.dev's reasonable control, whether or not foreseeable. In the event of a force majeure event, otp.dev shall be relieved from full performance of the contractual obligation until the event passes or no longer prevents performance.
The Client is liable for all damages caused to otp.dev by the Client, its employees, management board members, End Users, or contracting parties. The Client is, among others, liable for damaging the Service and the Service’s infrastructure and the property of third parties. The Client must inform otp.dev as soon as possible if damages occur and compensate the damages.
In the event of a breach of the obligations set out in this Agreement, otp.dev has the right to claim a contractual penalty from the Client in the maximum amount of double the fees paid during the twelve (12) months preceding each breach, payable within thirty (30) calendar days of receiving a respective request from otp.dev. If the damage exceeds the sum of the contractual penalty, otp.dev has the right to demand compensation for damage in the sum exceeding the contractual penalty.
In the event of the Client processing personal data, including sending messages, without a valid legal basis or violating the policy of the company Viber, WhatsApp or other such providers, the Client shall pay otp.dev a contractual penalty in the amount of EUR 5,000.
The Client shall indemnify, defend, and hold harmless otp.dev, its employees, management, and agents and its related companies, at the Client’s expense, from and against all third-party actions, claims and proceedings brought against otp.dev including liability, loss, damages, cost and expense, including reasonable legal fees, resulting from or in connection with, including, but not limited to (i) the Client’s breach of any terms and conditions under the Agreement; (ii) the Account Content the Client submits to the Service; (iii) the exercise of the Rights of Use and Exploitation; (iv) any activity in which the Client engages on or through otp.dev. This remedy of otp.dev will be in addition to and not exclusive of other remedies provided by legislation.
CHANGES TO THE AGREEMENT
otp.dev has the unilateral right to amend the Agreement by notifying the Client of the changes by e-mail at least thirty (30) calendar days before the amendments enter into force. If the Client does not agree with the amendments to the Agreement, the Client may terminate the Agreement in line with Section 15.
- if the amendment to the Agreement is only advantageous for the Client;
- if the amendment to the Agreement relates solely to new services, functionalities or service components, and does not result in any change to the existing contractual relationship with the Client;
- if the amendment is necessary to harmonise the Agreement with the applicable statutory requirements, in particular in the event of a change in the applicable legal situation or if otp.dev is obliged to comply with a binding court judgement or decision by an authority, and if the change does not have any material detrimental effects on the Client.
If otp.dev uses the abovementioned right, otp.dev will concurrently revise the effective date of the Terms of Service above.
Different terms to this Agreement that are mutually agreed upon by the Parties shall be agreed in a separate agreement in a form reproducible in writing or as an annex to these Terms of Service.
TERM, SUSPENSION AND TERMINATION
This Agreement shall enter into force on the date (i) the Client accepted this Agreement on the Website and completed the registration process; (ii) the last approval was provided by a Party to a separate agreement agreed upon according to Section 14.4; or (iii) the Agreement was accepted by the Parties in any other binding manner. The Agreement is effective until terminated by either Party.
- if it is necessary for repairs or maintenance work according to Section 6.2 or other similar actions;
- if the Client fails to pay the fees according to Section 5 after having been notified of the failure;
- if the Client’s actions or omissions relating to the use of the Service interfere with or prevent the normal operation of the Service or otherwise cause, or are likely to cause, harm, damage or other detrimental effects to the Service, otp.dev or other users of the Service;
- if there are reasons to suspect that the Client’s credentials have been wrongfully disclosed to an unauthorized third party and the Service is being used under such credentials;
- if the Client’s use of the Service is in breach of the Terms of Service and the Client has not remedied the breach without delay after having been notified thereof by otp.dev.
Suspension of the Client’s access to the Service does not relieve the Client from the obligation to pay fees. otp.dev is not liable for any occurrences experienced by the Client due to suspension of the access under this Section.
Either Party may terminate these Terms of Service at any time without cause by notifying the other Party thirty (30) calendar days in advance. Such notification to the Client must be sent to the address set forth in the Client’s Account and to otp.dev to the e-mail address help@otp.dev.
otp.dev has the right to terminate the Terms of Service effective immediately by notifying the Client, if the Client has materially breached the Terms of Service. The Client has materially breached the Terms of Service in the following cases (but not limited to): (i) the Client conducts any prohibited act described in Section 4; (ii) the Client has not paid the fees according to Section 5 despite a payment reminder and the granting of an additional term of at least seven (7) calendar days; (iii) in the opinion of otp.dev, the actions or omissions of the Client or its End Users endanger the security, integrity, operation or usability of the Service or the Website. If otp.dev terminates the Client’s Account for breach of the Terms of Service, the Client may not re-register.
Either Party has the right to terminate the Terms of Service effective immediately by notifying the other Party if bankruptcy, insolvency, administration, or other similar proceedings are initiated regarding the other Party or it informs the Party or any third party of its permanent or temporary insolvency.
Termination of the Terms of Service causes automatic termination of the Data Processing Agreement, the Client’s Account and any sub-accounts granted to the End Users and the forfeiture and relinquishment of all Account Content contained on the application. The Account Content cannot be recovered once the Client’s Account and its sub-accounts are deleted. In case the Client has caused the extraordinary termination, otp.dev shall not be liable for any damages (including lost profit) occurred due to the actions described in the previous sentence.
Upon termination of the Terms of Service, all rights and obligations, including the licences granted to the Client under the Terms of Service, will immediately terminate, and the Client shall delete all documentation related to the Service. otp.dev shall return or delete all materials related to the provision of the Service to the Client pursuant to the Data Processing Agreement, unless stipulated otherwise in a form reproducible in writing. The prior obligation does not apply to anonymised personal data, usage statistics, technical parameters and analyses based on the Account Content, the Client’s other inputs and Confidential Information.
The obligations and liabilities of the Parties incurred prior to the suspension or termination shall survive the termination of the Terms of Service for all purposes (e.g. obligation to pay all fees incurred and owed).
GENERAL
No failure or delay by either Party in exercising any right or enforcing any provision under the Agreement will constitute a waiver of that right or provision, or any other provision.
In the event that any provision of these Terms of Service is determined to be unlawful, void or unenforceable, such provision shall nonetheless be enforceable to the fullest extent permitted by applicable legislation, and the unenforceable portion shall be deemed to be severed from these Terms of Service; such determination shall not affect the validity and enforceability of any other remaining provisions.
The titles of the sections in these Terms of Service are for reference purposes only and do not affect the interpretation of the underlying terms.
In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) Data Processing Agreement, (2) the terms set forth in the body of the Terms of Service, (3) the Anti-Spam Policy, (4) any other terms incorporated by reference herein or any other exhibits or attachments hereto.
These Terms of Service, Data Processing Agreement and any policies or operating rules posted by otp.dev on the Website or in respect to the Services constitute the entire agreement and understanding between the Client and otp.dev and govern the Client’s use of the Services, superseding any prior agreements, communications and proposals, whether oral or written, between otp.dev and the Client (including, but not limited to, any prior versions of the Terms of Service).
In case of conflict, the English language version of the Terms of Service prevails.
The Client shall have no right to transfer, including via a transfer of company, or assign the rights and obligations arising from the Agreement either partly or fully to a third party without a prior written consent of otp.dev.
otp.dev shall have the right to assign the Terms of Service and all of the rights and obligations contained therein to another company owned by otp.dev or otp.dev's parent company or to a third party to which the Services-related business functions are transferred.
GOVERNING LAW AND DISPUTES
These Terms of Service shall be governed by and construed in accordance with the laws of the Republic of Estonia. Any dispute, controversy or claim arising out of or in connection with these Terms of Service, or the breach, termination or invalidity thereof shall be resolved through amicable negotiations, upon failure of which all disputes shall be settled in the Harju County Court in the Republic of Estonia.
NOTICES
All notices and other communication shall be deemed properly given if delivered in person; when receipt is electronically confirmed, if transmitted by e-mail; and upon receipt, if sent by certified or registered mail, return receipt requested. Notices to the Client must be sent to the e-mail or other address as set forth in the Client’s Account. Notices to otp.dev must be sent to the e-mail or address Pärnu mnt 139e/2, Tallinn 11317, Estonia; Attn: Legal.
A Party must immediately inform the other Party of any change in its contact person, address or e-mail address, in the manner set out herein.
Annex 1
Data Processing Agreement
Introduction
This data processing agreement (“DPA”) is an annex to and an integral part of the Terms of Service, and governs the personal data processing conducted by NEXTID SOFTWARE SOLUTIONS – FZCO as a processor (“Processor”) on behalf of the Client acting as a controller (“Controller”) within the scope of providing the Service under the Terms of Service together with its annexes and any policies referred to in the Terms of Service (if applicable) (altogether “Agreement”).
The Parties acknowledge that this DPA and personal data processing activities conducted under the Agreement are governed by the Regulation (EU) 2016/679 of the European Parliament and the Council (“GDPR”), and other relevant legislative acts, or supervisory authorities’ guidelines, governing the processing of personal data in the Republic of Estonia (all together with GDPR “Legislation”).
Each term, unless specifically defined herein, is used in the meaning given to it in the GDPR or the Agreement.
For matters not stipulated in this DPA, the Agreement applies. In the event of a conflict or ambiguity between the Agreement and this DPA, this DPA will prevail.
Processing of Personal Data
The Processor shall process personal data only in accordance with documented instructions of the Controller, including the instructions provided by the Controller in the Agreement, DPA, and annexes thereto unless required to do so by the Legislation to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the Legislation prohibits this on important grounds of public interest.
The Processor shall process personal data in accordance with the Agreement, DPA, and annexes thereto only for the specific purposes of the processing and the duration as specified in Annex 1 (Annex 1 – description of the processing).
Rights and Obligations of the Controller
- ensure that all instructions for the processing of the personal data under the Agreement or this DPA or as otherwise agreed or stipulated shall comply with the GDPR and the Legislation, and such instructions will not in any way cause the Processor to be in breach of the Legislation.
- comply with the Legislation, including ensuring the accuracy, quality, and lawfulness of the personal data processed by the Processor and informing the data subjects of the processing operations carried out by the Processor.
- notify the Processor prior to concluding the Agreement if the Controller requires the Processor to adopt specific procedures, regulations, security measures, or similar.
Rights and Obligations of the Processor
- process the personal data on behalf of the Controller based on documented (e.g., received via e-mail or any other documented form) instructions given, received, and updated from time to time, from the Controller and in accordance with the Legislation;
- notify the Controller without undue delay if, in the Processor’s opinion instructions given by the Controller under Section 2.1 of this DPA infringe the GDPR or the Legislation;
- ensure that all of its employees, subcontractors, members of the management board, or other persons to whom the Processor has provided access to the personal data are subject to confidentiality obligation or an appropriate statutory confidentiality obligation and are aware of their duties and obligations in relation to personal data processing;
- engage sub-processors only in accordance with Section 6 of the DPA;
- not transfer personal data outside the European Union or European Economic Area (“EU/EEA”), except in case such transfer is in accordance with Section 7 of the DPA;
- take measures required pursuant to Article 32 of the GDPR and the Legislation, including implementing the appropriate technical and organisational measures, as specified in Annex 3 (Annex 3 – technical and organisational measures) to ensure a level of security appropriate to the risk related to the processing of the personal data and avoid alteration, loss or non-authorized processing thereof or access thereto. The Processor has the right to change and update from time to time and as seen necessary by the Processor any and all technical and organisational measures applied at the moment of concluding this DPA;
- not communicate with data subjects nor perform the data subject’s request directly and independently. The Processor shall forward any requests received from the relevant data subjects for exercising any of their rights to the Controller as soon as reasonably possible after the receipt of such a request;
- provide assistance to the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
- support the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, to the extent that it is reasonable, appropriate, and not unduly burdensome while taking into consideration the nature of personal data processing and the information available to the Processor;
- make available to the Controller all information necessary to prove the fulfillment of the obligations arising from the DPA and the Legislation, and contribute to audits performed in accordance with the Auditing Rights section of this DPA;
- notify the Controller in writing without undue delay, but no later than within 48 hours after becoming aware of a personal data breach concerning personal data processed by the Processor on the basis of the DPA. Such notification shall contain at least the description of the nature of the breach, categories, and the approximate number of data subjects and data records concerned (as required under Article 33 (3) of the GDPR). For clarity, a personal data breach as such shall not automatically mean the Processor’s infringement of this DPA, the Agreement, and the Legislation, provided that the necessary procedures as defined in this DPA, the Agreement, and the Legislation have been duly applied by the Processor;
- delete or return personal data to the Controller according to Section 8 of the DPA.
The Processor is entitled to invoice the Controller for additional costs and remuneration, in addition to the fees provided under the Agreement, for fulfilling its obligations under Sections 4.1.8, 4.1.9, and 4.1.10 of the DPA in case the Processor assesses the costs for fulfilling its obligations to be excessive and unreasonable (e.g. due to the repetitive nature of the requests, the volume of data to be processed, the necessity to compile systematically structured data sets according to the instructions of the Controller which requires additional work). The Processor shall notify the Controller of such costs in advance and prior to issuing such invoices. The invoices shall be issued and paid by the Controller, adhering to the invoicing regulations agreed in the Agreement.
The Processor acknowledges that according to Article 28 (10) of the GDPR the Processor shall be considered a separate controller if it goes beyond the instructions of the DPA and the Agreement and thus itself determines the purposes and means of processing.
Auditing Rights
Upon the Controller’s reasonable request, the Processor shall provide the Controller with all information necessary (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) to demonstrate compliance with the obligations laid down in the DPA, within thirty (30) calendar days of receipt of such request.
Where, in the reasonable opinion of the Controller, such information is not sufficient to meet the obligations of Article 28 of the GDPR, the Controller may, upon sixty (60) calendar days prior written notice to the Processor and upon reasonable grounds, conduct an audit by an independent third-party auditor mandated by the Controller. Each Party shall bear its own costs of conducting the audit.
Any audit shall be solely limited to confirming the Processor’s compliance with its data protection obligations under this DPA, and shall exclude all information, data and content which relates to: (i) any other clients, agents, or partners of the Processor; (ii) any of the Processor’s internal accounting or financial information; (iii) any trade secrets; (iv) any data that is being accessed for any reason other than the good faith fulfilment of the Controller’s rights under this DPA.
The notification provided according to Section 5.2 shall contain a proposal for an auditing plan. If parts of the requested scope of the audit are covered by an audit report carried out by a qualified third-party auditor within the last twelve (12) months, the Processor is entitled to provide to the Controller such a report instead of the proposed audit.
Any audit shall be performed during the Processor’s regular business hours and the performance of the audit must not interrupt the Processor’s business. Furthermore, in order to minimise operational disturbances the Processor can combine the audit with audits conducted on behalf of other clients or resellers.
Any audit must be carried out in a manner that does not disrupt, delay or interfere with the Processor’s performance of its business and in accordance with the Processor’s internal policies. The Controller shall ensure that all participants of the audit are subject to written confidentiality obligation at least to the same extent as provided in the Agreement. Unless prohibited by the Legislation, the Controller must provide a copy of the audit report to the Processor, and the Processor will be entitled to use the report in other client relationships, e.g. as stated in Section 5.4 above.
Use of Sub-processors
The Processor is permitted to engage sub-processors for the provision of the Service under the Controller’s authorization (general written authorization pursuant to Article 28 (2) of the GDPR) provided hereby. The Controller acknowledges and agrees that the Processor has engaged the sub-processors identified in Annex 2 (Annex 2 – sub-processors).
Should the Processor wish to engage a new sub-processor or replace a current sub-processor with a new sub-processor, then the Processor is obliged to inform the Controller. Upon having reasonable grounds, the Controller may object, in a format reproducible in writing, to any such additions, changes, or replacement within thirty (30) days of the Processor informing the Controller. If the Controller does not object during such time period, the addition, change, or replacement shall be deemed accepted.
In case the Controller has exercised, pursuant to Section 6.2 above, its opportunity to object to the addition or replacement of the sub-processor and the Processor does not, under reasonable grounds, agree with such objections, both Parties have the right to terminate the Agreement, together with the DPA by notifying the other Party thirty (30) calendar days in advance. Until the termination of the Agreement, the Processor has the right to use the sub-processors to which the Controller has issued its objections, for the performance of the Agreement and the DPA. The termination of the Agreement and the DPA does not exclude the application of any legal remedies by both Parties under applicable legislation and under the Agreement.
In the event the Processor engages or replaces a current sub-processor, the Processor shall engage such sub-processor under a written agreement containing equivalent obligations as those set out in this DPA and remain fully liable to the Controller for the performance of each sub-processor’s obligations.
Data Transfers Outside the EU/EEA
The Controller allows the Processor to transfer the personal data outside of the EU/EEA, including engaging any sub-processors, if the Processor transfers personal data to countries in relation to which the European Commission has issued an adequacy decision or if the Processor uses other appropriate safeguards set out in Chapter V of the GDPR (e.g. standard contractual clauses adopted by the European Commission).
The Controller is entitled to request information from the Processor regarding the countries to which personal data is transferred and of the existence or absence of an adequacy decision by the European Commission, or reference to the appropriate safeguards.
In the event that any of the measures referred to in Section 7.1 above are no longer sufficient to satisfy the requirements of the Legislation applicable to the processing of personal data under the DPA, so that the transfer of personal data outside the EU/EEA is no longer legalised, the Processor shall use reasonable efforts either to implement an alternative transfer mechanism which satisfies the requirements of the Legislation applicable to the processing of personal data under this DPA and legalises the transfer of personal data outside the EU/EEA, or to cease such transfer.
Deletion or Return of Personal Data
After the receipt of the Controller’s written request, the Processor shall delete or return all of the personal data processed for the provision of the Service according to the Agreement (and any existing copies thereof), unless storage of any personal data is required by the Legislation.
In the event that the Controller does not render a written request to either delete or return the personal data, the Processor shall delete permanently all of the relevant personal data within six (6) months of the end of the provision of the Service to the Controller unless otherwise agreed upon in writing. The foregoing cannot be considered an obligation of the Processor to retain the said personal data for a period of six (6) months and the Processor has the right to delete the said data earlier. The Controller takes note that after the period stipulated herein, the said personal data is permanently deleted. The prior obligation does not apply to anonymized personal data, usage statistics, technical parameters, and analyses.
The Controller acknowledges that the deletion of personal data after the termination of the Agreement and this DPA does not exclude the Processor’s right to retain the said data in its backup systems. The Processor shall ensure that applicable safeguards are in place, the personal data is put beyond use in the backup systems and the personal data is subsequently deleted as soon as possible, i.e. on the Processor’s next deletion/destruction cycle.
The Controller acknowledges that the Processor has the right to retain all of the instructions and other material which relates to the processing of personal data.
General
This DPA becomes effective upon entering into the Agreement by the Parties and is valid until the termination of the Agreement.
The termination of the DPA takes place according to the Agreement. Termination of the DPA causes automatic termination of the Agreement and vice versa. Termination of this DPA does not exempt the Parties from fulfilling their obligations as specified in the Legislation.
The confidentiality obligation set out in Section 4.1.3 applies indefinitely even after the termination of the DPA.
This DPA is governed by the laws of the Republic of Estonia. The Parties agree that any disputes arising from this DPA will be resolved as stipulated in the Agreement.
The Processor is entitled to unilaterally amend this DPA by giving the Controller a prior notification of fourteen (14) calendar days in case it is necessary to comply with the Legislation or any changes thereto. If the Controller declines to accept such amendments, the Processor is entitled to immediately extraordinarily terminate the Agreement and this DPA in order to comply with the Legislation. If necessary to comply with the Legislation, the amendments giving rise to the termination shall be applied fully in the period between the issuing of the termination notice and the date the termination of the Agreement takes effect.
The Processor has the unilateral right to amend the DPA by notifying the Controller of the changes by e-mail at least thirty (30) calendar days before the amendments enter into force. If the Controller does not agree with the amendments to the DPA, the Controller may terminate the DPA in line with the Agreement.
DPA Annex 1
Details of Data Processing
Subject-matter of processing
The Processor will process the personal data as necessary to provide the Service according to the Agreement.
Nature of the processing
The Processor may conduct the following processing activities: receiving data, including collection, accessing, retrieval, recording and data entry; using data, including analysing and profiling by the provision of the Service; returning data to the Controller; erasing data, including destruction and deletion.
Categories of data subjects
The Processor may process personal data of the following categories of data subjects: the Controller’s employees, the Controller’s clients, and clients’ end users (including, but not limited to SMS recipients).
Types of personal data
The Processor may process the following types of personal data: name, username, e-mail address, and phone number. The Processor does not process sensitive personal data.
Duration of processing
The Processor will process the personal data as long as it is necessary for the provision of the Service.
DPA Annex 2
Sub-processors
The Processor uses certain sub-processors to assist it in providing its clients the Service as described in the Terms of Service.
A sub-processor is a third-party processor engaged by the Processor who has access or potentially will have access to the data inserted into the Service by the Controller (including personal data).
For the purposes to support the provision of the Service, the Processor uses the following sub-processors: mobile operators (e.g., Vodafone, Telefonica, Telia), messengers (WhatsApp, Viber, Google RSC), and Amazon Web Services.
DPA Annex 3
Technical & Organisational Measures
The Processor has implemented at least the following technical and organisational measures:
Confidentiality (Article 32(1)(b) of the GDPR)
- Defined security perimeters with security measures;
- Technical monitoring equipment (alarm system, video surveillance, motion detectors);
- Access control system and its regular maintenance (doorkeeper service, door lock system, electronic access cards, transponder system);
- Obligatory registration of visitors at the reception, visitors accompanied by employees;
- Automatic logging of electronic access control system;
- Information Security Policy established, documented, and reviewed.
- Unique user identification for each user;
- Strong passwords (system-controlled complex rules for passwords, e.g., at least 10 characters, at least one upper-case and one lower-case letter, and at least one number), automated password changes every three months;
- Temporary passwords given to users in a secure manner;
- Provision of access rights according to the principles of “need-to-know” and “least privilege” (lowest possible rights) based on task-related user profiles and function roles;
- Restricted and controlled allocation and use of privileged access rights;
- Established procedures for assigning, changing, and revoking access rights and user IDs, without undue delay for all user types to all systems and services;
- Established procedures for reporting and revoking compromised access credentials (passwords);
- Anti-Virus software;
- Firewalls;
- Intrusion detection systems;
- Use of VPN for remote access;
- Automatic desktop lock;
- Two-factor authentication in data center operation and for critical systems;
- Security patch management;
- SSH encrypted access;
- Certified SSL encryption;
- Encryption of data carriers;
- Secure storage of data carriers;
- Proper destruction of data carriers;
- Use of file shredders and certified waste disposal service providers;
- Information Security Policy established, documented, and reviewed.
- Physical separation of systems/databases/data carriers;
- Client systems logically separated such that the data are collected or produced for a single client only, without inadvertently accessing another client’s data;
- Physical separation of development, testing and production environments;
- No usage of un-anonymized data in the development environment;
- VLAN segmentation;
- Determination of database rights;
- Information Security Policy established, documented, and reviewed;
- Data Protection Policy established, documented, and reviewed.
- In case of pseudonymization: separation of the allocation data and storage in a separate system (encrypted);
- Internal instruction to anonymise/pseudonymise personal data as far as possible in the event of disclosure, or even after the statutory retention period has expired;
- Information Security Policy established, documented, and reviewed;
- Data Protection Policy established, documented, and reviewed.
Integrity (Article 32(1)(b) of the GDPR)
- Controls in place to prevent unauthorised access to the application, program, or source code, and assure it is restricted to authorised personnel only;
- Technical logging of the entry, modification, and deletion of data;
- Traceability of data entry, modification, and deletion through individual user names;
- Information Security Policy established, documented, and reviewed.
- Standardised state-of-the-art transfer protocols via encrypted connections (TLS, SSL, SFTP, HTTPS);
- Transport layer security to ensure communication and transfer security over the network connection;
- Use of VPN;
- Information Security Policy established, documented, and reviewed;
- Data Protection Policy established, documented, and reviewed.
Availability and resilience (Article 32(1)(b) of the GDPR)
- Monitoring and planning conducted for the capacity needs across all infrastructure components;
- Monitoring and tuning system performance conducted across all infrastructure components;
- Detection systems (fire detection system, server room monitoring temperature and humidity, video surveillance server room, alarm message in case of unauthorised access to server room);
- Backup concept established;
- Backups are encrypted;
- Access to backups is restricted to authorised personnel only;
- Existence of a disaster recovery plan, which contains all the procedures and support information required for business resumption;
- Information Security Policy established, documented, and reviewed.
- Backup monitoring and reporting;
- Restorability;
- Backup concept according to criticality and customer specifications;
- Recovery concept;
- Ability to automatically replicate data to help guard against unexpected hardware failures;
- Regular testing of data recovery results;
- Existence of an emergency plan;
- Information Security Policy established, documented, and reviewed.
Procedures for regular testing, assessment and evaluation (Article 32(1)(d), Article 25 of the GDPR)
- Central documentation of all data protection regulations with access for employees;
- At a minimum, annual review for continuous improvement;
- Data protection checkpoints consistently implemented in tool-supported risk assessment;
- Regular data protection, confidentiality/data secrecy trainings;
- Data protection impact assessment carried out as required;
- Processes regarding information obligations according to Articles 13 and 14 of the GDPR established;
- Formalised process for requests for information from data subjects in place;
- Data protection risks established as part of corporate risk management.
- Monitoring of service continuity;
- Use of firewall, spam filter, and virus scanner and regular updating;
- Documented security incident/data breach response plan;
- At a minimum, annual testing of the security incident/data breach response plan;
- Alerting system in place for monitoring privacy breaches, notification of the client if a privacy event may have impacted their data;
- Information Security Policy established, documented, and reviewed;
- Data Protection Policy established, documented, and reviewed.
- No more personal data is collected than is necessary for the respective purpose;
- At a minimum, annual reviews for continuous improvement;
- Privacy-friendly default settings in standard and individual software;
- Data Protection Policy established, documented, and reviewed.
- Careful selection of the contractor under due diligence aspects (especially with regard to data protection and data security);
- Conclusion of the data processing agreement with unambiguous wording;
- Written processing instructions to the contractor;
- Obligation of the contractor’s employees to maintain data secrecy;
- Regulation on the use of further subcontractors;
- Ensuring the destruction of data after termination of the contract;
- Monitoring of the performance of the data processing agreement on a regular basis.
DPA Annex 4
Standard contractual clauses
Section I
Clause 1
Purpose and scope
a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
b. The Parties:
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).
c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and Invariability of the Clauses
a. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
b. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
a. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5(e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1(b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d), and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two, and Three: Clause 18(a) and (b); Module Four: Clause 18.
b. Paragraph (a) is without prejudice to the rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
a. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
b. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
c. These Clauses shall not be interpreted in a way that conflicts with the rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed upon or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Docking clause
The optional docking clause will not apply.
Section II
Obligations of the Parties
Clause 8
Data Protection Safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.
(b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.
(c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.
(d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.
8.2 Security of processing
(a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data, the nature, scope, context, and purpose(s) of processing, and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
(b) The data exporter shall assist the data importer in ensuring the appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.
(c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8.3 Documentation and compliance
(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.
Clause 9
Use of sub-processors
This clause is intentionally left blank.
Clause 10
Data subject rights
The Parties shall assist each other in responding to inquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.
Clause 11
Redress
The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
Clause 12
Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
Clause 13
Supervision
This clause is intentionally left blank.
Section III
Local Laws and Obligations in Case of Access by Public Authorities
Clause 14
Local laws and practices affecting compliance with the Clauses
This clause is intentionally left blank.
Clause 15
Obligations of the data importer in case of access by public authorities
This clause is intentionally left blank.
Section IV
Final Provisions
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- the data importer is in substantial or persistent breach of these Clauses; or
- the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
(d) Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply, or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Estonia.
Clause 18
Choice of forum and jurisdiction
Any dispute arising from these Clauses shall be resolved by the courts of the Republic of Estonia.
Standard Contractual Clauses Appendix
Annex I
A. List of Parties
Data exporter:
Name and contact details: NEXTID SOFTWARE SOLUTIONS – FZCO, contact details designated in the Terms of Service
Signature and date: by entering into the Agreement, the data exporter is deemed to have signed these EU standard contractual clauses incorporated herein, including their Annexes, as of the effective date of the Terms of Service.
Role: processor
Data importer:
Name and contact details: Client, contact details set forth in the Client’s Account
Signature and date: by entering into the Agreement, the data importer is deemed to have signed these EU standard contractual clauses incorporated herein, including their Annexes, as of the effective date of the Terms of Service.
Role: controller
Categories of data subjects whose personal data is transferred: the Controller’s employees, the Controller’s clients, and clients’ end users (including, but not limited to SMS recipients);
Categories of personal data transferred: name, username, e-mail address, phone number;
Sensitive data transferred: no sensitive personal data is transferred;
The frequency of the transfer: continuous basis for the duration of the Agreement;
Nature and purposes of the processing: to provide the Service according to the Agreement;
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: as long as it is necessary for the provision of the Service;
For transfers to (sub-)processors, also specify the subject matter, nature, and duration of the processing: the data exporter uses sub-processors, which are set forth in DPA Annex 2, to provide the Service according to the Agreement for as long as it is necessary for the provision of the Service.