General terms and conditions


Summary of general terms

1. General

1.1 These terms and conditions govern the relationship between the Customer and Loopia AB, reg. no. 5566339304 (hereinafter ”Crystone”), in respect of the service which the Customer has selected (hereinafter the ”Service”). Depending on the Customer’s order, the Service may include web hosting, domain name, Extra services and Third party products or such other service Crystone at any time offers.

2. The Service

2.1 The content of the Service is specified in a separate order confirmation/invoice.

2.2 Crystone reserves the right to change the scope and content of the Service, or to terminate all or part of the Service where necessary due to technical reasons, or due to any law or other regulations issued by public authorities. The Customer shall always be entitled to terminate the Agreement in the event of any such change.

2.3 During the subscription period, Crystone shall provide support for the Service via either telephone or email, and through information on Crystone’s website. The processing time may be affected as, in certain cases, Crystone depends on third parties and may refer to a third party’s channels.

2.4 Customer data and customer information may be provided to third parties where necessary in order for the service to function.

2.5 Domain names are registered in the Customer’s name and are owned by the Customer. However, Crystone reserves the right to serve as administrative, technical, and/or invoicing contact for any domain name to the extent Crystone deems necessary.

2.6 Crystone shall be entitled to sign all domain names which are registered by Crystone on behalf of the Customer using the security extension DNSSEC. If the Customer does not wish to use this extension, the Customer may deactivate it in Crystone’s control panel.

2.7 The Customer must be at least 18 years of age to order the Service.

3. Term of the Agreement for the Service, etc.

3.1 The Service shall be provided for the period (maximum 24 months) which the Customer selects in conjunction with ordering, commencing on the date on which Crystone issues confirmation. After the agreed period has expired, the Customer has the right to terminate the Agreement with one (1) month’s notice. If the Service consists of domain names, the Service ends automatically when the period expires, unless the Customer renews the domain name. However, if the Agreement has been entered into at a distance, e.g. over the Internet, the Customer shall be entitled to withdraw from the Agreement by notifying Crystone within 30 days of the date stated on the order confirmation.

3.2 Notwithstanding section 3.1, the right of withdrawal does not apply to the Service domain name and other third-party products if the Customer requests that Crystone shall fulfill the Agreement during the withdrawal period or if the Customer starts using the Service, for example, by paying the advance invoice or by logging in to the Crystone control panel.

3.3 The Agreement terminates either through notice of termination or through failure to pay for the coming period. The recommended way of giving notice of termination is by logging in to the Crystone control panel.

3.4 Any request by the Customer to change a subscription period must be received by Crystone not later than on the date on which the current subscription period ends. Any outstanding invoices must also be paid. Any change of the subscription period shall enter into force when Crystone sends an invoice with confirmation that the change of the subscription period has been made.

3.5 Either party shall be entitled to give written notice of termination of the Agreement, by email or post, with immediate effect if: (1) the other party commits a material breach of contract and, to the extent rectification is possible, fails to rectify the breach within 14 days after a written demand to do so with reference to this section; or (2) a party is placed into bankruptcy or liquidation, is the subject of composition proceedings, or is otherwise clearly insolvent. Moreover, Crystone shall be entitled to terminate the Agreement with immediate effect if it can reasonably be believed that continued dissemination of information in the Service is in violation of the law or any regulation issued by a public authority, if Crystone is caused operational disruptions which can reasonably be believed to be the result of defects or technical disruptions attributable to the Customer, or if the Customer abuses Crystone’s support.

3.6 In all cases in which Crystone is entitled to terminate the Service with immediate effect, Crystone shall also be entitled to discontinue the Service pending further investigation.

Crystone shall also be entitled to discontinue the Service as a result of any police report, investigation, dispute or similar in respect of the Service where Crystone determines that this is necessary in order to prevent any continued criminal activity or modifications which can impede such matter. Crystone shall also be entitled to discontinue the Service if the Customer’s installation is outdated or contains security vulnerabilities. Crystone shall also be entitled to update the Customer’s installation without giving notice thereof.

3.7 Crystone shall be entitled to give notice that the Service has been terminated on the Customer’s website or by email. The Customer shall be charged a startup fee in conjunction with reactivation of the Service.

4. Fees for the Service

4.1 Fees for the Service shall be paid in advance against invoice. Payment shall be made not later than 30 days after the invoice date and before the Service expires. The Customer shall ensure that the correct OCR number is given on the payment so that the matching of payment against correct invoice can be made.

4.2 Prior to each new contract period, if the Service can and will be renewed by Crystone, Crystone shall send at least one invoice for renewal of the Service. Crystone shall not be responsible for renewing the Service where the Customer fails to pay the invoice for renewal prior to expiry of the Service and/or the due date of the renewal invoice, or fails to make full payment. In the event Crystone cannot renew the Service, the Customer shall be responsible for any renewal.

4.3 Crystone shall be entitled to deactivate the Service if the Customer fails to pay in due time, or fails to pay in full, provided that at least one written reminder or warning has been sent to the Customer either by email or post. Crystone shall be entitled to give notice that the Service has been terminated on the Customer’s website or by email. The Customer shall be charged a startup fee in conjunction with reactivation of the Service.

4.4 The Customer shall notify Crystone without delay if he/she believes that an invoice is incorrect. Where the Customer has objected to the invoice in due time and has provided substantive grounds for the objection to the charge, Crystone shall grant a grace period for payment of the disputed amount. If the grace period is granted, penalty interest on arrears shall be payable on such part of the amount in dispute which the Customer is obligated to pay.

4.5 Penalty interest on arrears shall be paid in accordance with the Interest Rate Act (1975:635) as from the due date and until payment in full is made.

4.6 Any change of fees may only enter into force in conjunction with a new subscription period. In order for any increase in fees to be valid, the Customer must be given written notice at least one (1) month in advance by email, by post, or through information provided on Crystone’s website. Advance notice of fee reductions does not need to be given.

4.7 Temporary promotional prices shall not affect fees for ongoing services.

4.8 Fees for domain names cannot be refunded.

4.9 In the event Crystone terminates the Service prematurely due to the Customer’s breach of contract as set forth in section 3.5, no fees paid for any current or future period shall be refunded.

4.10 Any service which is not renewed due to a failure to pay and/or termination expires immediately, except domain name which becomes dormant and subject to a quarantine period of up to 90 days before being deregistered. During such time, the Customer may pay a fee to reactivate the Service.

4.11 Incorrect payments from the Customer, such as overpayments, payments on credited invoices, etc., can be refunded or used for payment of future invoices at the request of the Customer.

5. Assignment of the Service, etc.

5.1 The Customer may assign the Service following Crystone’s consent. Any assignment shall be implemented pursuant to the rules applicable from time to time. Information may be obtained from Crystone’s website, An assignment may enter into force commencing the date on which Crystone notifies the Customer that consent to the assignment has been given. The withdrawing party shall be liable to make payment on obligations that arose before the assignment was implemented. The acceding party shall be liable to make payment on obligations that arose after the assignment was implemented. The withdrawing party shall be obligated to pay any outstanding debts to Crystone before the acceding party can take over the Service.

5.2 The Customer shall not be entitled to pledge any or all of its rights and/or obligations under the Agreement to any third party without Crystone’s consent.

5.3 Crystone may assign the Service to another company that may reasonably be expected to fulfill Crystone’s rights and obligations to the Customer.

6. Crystone’s liability

6.1 Crystone and/or any retained subcontractor shall be entitled to take measures which affect the availability of the Service where necessary for technical, maintenance, operational, or security reasons or due to any law, decision by a public authority, or decision taken by an accredited registrar for the relevant toplevel domain name or such registrar appointed by an accredited organisation. No compensation shall be paid for unavailability during maintenance.

6.2 Crystone shall be liable for defects in the Service only to the extent it fails to meet the agreed specifications. Insignificant deviations as well as any limitations on availability which Crystone is entitled to make pursuant to these general terms and conditions shall not be regarded as a defect.

6.3 If, as a result of a defect caused by Crystone, the Customer has not been able to use the Service, the Customer shall be entitled to a reduction of the applicable fee which corresponds to the scope of the defect. Such reduction shall be made taking into consideration the time during which the defect existed in relation to the fee applicable to the Service. Any claim for a reduction must be made in writing not later than one (1) month after the defect has been rectified.

6.4 Crystone shall be liable only for losses caused through Crystone’s negligence and, except in case of intentional acts or gross negligence, any liability in damages shall be limited to direct loss in an aggregate amount corresponding to fees for the applicable subscription period. Crystone shall not be liable for indirect losses such as loss of profit, lost sales, loss of information, or corruption of information due to, for example, a third party’s unauthorised hacking of Crystone’s computer resources.

6.5 The amount limit set forth in section 6.4 shall not apply with respect to a Customer who is deemed to be a consumer according to the Distance and OffPremises Contracts Act (SFS 2005:59).

6.6 In order to be valid, any claim for damages must be made in writing within a reasonable time after the Customer discovered or should have discovered the grounds for the claim, however, no later than three (3) years after the time of the incident.

6.7 Crystone shall not delete customer information while the Service is active unless the Customer has requested, in writing, that the information is deleted and has confirmed its identity. However, Crystone reserves the right, for system technical reasons, to move the information to another media. However, product-specific information shall be deleted upon downgrading or assignment of the Service. Information belonging to a specific domain name is deleted when erasing a domain name of the Service.

6.8 Irrespective of whether Crystone provides backups, there is no guarantee that backup copies will work correctly and that content will be fully restored or formatted correctly.

The Customer shall be solely liable for ensuring a separate backup of all data which the Customer considers important to the Customer.

6.9 From time to time, Crystone may stop supporting aspects of the Service (known as ”End of Life”). When components of the Service reach an End of Life, Crystone shall replace them with comparable components if possible. An End of Life is not a breach of the Agreement.

6.10 Crystone treats all customer information as confidential and in accordance with applicable privacy legislation. Information regarding how Crystone processes personal information can be found on Crystone’s web page for privacy,, and is also regulated in the Data Processing Agreement, Appendix A.

6.11 Crystone is entitled to take part of all information processed in the Service in order to fulfil Crystone’s rights and obligations in accordance with the parties’ agreements.

6.12 In the event a defect or damage arises for the Customer, or for Crystone’s other customers or Crystone’s system, or if such a defect or damage may arise, Crystone is entitled to take action in order to avoid such damage. In such cases, Crystone is allowed to remedy security defects in the Customer’s code.

6.13 Furthermore, Crystone may without restrictions hand over such code and software that Crystone reasonably considers to be malicious to Crystone and/or Crystone’s customers, or to Crystone’s system, to a third party for analysis. Such third parties shall be bound by confidentiality. In the event an analysis shows that the code is malicious, Crystone may remove the code from the Service.

6.14 Crystone may continuously perform security checks of the Customer’s services in order to decrease the risk for dissemination of malicious code and software, disruption in the operation, or the like.

7. The Customer’s liability

7.1 The Customer shall be liable, visàvis Crystone, to ensure that information which is handled within the Service does not constitute an infringement of any third party rights or otherwise violate applicable Swedish legislation.

7.2 The Customer undertakes not to use resources or seek unauthorised access to any such system of Crystone or its retained subcontractors which are not intended for the Customer, not to otherwise act in violation of applicable legislation in conjunction with its use and/or registration of the Service, and not to distribute computer viruses or any other form of malicious code.

7.3 The Customer undertakes to use the Service in a manner which maintains security for Crystone’s services and network, e.g. by uploading software which is proven to be safe, installing patches, and not sharing passwords.

7.4 Where a thirdparty user provides information on websites which are covered by the Service, the Customer shall monitor the information and ensure that continued dissemination is prevented as per the requirements of applicable legislation.

7.5 The Customer shall ensure that sexually explicit information does not appear on webpages which are covered by the Service. Domain names which are included in, and administered by the Service may also not point to, forward to, or otherwise be related to sexually explicit material.

7.6 The Customer shall ensure that the domain names which are added to and administered under the Service belong to the Customer.

7.7 The Customer shall always have correct, updated information on file with Crystone which can identify the Customer. The websites shall clearly identify the physical person or legal entity which is responsible for publication of the pages.

7.8 The Customer is obligated to always have a valid email address for the Customer’s authorised contact person on file with Crystone. This email address will be used by Crystone to convey important messages related to the Service.

7.9 The Customer confirms the obligations which ICANN or any other toplevel registrar may impose on Crystone as agent for registration of domain names. The Customer further confirms that the toplevel domain name registrar shall be held harmless against all claims which are attributable to domain names which are registered under such toplevel domain name. Crystone shall bear no liability whatsoever for transfer, closure, or any other matter which may affect the domain service and which is required under the conditions stipulated by ICANN or any other toplevel domain registrar.

7.10 The Customer may delegate operation of web design, updates, and so forth to another physical person or legal entity. However, this shall not constitute a limitation of the Customer’s liability under the Agreement.

7.11 The Customer accepts Appendix A as a Data Processing Agreement for all the Services which are used by the Customer.

7.12 The Customer is responsible for the possible integration of interfaces that Crystone has provided for management of data, such as FTP, email systems, database access, API or the like. Crystone is not responsible for any defects in the integration related to maintenance, interruption of service or other occurrences that affect the Customer’s integration.

8. Amendment of the Agreement

8.1 Crystone shall be entitled to make any amendment or additions of these general terms and conditions, which shall enter into force one (1) month after the new general terms and conditions have been notified to the customer If The Customer does not approve changes or additions that are detrimental to the Customer, the Customer has the right, no later than three (3) months after such notification in writing terminate the Agreement with effect from the day on which the amendment would have entered into force.  Crystone has the right to make changes and additions that are not to the Customer’s disadvantage or where such disadvantage is of minor importance to the Customer. Such changes enter into force one (1) month after such change is published. Furthermore, Crystone has the right to immediately make changes in accordance with ch. 7. Section 12 par. 3 LEK if the change is (1) to the customer’s advantage or (2) of a purely administrative nature without negative consequences for the customer. The same applies if a change is necessary for the contractual terms to be compatible with national or Union law.

9. Miscellaneous

9.1 Any dispute regarding the interpretation or application of the Agreement shall be resolved by a Swedish court applying Swedish law.

9.2 Any dispute between the Customer and a third party as a result of a registered domain name shall be handled in accordance with the policy, applicable from time to time, established by the relevant registry. Crystone applies ICANN’s Uniform Domain Name Dispute Resolution Policy (”UDRP”) applicable from time to time. Crystone does not offer administrative services or assistance beyond the requirements imposed upon Crystone by the relevant registry agreement and/or agent agreement.

9.3 In the event a party is prevented from fulfilling its undertakings under the Agreement due to circumstances over which the party had no control, such as lightning strikes, pandemics, labour market conflict, 

general scarcity of transport, goods, or energy, fire, confiscation, public authority provisions, or defects or delays in service from subcontractors due to a circumstance stated herein, this shall constitute a force majeure event which results in postponement of the time for performance. In the event performance of the Agreement has been impeded to a material extent for a period in excess of one month due to a circumstance stated above, either party shall be entitled to withdraw from the Agreement and shall incur no compensation liability.

Appendix A – Data Processing Agreement


Data Controller: ”Customer”


Data Processor: Loopia AB (hereinafter ”Crystone”)

Reg. No: 556633-9304

Country of establishment: Sweden

In this data processing agreement ”Data Processor” refers to Crystone for the Services stipulated in Crystone’s General Terms and Conditions. ”Data Controller” refers to the Customer. Crystone’s contact person for general questions regarding the agreement and Crystone’s processing of personal data can be found at

A1. Introduction

A1.1 Both parties confirm that the undersigned are authorized to enter into this data processing agreement (”DPA”) which is an integrated part of the service agreement(s) which the parties have entered into (the ”General Terms and Conditions Service”). This DPA governs the Processing of Personal Data in connection with the at every time applicable Service Agreement.

A1.2 Crystone complies with Crystone’s Privacy Statement, which is available at

A2. Definitions

A2.1 The definition of Personal Data, Special Categories of Personal Data (Sensitive Information), Processing of Personal Data, Data Subject, Data Controller and Data Processor are the same as in applicable privacy legislation including the General Data Protection Regulation (GDPR), applicable in the DPA and in Europe from May 25, 2018 and the at every time complementary applicable national legislation, together Applicable Privacy Law.

A2.2 In this appendix, Data Controller is referred to as ”Customer” or “Party”, the Data Processor is referred to as “Crystone” or “Party”, and together the parties are referred to as “Parties”.

A3. Scope

A3.1 This DPA governs Crystone’s Processing of Personal Data on behalf of the Customer, and stipulates how Crystone shall ensure data security, through technical and organizational measures according to Applicable Privacy Law.

A3.2 The purpose of Crystone’s Processing of Personal Data on behalf of the Customer is to fulfill Crystone’s obligations according to the Service Agreement.

A3.3 This DPA takes precedence over any contradictory stipulations of Processing of Personal Data in the Service Agreement or other agreements entered into by the Parties.

A4. Crystone’s Liabilities

A4.1 Crystone may only Process Personal Data on behalf of, and in accordance with the Customer’s documented instructions. By entering into this DPA, the Customer instructs Crystone to Process Personal Data as follows:

i) solely in accordance with applicable law,

ii) to fulfil all obligations according to the Service Agreement,

iii) as is further specified through the Customer’s normal use of Crystone’s services and

iv) as stated in this DPA.

What is stated above shall also be applicable upon transfer of personal data to third countries.

A4.2 Crystone has no reason to believe there is any legislation that prevents Crystone from fulfilling the instructions stated above. Crystone shall inform the Customer, upon knowledge, in the event the Customer’s instructions or Processing, in Crystone’s opinion, infringes Applicable Data Privacy Law.

A4.3 The Categories of Data Subjects and Personal Data which are the subject of Processing according to this DPA is stated in this document.

A4.4 Crystone shall ensure the confidentiality, integrity and availability of Personal Data in accordance with Applicable Privacy Law. Crystone shall implement systematic, organisational and technical measures to ensure an appropriate level of security, taking into consideration the state of the art and the cost of implementation in relation to the risk of the Processing, and the type of Personal Data.

A4.5 Crystone shall, taking into account the nature of the processing, assist the Controller with appropriate technical and organisational measures, insofar as this is possible and considering the information available to Crystone, for the fulfilment of the Data Controller’s obligations to respond to requests from the Data Subject and general data protection according to Article 32-36 in the GDPR.

A4.6 If the Customer requires information regarding security measures, documentation or other information regarding how Crystone Processes Personal Data, and such requests involve more information than the standard information provided by Crystone in order to comply with applicable Privacy Laws as Data Processor, and this in turn means that the amount of work on Crystone’s part increases, Crystone may charge Customer for such additional services.

A4.7 Crystone and its personnel shall ensure the confidentiality of Personal Data Processed under this DPA. This condition also applies after the DPA has expired.

A4.8 Crystone shall promptly and without unnecessary delay, notify the Customer to enable the Customer to comply with the legal requirements of information to the relevant supervisory authorities and Data Subjects regarding a Personal Data breach.

A4.9 Furthermore, as far as is practically possible and lawful, Crystone shall notify the Customer in the event of: i) requests regarding disclosures of Personal Data from a Data Subject, ii) requests from public authorities, such as the Police Authority, regarding disclosure of Personal Data.

A4.10 Crystone may not respond directly to requests from Data Subjects without the Customer’s consent. Crystone may not disclose content relating to the General Terms and Conditions to authorities such as the Police Authority, including Personal Data, with the exception of statutory provisions, such as court decisions or similar decisions.

A4.11 Crystone does not control whether or how the Customer chooses to make use of any third-party integration through Crystone’s API, through direct database connection or the like. The Customer is solely responsible for such integrations with third parties. Crystone is not responsible as Data Processor for any Processing of Personal Data in such third party integrations.

A5. Customer Obligations

A5.1 By entering into this DPA, the Customer acknowledges that the Customer:

• when using the services provided by Crystone according to the Service Agreement, Processes Personal Data in compliance with Applicable Privacy Law,

• has legal grounds to Process and disclose the relevant Personal Data to Crystone (including any subprocessors used by Crystone),

• is solely responsible for the validity, integrity, content and lawfulness of the Personal Information transferred to Crystone,

• has fulfilled any mandatory requirements and obligations to notify, or obtain permissions from, applicable public authorities for the Processing of Personal Data,

• has fulfilled its obligations to provide relevant information to Data Subjects regarding Processing of Personal Data in compliance with Applicable Privacy Law,

• agrees that Crystone has provided guarantees regarding the implementation of technical and organisational security measures that are sufficient to protect the Data Subject’s integrity and Personal Data,

• when using the services provided by Crystone under the Service Agreement, does not transmit any Sensitive Personal Data, or data relating to criminal convictions and offences to Crystone. In the event of such a transfer, Crystone can not be held liable for the improper processing of such Personal Data,

• maintain an updated record of the types and categories of Personal Data that the Customer Processes.

A6. Use of Sub-processors and Transfer of Data

A6.1 As part of the delivery of Services to the Customer according to the Service Agreement and this DPA, Crystone may engage subcontractors who may act as sub-processors. Such sub-processors may be affiliates of Crystone, or external subcontractors (third parties) within or outside the EU/EES. Crystone shall ensure that the same data protection obligations as set out in this DPA are imposed on the sub-processors by way of an agreement.

A6.2 Sub-contractors with access to Personal Data who are currently engaged by Crystone, are published on Crystone’s Privacy web page,, and shall, by means of this DPA, be accepted by the Customer as subprocessors.

A6.3 The Customer may at any time request a full overview and additional detailed information relating to the sub-processors involved in the service delivery, regulated by the Service Agreement.

A6.4 If sub-processors are outside the EU/ EES, Crystone shall ensure that transfer is made in accordance with Applicable Privacy Law. The Customer hereby grants Crystone the power and authority to ensure appropriate legal grounds for the transfer of personal data outside the EU on behalf of the Customer, for example, by signing EU Standard Contract Clauses.

A6.5 The customer must be notified of changes to subcontractors who process personal data via If a new sub-contractor evidently fails to comply with Applicable Privacy Law and the sub-contractor continues to fail to comply with Applicable Privacy Law, after Crystone has had reasonable time to ensure that the sub-contractor complies with the regulations, the Customer may terminate the DPA. Such termination may include the right to terminate the Service Agreement, in whole or in part, in accordance with the termination clauses contained in the respective Service Agreement. An important part of such assessments should be to what extent the sub-contractor’s Processing of Personal Data is an essential part of the services provided under the Service Agreement. A change of sub-contractor shall not in itself be regarded as a breach of the Service Agreement.

A6.6 By signing this Agreement, the Customer agrees to Crystone using sub-contractors as described above.

A7. Security

A7.1 Crystone is obligated to provide a high level of security in its products and services. Crystone provides security through organisational, technical and physical security measures, in accordance with the information security requirements described in Article 32 of the GDPR. Furthermore, the internal data protection framework which is implemented by Crystone, aims to protect the confidentiality, integrity and availability of and access to Personal Data.

The following measures are of particular importance in this regard:

• classification of Personal Data to ensure the implementation of safety measures that correspond to the risk assessment.

• evaluation of the use of encryption and pseudonymisation as risk-reducing factors.

• limitation of access to Personal Data to those who need access to fulfil the obligations of this DPA or the Service Agreement.

• use of systems that detect, restore, prevent and report personal data incidents.

• implementation of security analyses to assess the quality of current technical and organisational measures to protect Personal Data, taking into account the requirements of Applicable Data Privacy Law.

A8. Audit Rights

A8.1 The Customer is entitled to carry out an annual audit of Crystone’s compliance with the terms of this DPA. If required by law, the Customer may request audits more often. As Crystone’s services are multitenant environments, the Customer grants Crystone the authority, for security reasons, to determine that auditing is to be performed by a neutral third-party auditor that Crystone selects.

A8.2 If the requested audit area has been included in an ISAE, ISO or similar review report conducted by a qualified third-party auditor within the previous twelve months, and Crystone confirms that there are no known significant changes in the actions audited, the Customer shall accept this audit report instead of requesting a new audit of actions already audited.

A8.3 If Customer does not accept the neutral third-party auditor chosen by Crystone, the Customer may, together with Crystone, choose another neutral third-party auditor.

A8.4 The Customer is responsible for any costs incurred in connection with the requested audits. Any assistance provided by Crystone that exceeds the standard service provided by Crystone and/or its sub-contractors in order to comply with Applicable Privacy Law will be charged.

A9. Term and Termination

A9.1 This DPA is applicable as long as Crystone is Processing Personal Data on behalf of the Customer according to the applicable Service Agreements.

A9.2 This DPA terminates automatically upon the expiration of the Service Agreement. When the DPA expires, Crystone will delete or return the Personal Data processed by Crystone on behalf of the Customer, in accordance with the applicable sections in the respective Service Agreement. Unless otherwise agreed in writing, the cost for such actions shall be based on: i) hourly fee for time spent by Crystone and ii) the complexity of the requested process.

A9.3 Crystone may retain Personal Data after the expiry of the DPA, to the extent required by law, however observing the same technical and organisational measures as described in this DPA.

A10. Liability

A10.1 Liability for breach of the terms of this DPA shall be governed by liability clauses in the respective Service Agreement between the Parties. This also applies to any breaches by the sub-processor.

A11. Applicable Law and Jurisdiction

A11.1 This DPA shall be governed by the law applicable as stated in the respective Service Agreement between the Parties.

A12. Categories of Personal Data and Data Subjects

A12.1 As Crystone’s services allow the Customer to arbitrarily process Personal Data, it is not possible to generally state the categories of Data Subjects or Personal Data which are governed by this DPA. The Customer is obligated to register this information.

A12.2 The Customer may not transfer any Sensitive Data to Crystone. In the event such transfers are made, Crystone cannot be held responsible for any Processing that is not compliant with Applicable Privacy Law. Sensitive Data is defined in the Applicable Privacy Law, as follows:

• racial or ethnic origin, political opinions, religious or philosophical beliefs,

• data concerning health,

• data concerning a natural person’s sex life or sexual orientation,

• trade union membership,

• genetic or biometric data for the purpose of uniquely identifying a natural person.

A12.3 The Customer may not transfer any Personal Data concerning criminal convictions and offences.

A13. Overview of Current Sub-Processors

A13.1 The sub-processors that are engaged by Crystone at every given time is stated herein: