Last updated: 15 Mar 2023
The Framework agreement option can give you more favourable terms, including better pricing, payment terms, and a higher service level agreement (SLA). Contact us at firstname.lastname@example.org for more information and eligibility.
By creating a user profile with Manymore, you accept the terms and conditions in full. You can delete your profile and stop sharing data at any time.
1. Description of the service
The services Manymore offers are available at all times on manymore.com and my.manymore.com ("the Service").
In general we provide software services related to onboarding, verification and background checks, e-signatures, invoicing, and paying out your suppliers. This includes, but is not limited to HR & finance software, and other related software and services. The Service may be provided in-person, over the phone, or online. The scope of the Service will be agreed upon with you prior to the start of any service.
To use the Service, you must register a user profile. Such registration is free.
You manage your own personal details and contact information directly in the Service. You are responsible for all information you provide to Manymore being correct, accurate and complete, and for keeping the information up to date at all times.
Username and password associated with your user account are strictly personal. You are responsible for ensuring that your password is not made available to others at any time, and are aware that you may be held responsible for all activity associated with your user account. If you suspect that others have access to your password or user account, you must immediately notify Manymore of this.
3. Responsibility for content and use
We are not responsible for the content shared or collected through the Service. You yourself are responsible for the content not:
- Is misleading, deceptive or otherwise inaccurate;
- Violates someone else's privacy or intellectual property rights;
- Is offensive or seems violating
Content that falls under any of the above categories may be removed from the service after prior notice. Your account may be disabled temporarily or permanently if you violate this provision.
You are also responsible for not using the service in a way that violates the privacy of others.
4. Personal information
In order to deliver the service, we process various personal data including, but not limited to, the following:
- Individuals: name, contact details, birth and social security number
- Organisation: names and contact details
For data you choose to upload to the Service, we are the processor. We only process this information in line with the data processing agreement entered into with you (Appendix 1).
5. Changes to the Service
Manymore reserves the right to make regular updates to the Service without prior notice. Such updates do not necessarily include all the features that were available in the previous version.
If we make changes to functionality and/or content that significantly impair the Service, this shall be treated as a change to the Agreement. Such changes will be notified at least 30 days before the changes come into effect.
6. Intellectual property rights and right of use
We own all rights to the service. This includes, but is not limited to, the concept, design, trademarks, know-how, trade secrets, copyright and other intellectual property rights.
We retain all ownership rights to any work created by our suppliers while working on assignments for us.
By accepting these terms, you are granted a right of use to the service, limited to the functions that are made available to you at all times and that are necessary to use the Service. The right of use does not give the right to modify, reproduce, copy or imitate the software or other parts of the Service.
7. Legal use
This means, among other things, that you must not use the Service:
- In any way that causes impairment of the performance or availability of the Service;
- In any way that is illegal, fraudulent or harmful to either party;
- To extract or obtain information or data about other users without their consent;
- To transmit or post illegal, immoral, defamatory, offensive, threatening, vulgar or obscene material;
- To copy, store, transmit, send, use, publish or redistribute any material that contains software viruses or other harmful computer code, files, scripts or programs; or
- To attempt to gain unauthorised access to the Service.
You also must not:
- Decompile or otherwise attempt to obtain or access the source code of software components of the Service;
- Behaving in a manner that is inappropriate towards others;
- Act in a manner likely to harm Manymore; or
8. Links to other websites
9. Account termination
You can terminate your user account at any time by sending an email to email@example.com. Upon termination, you will immediately cease all use of the software. If you decide to terminate the account, you are not entitled to receive a refund for any advance payment for the Service.
If we update this Agreement, you will be notified of such changes at least 30 days before the changes take effect. Such information will be provided to your registered email address. By continuing to use the Service after the changes have taken effect, you accept the changes.
We reserve the right to change the price of the Service. In the event of any price changes, we will notify you at your registered email address. Price changes for subscriptions come into effect at the beginning of the next subscription period.
By continuing to use the Service after the price change takes effect, you accept the new price.
11. Breach of contract
Failure to comply with a party's obligations under the Agreement constitutes a breach of the Agreement. The defaulting party must remedy the default within a reasonable time and at its own expense.
Both parties may terminate the Agreement if the other party materially breaches the Agreement and such breach is not rectified within 30 days after the breaching party was notified of such breach by the other party.
12. Limitation of liability
The user accepts that the Service may from time to time be completely or partially unavailable as a result of, among other things, maintenance. Manymore does not guarantee the availability of the Service, but will, to a reasonable extent, carry out maintenance and suitable technical measures to offer the Service.
Neither party is responsible for the other party's financial losses, including unforeseeable, indirect or consequential losses of any kind, including but not limited to loss of profit, loss of data, loss of turnover, loss of customers, or compensation claims from third parties.
The limitations of liability above do not apply if the default is due to gross negligence or intent on the part of the defaulting party.
Suppliers agree to indemnify and hold Manymore harmless from any and all claims, damages, losses, and expenses arising from their work for Manymore.
14. No guarantees
Although we try to the best of our ability to deliver the Service, the Service is delivered "as is" without explicit or indirect guarantees of any kind, unless otherwise provided by Norwegian law. You yourself are responsible for your use of the Service.
15. The entire agreement
These Terms, as well as the appendices, constitute the entire agreement between you and us, and replace any previous agreements.
This Agreement is subject to and must be interpreted in accordance with Norwegian law. The parties shall seek to resolve any disagreement or dispute regarding the Agreement amicably. The Oslo District Court is the venue for disputes that cannot be resolved amicably.
Org.no. NO 923 004 114 MVA
Appendix 1: Data Processing Agreement (DPA)
between the user of the Service ("Controller") and Manymore.com AS ("Processor").
The purpose of the Data Processing Agreement is to regulate rights and obligations in accordance with the current Privacy Legislation in connection with the Processor's processing of Personal Data on behalf of the Controller. The Data Processing Agreement must ensure that Personal Data is processed in accordance with Privacy Legislation and is not used in a way that is unlawful or that unauthorised parties gain access to the Personal Data.
In the event of a conflict between the Agreement and the Data Processing Agreement, the Data Processing Agreement takes precedence when it comes to matters specifically related to the processing of personal data.
"Privacy Legislation" refers to EU regulation 2016/679 ("GDPR"), and at any time applicable national legislation related to privacy, including legislation that implements or supplements the GDPR.
"Personal information" means any information about an identified or identifiable natural person (the "Registrants").
"Third country" means countries outside the EU/EEA.
"Sub-processor" means sub-contractors engaged by the Processor to process personal data under this Data Processing Agreement.
For privacy terms that are not defined in this Data Processing Agreement, the definitions in Article 4 of the GDPR apply.
3. RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
The Controller has the right and duty to determine the purpose of the processing of personal data and which means are to be used.
The Controller is responsible for ensuring that the processing of personal data takes place in accordance with the Privacy Legislation. The Controller is responsible for, among other things, ensuring that there is a processing basis for the processing of personal data that the Processor is instructed to do.
4. SCOPE OF PROCESSING
The Processor, its Sub-Processors and others who carry out tasks on behalf of the Processor and have access to the Personal Information shall process the Personal Information only on behalf of the Controller and in accordance with the Agreement, this Data Processing Agreement and the Controller's documented instructions. If other processing is necessary to fulfil obligations to which the Processor is subject in accordance with applicable law, the Processor must notify the Controller as far as this is permitted by law.
The Processor must immediately notify the Controller if the Processor believes an instruction is in breach of the Privacy Legislation.
The processor must keep records of processing activities on behalf of the Controller in line with GDPR Article 30.
2. Overview of the treatment
The nature and purpose of the processing is to obtain and store information and documentation that the Controller uploads to the Service, so that i) the Controller can upload and store the necessary information in the Service, ii) the Processor can obtain the necessary information on behalf of the Controller, and/ or iii) third parties who need said information and documentation can retrieve it where the Data Controller agrees to it.
The processing concerns the name, social security number, address and other information about the Controller that appears in the documentation the Controller uploads to the Service.
The Processor, its Sub-Processors and others who carry out assignments on behalf of the Processor and have access to the Personal Information are subject to a duty of confidentiality and must comply with the duty of confidentiality in connection with the processing of Personal Data in accordance with the applicable Privacy Act. The Processor is responsible for ensuring that Sub-Processors and others who act on behalf of the Processor are subject to such confidentiality obligations. The confidentiality obligation also applies after the termination of the Data Processing Agreement.
The Processor must take all measures necessary in accordance with GDPR article 32, including implementing suitable technical and organisational security measures with the aim of achieving a level of security that is suitable in relation to the risk of achieving a suitable level of security.
The Processor must assess the appropriate level of security and take into account the risks associated with the processing, including the risk of accidental or illegal destruction, loss, alteration or unauthorised disclosure or access to Personal Data that has been transferred, stored or otherwise processed.
All transfers of Personal Data between the Processor and the Controller or between the Processor and a third party must be made using adequate security measures, or as agreed between the parties.
Appendix 1 contains a general description of the technical and organisational measures to be implemented by the Processor.
The Processor must also assist the data controller in complying with the data controller's duties according to GDPR article 32, taking into account the nature of the processing and the information available to the Processor. The controller must bear all costs in connection with such assistance.
5. Access to personal data and fulfilment of data subjects' rights
Unless otherwise agreed or follows from applicable legislation, the Controller shall have the right to demand access to Personal Data processed by the Processor on behalf of the Controller. The Controller shall bear all costs in connection with such access, unless the access is available as part of the Service.
If the Processor or Sub-Processor receives a request from the Data Subject regarding the processing of Personal Data, the Processor must forward the request to the Controller, unless the Processor is entitled to handle the request under current legislation or in line with the Controller's instructions.
The Processor shall assist the Controller in fulfilling the Controller's duty to respond to requests submitted by the Data Subjects in order to exercise their rights set out in the Privacy Legislation. This includes, among other things, the data subject's right to access, correction, deletion, limitation, protest and data portability.
6. Other assistance to the controller
If the Processor or a Sub-Processor receives a request from the relevant supervisory authority for access to or information about registered Personal Data or processing activities covered by this Data Processing Agreement, the Processor must notify the Controller of the request, unless the Processor is entitled under current legislation or in line with the Controller's instructions to handle the request.
If the Controller is obliged to carry out an assessment of privacy consequences and/or carry out preliminary discussions with the relevant supervisory authority in connection with the processing of Personal Data under this Data Processing Agreement, the Processor shall assist the Controller.
7. Security breach notification
The Processor must notify the Controller without undue delay, and at the latest within 36 hours, after becoming aware of a security breach in the processing of Personal Data ("Security Breach"). The controller is responsible for reporting security breaches to the relevant supervisory authority.
The notification to the Controller shall, as a minimum, describe (i) the nature of the Security Breach, including, when possible, the categories of and approximate number of Registered and Personal Data affected, (ii) the likely consequences of the Security Breach, (iii) the measures taken by the Processor has taken or proposes to take to deal with the Security Breach, including, if relevant, measures to reduce any harmful effects as a result of the Security Breach.
If the Controller is obliged to notify the Data Subjects of a security breach, the Processor must assist the Controller with this, including providing, if available, the necessary contact information to the Data Controllers who are affected.
8. Use of sub-processors
The Processor has the Controller's general approval to use Sub-Processors. The Processor must at all times have an updated list with an overview of the names and contact information of all Sub-Processors and locations Sub-Processors process Personal Data on behalf of the Controller, which must be made available at the request of the Controller.
The Processor must ensure that the Processor's obligations set out in the Data Processing Agreement and the Privacy Legislation are imposed on Sub-Processors through a written agreement. The Processor must be fully responsible to the Controller for Sub-Processors to fulfil their obligations.
9. Transfer to third countries
The Processor is authorized to carry out transfers of Personal Data to third countries at its own discretion, provided that such transfers comply with the GDPR and any other applicable data protection laws and regulations. The Controller hereby gives its prior consent to such transfers, subject to the condition that the third country has a sufficient level of protection in line with the GDPR and that the necessary safeguards are in place to protect the Personal Data.
The Processor must assist the Controller with its risk assessment of the use of Sub-Processors and/or the transfer of Personal Data to a Third Country, as well as an assessment of whether the transfer is legal, including assessing whether the Third Country ensures an adequate level of protection, whether there is a need to implement further measures, which further measures that need to be implemented, as well as providing documentation that necessary additional measures can be implemented.
The Processor is obliged to provide the Controller with documentation of implemented technical and organisational measures to ensure a suitable level of security, as well as other information that is necessary to document that the Processor fulfils its obligations under this Data Processing Agreement and the Privacy Legislation.
The data controller and the relevant supervisory authority have the right to carry out audits, including inspections and evaluations of Personal Data processed, the systems used for this purpose, implemented technical and organisational security measures, including security instructions etc., as well as Sub-processors.
If the Controller appoints an external auditor to carry out the audit, the auditor must be bound by a duty of confidentiality.
The controller must cover costs related to audits initiated by the controller.
11. Duration and termination
The Data Processing Agreement applies as long as the Processor processes Personal Data on behalf of the Controller.
If the Processor breaches the Data Processing Agreement or does not fulfil its obligations under the Privacy Legislation, the Controller may (i) order the Processor to stop further processing of Personal Data with immediate effect, and/or (ii) terminate the Data Processing Agreement with immediate effect.
12. Consequences of termination
Upon termination of the Data Processing Agreement, the Processor must, as specified by the Controller, either delete or return all Personal Information to the Controller, including copies and back-up, unless otherwise stipulated in applicable legislation.
The Processor must document in writing to the Controller that deletion has taken place in accordance with the Data Processing Agreement and as indicated by the Controller.
13. Notices and changes
All notices relating to the Data Processing Agreement must be sent in writing to firstname.lastname@example.org.
In the event of changes to the Privacy Legislation, if a judgement or statement from a competent authority or other authoritative source results in a changed interpretation of the Privacy Legislation, or if changes are made to the delivery of the service under the Agreement that requires changes to the Data Processing Agreement, the parties shall cooperate to update the Data Processing Agreement accordingly.
Any updates or changes to this Data Processing Agreement must be made in writing, email being sufficient, and require the prior consent of the Controller. The Processor may propose changes or additions to the Agreement, but the Controller has the right to reject any proposed changes or additions that are not in compliance with applicable data protection laws and regulations or that would materially affect the processing of Personal Data.
If the Controller does not consent, the Processor may update their proposal and request another review, or terminate the entire Agreement including this DPA.
If the Controller consents to any updates or changes to this Agreement, the updated Agreement will be published on the Processor's website and will become effective immediately upon publication. The Controller is responsible for regularly reviewing the Data Processing Agreement on the Processor's website to ensure compliance with the updated terms.
Appendix 1 to the Data Processing Agreement: requirements for information security
Physical access control
The Processor must take proportionate measures to prevent unauthorised physical access to the Processor's property and premises where Personal Data is stored or processed. The measures shall include:
• Procedures and/or physical systems for access control, including security
• Automatic door locking or other measures for electronic access control
• ID, key or other requirements for access to the premises
Access control for systems
The Processor must take proportionate measures to prevent unauthorised access to systems where Personal Information is stored. The measures shall include:
• Procedures for password protection (including, for example, requirements for length and use of special characters, regular password changes, etc.)
• Access to systems requires approval from HR or IT administrators
• Guest users and anonymous users are denied access to systems
• Routines for manual locking of the PC when leaving the workstation
Access management for Personal Information
The Processor must take proportionate measures to prevent initially authorised users from accessing Personal Data that it is outside their authorisation to process, to prevent, among other things, unauthorised access, removal, modification or disclosure of Personal Data. The measures shall include:
• Only employees and others with an official need must have access to the Personal Information
• Differentiated access rights defined based on work tasks
• Automatic logging of user access in IT systems
Control over entry, change etc. of Personal Data
The Processor must take proportionate measures to check and confirm whether and by whom Personal Data has been entered into the system, modified or removed. The measures shall include:
• Differentiated access rights defined based on work tasks
• Automatic logging of user access in IT systems, and regular review of security logs to uncover and follow up on potential security incidents
• Ensure that it is possible to verify and confirm to which third parties Personal data may have, or has been, disclosed through the use of electronic communication equipment
• Ensure that it is possible to verify and confirm which Personal Information has been entered into the system, changed or deleted, as well as when and by whom
Control over the release of Personal Information
The Processor must take proportionate measures to prevent unauthorised access, modification or removal of Personal Data upon transfer. The measures shall include:
• Use of "state of the art" encryption on all electronic transmission of Personal Information
• Create an audit trail for all disclosure of Personal Information
The Processor must take proportionate measures to ensure that Personal Data is protected against accidental destruction or loss. The measures shall include:
• Regular back-up of Personal Information
• Remote storage
• Use of virus protection/firewall
• Monitoring of systems to detect viruses etc.
• Ensure that malfunctions/machine errors cannot cause stored Personal Information to be destroyed
• Ensure that installed systems can be restored in the event of disruptions
• Uninterrupted power supply
• Procedures to ensure business continuity (Business Continuity)
Control that Personal Information is kept separate
The Processor must take proportionate measures to ensure that Personal Information collected for different purposes is also processed separately. The measures shall include:
• Differentiated access rights defined based on work tasks
• Separate IT systems
Training and awareness
The Processor must take measures to ensure that all employees are trained in the requirements of the Privacy Legislation, as well as information security, through, among other things, having:
• Unequivocal and clear regulation in employment agreements on confidentiality, security and requirements for compliance with internal routines
• Internal routines and training in requirements for processing Personal Data to create awareness among employees