1         Agreement on the establishment and use of Integrations

(Revision 2.0 of the agreement for Business Online API v1.0)

1.1        The Parties

The parties in the collaboration agreement are Business Online AS and the Contracting Party from the API Commercial Specification Sheet

1.2        Provider

Business Online AS

Moseidveien 35

4033 Stavanger

Norway

Organization Number: 992 853 905

 

The Contracting Party is as described in the API Commercial Specification Sheet.

2        Development guidelines

2.1        Agreement on access to API

The Contracting Party may use the API for test and production environments by using the access keys that the Contracting Party has been granted access to by Business Online. Methods and capabilities in the API can be freely used and combined as long as other conditions in this agreement are satisfied.

3        Access key

Upon entering into the agreement, Business Online shall create and configure an instance of the API dedicated to the Contracting Party’s Microsoft 365 platform, along with the associated access key, so that the Contracting Party can develop and test the Integration against production environments.

 

Business Online shall create and maintain access keys so that the Integration can operate uninterrupted. If Business Online issues a new access key to the Contracting Party, the Contracting Party shall, as soon as possible, start using the new access key. Developers may also, issue a new access key for its their own API subscription link to the personal account in the developer portal.

 

The Contracting Party shall store the access key in such a manner that it is not accessible to unauthorized persons. The Contracting Party shall always use its own access keys for all use of the API. The Contracting Party is not permitted to pass on/resell its own access key.

4        Access key for third party

If the Contracting Party is to provide integration to a third party, the third party will be assigned its own access and user key for testing and development. If the main key of the API is to be shared with the third party, this must be done securely. The Contracting Party must protect third party access.

5        Data volume and number of calls

When using the API, the Contracting Party must be considerate of other users of the System. The Contracting Party shall limit the number of calls and data transfer so as not to place an unreasonable burden on the System.

 

Transferred data volume, call frequency, and the load on the System will be parameters that are to be described in the API Commercial Specification Sheet. In all use of the API, the Contracting Party must adhere to the description of scope, etc., as outlined in this API Commercial Specification Sheet. The Contracting Party must also at all times adhere to the current API documentation, which is continuously updated here: https://api.business-online.no/

Integrations that provide an end user with direct access to data in the System must be built in such a way that robustness and data integrity are maintained for both the System and the Application, and that all common error situations in the Integration are exposed in an understandable manner to the end user (e.g., exceeded call frequency, connection errors, etc.) so that the end user can assess the error situation and decide what action to take.

 

For all integrations, the Contracting Party must ensure that error messages and calls in the Integration are captured and logged - and that the information in the error messages is used both in the Application's user dialogue, for troubleshooting by the integration partner (third party), and when reporting to Business Online support.

 

Deviations from the provisions regarding data volume and number of calls must be specifically agreed upon with Business Online.

 

In all cases of doubt concerning the use of the API, the Contracting Party must always consult Business Online AS.

6        Responsibility for the integration           

The Contracting Party is responsible for obtaining the authority to process the end users' data through a data processing agreement, see chapter Relation to third parties. At the same time, the Contracting Party shall obtain consent from external relations and the end user to transfer any personal data to the System, as well as ensure compliance with all other requirements set forth in privacy legislation and marketing laws to be able to process and share external relations and end users' data with Business Online and subcontractors.

 

The Contracting Party is responsible for all integration with the System: in connection with development, testing, subsequent operation, and management over time. The Contracting Party must at all times have the necessary expertise to take on this responsibility. Expertise for development, testing, and management of the Integration can be obtained from a third party, but in such cases, the Contracting Party always has the overall responsibility for the third party.

 

The Contracting Party is responsible for ensuring that data entered into the System via the Integration is correct, as well as ensuring that data is not unintentionally deleted or altered, or that unauthorized parties gain access to the data.

7        Approval

Business Online shall approve all use of the API conducted by the Contracting Party. Business Online may require insight into the code used against the API.

 

8        Named responsible parties

As described in the API Commercial Specification Sheet, the Contracting Party shall appoint responsible individuals for:

a)      The business aspects of the agreement (legally responsible).

b)     The technical solution of the Integration (technically responsible).

The Contracting Party is responsible for notifying Business Online of any changes in roles, use of third parties, and the contact information in this section.

9        Business Online data

9.1        Use and display of business online data

All data retrieved from the System must be displayed in a manner that ensures appropriate data security, including protection against unauthorized access through user access management and the use of encryption.

9.2        Authentication

The API must always be called with the correct access keys.

9.3        Protection of user data

In cases where sensitive personal data is transferred, the Contracting Party must exercise particular caution and, if necessary, document that it is fulfilling this duty. For the processing of data on behalf of third parties, see the chapter Relation to third parties.

9.4        Data integrity

Data must not be cached, stored, or updated in a manner that compromises the System's ability to maintain data integrity. Business logic and data processing related to the integrity of the data must not be duplicated by applications that access the System via the API.

 

Refer to the current API documentation for additional information.

 

9.5        AI Plugin

9.5.1        Usage

The AI Plugin feature enhances the functionality of the Service by utilizing artificial intelligence to improve user experience. By using the AI Plugin, you consent to the processing of your data by AI algorithms.

9.5.2        Data Processing

The Contracting Party agrees that data processed by the AI Plugin may include automated decision-making. The Contracting Party is responsible for informing their users about the use of AI and obtaining any necessary consents.

9.5.3        Data Integrity

Data processed by the AI Plugin must not be cached, stored, or updated in a manner that compromises the System's ability to maintain data integrity. The Contracting Party is responsible for ensuring the accuracy and appropriateness of the AI Plugin's use in their applications.

9.5.4        Disclaimer

The AI Plugin is provided "as is" without warranties of any kind. Business Online AS does not guarantee the accuracy or reliability of the AI Plugin outputs. The Contracting Party uses the AI Plugin at their own risk and is responsible for any decisions made based on the AI Plugin's outputs.

 

10    Processing of personal data

As part of the services provided under this agreement, Business Online and the Contracting Party may process personal data on behalf of each other. Both parties shall comply with the relevant provisions on privacy and information security in the Personal Data Act.

 

In cases where Business Online or the Contracting Party processes personal data in connection with this agreement, the parties shall:

 

a)      Process the personal data to fulfil the purpose of this agreement, and beyond this only according to written instructions from the Contracting Party or Business Online, provided that these instructions; i) fall within the frameworks outlined in this agreement and the API Commercial Specification Sheet, and ii) are necessary to comply with applicable data protection legislation;

b)     Implement necessary technical and organizational measures to protect the personal data against accidental or unlawful destruction or accidental loss, and against unauthorized alteration, dissemination or access, especially when the processing involves the transmission of data over a network, as well as against any other unlawful processing;

c)      Process the personal data fairly and in accordance with applicable law;

d)     Unless the parties provide written instructions to the contrary, take all reasonable measures to delete the data after a reasonable period in relation to the purposes for which they were collected or subsequently processed, unless there is an opportunity to retain the data indefinitely;

e)     Not grant access to or disclose the data to anyone, unless it is necessary or permitted according to this agreement or another agreement between the parties (if the Contracting Party discloses its login details to the System to a third party, this is considered as consent to give the third party access to the Contracting Party's data);

f)       Cooperate and assist in fulfilling the rights of the data subjects, including, for example, access to their own data and/or ensuring that the data are deleted or corrected if they are incorrect (or, in case of disagreement between the Contracting Party and the data subject, to mark the fact that the data subject believes that the data are incorrect). Business Online will invoice the Contracting Party according to current rates for this type of assistance, as well as for other assistance that Business Online provides to enable the Contracting Party to comply with its data protection responsibilities towards its customers, data subjects, end users, supervisory authorities, etc.

g)      Not process the personal data beyond what is reasonable and necessary to perform their duties under the agreement.

When Business Online and the Contracting Party process personal data on behalf of each other, the parties shall take measures in connection with the processing of personal data that are:

 

h)     Reasonable and necessary to fulfil the agreement;

i)       In compliance with the fulfilment of the Agreement and relevant legislation and regulations.

11    Business Online policy

The Contracting Party and the Contracting Party’s Application must behave in a way that ensures the System’s operation, data integrity, and use are maintained appropriately - and in a manner that complies with laws, regulations, and good business practices for both end users and other parties involved in the data transactions in the System.

12    Changes and termination

a)      Business Online reserves the right to modify the API and associated documentation. Business Online will notify the Contracting Party of any major changes within a reasonable time frame. The Contracting Party is responsible for ensuring that the Application and Integration are using the correct version of the API and are always in compliance with the applicable documentation. Business Online is not liable for errors or damages resulting from changes or errors in the API or documentation. Business Online will always strive to further develop the API in a comprehensive and backward-compatible manner.

b)     This agreement on the use of the API may be unilaterally terminated by Business Online with 3 months' written notice.

13    Monitoring and suspension

a)      Business Online will continuously monitor the Contracting Party's use of the API against the System. The monitoring may also include access to data but will primarily be of a statistical nature.

b)     Violation of the terms of the agreement, misuse, deviation from the information provided in the API Commercial Specification Sheet, or use of the API in contradiction to the documentation or requirements from Business Online may result in immediate closure of access to the API and a possible termination of the agreement if the Contracting Party does not rectify the situation within a reasonable time.

c)      If necessary for the operational reliability and stability of the System, access to the API may be closed without prior notice. In such cases, Business Online shall notify the Contracting Party of the closure of access.

d)     As a result of the Contracting Party gaining access to the API, there will always be a theoretical risk of misuse, such as the Contracting Party using the integration to exploit the cooperation to achieve entirely different purposes or benefits than agreed upon, acting disloyally, appropriating trade secrets, or other confidential information. In the event of such breaches of the agreement, Business Online AS may immediately terminate the agreement, and the Contracting Party shall compensate any loss incurred by Business Online in this regard.

14    Ownership and license

a)      Ownership of the System and the API belongs to Business Online AS.

b)     The right to use the API is granted to the Contracting Party for the duration of the agreement period, typically 12 months with automatic renewal, unless Business Online terminates the agreement in accordance with chapter Changes and termination b). The Contracting Party must notify Business Online at the latest 3 months before the end of the agreement period if they do not wish to extend the agreement.

15    Relation to third parties

In cases where the Contracting Party's Application is developed for the use of a third party, the Contracting Party shall:

 

a)      Obtain authorization to process third party data and enter into a data processing agreement. The data processing agreement must clearly describe the relevance to the Personal Data Act and decisions in the General Data Protection Regulation that may be applicable to the Integration.

b)     Ensure that use cases covered by the Marketing Act obtain consent in accordance with the law.

c)      Handle all communication to and from the third party regarding the Integration.

d)     Ensure that the third party gets started with the Application and provides the necessary training and guidance in the setup of the System.

e)     Build up error messages and documentation through the Integration that is understandable for the third party and end users of the third party.

f)       Take care of all support and act as first-line support for the third party for questions concerning the Integration.

g)      Maintain data integrity for the third party as described in the chapter Business Online data. Under no circumstances shall access to the API, user keys, or other information about this agreement be forwarded or sold to a third party.

The Contracting Party is not entitled to charge the third party for access to the API.

 

The Contracting Party shall only use its own access keys, regulated by this agreement, and the Contracting Party may not take over or use access keys from a third party or others.

16    Fees and payment

Should there be a need for assistance from Business Online beyond administration and establishment of access to the standard API, the Contracting Party will be charged according to current rates. This includes assistance in connection with mapping and testing of the Integration. This also includes needs-based customization for the Contracting Party's operating environment in connection with mapping, development, testing, and approval of modified integration. Business Online determines whether there is a need for more time for mapping, testing, and approval. The Contracting Party is not obligated to receive payable services as stated above unless the Contracting Party has specifically accepted in writing to receive such assistance.

16.1     Fees

Fees for accessing the standard API will be specified on the API Commercial Specification Sheet. Custom API methods and modifications of existing methods will be quotes separately.

16.2     Payment Terms

Payment is net per 14 days, unless otherwise specified and agreed.

16.3     Late payment interest

a)      Payment default is status if the payment has not been received within the agreed invoice due date.

b)     In case of disagreement on the invoice amount, the portion of the amount that is agreed should be paid. The discussion about the pending work / amount (disagreement) should start without delay.

c)      Late payments will be charged interest on the amount outstanding as per the legally permitted rate (Late payment interest act) in Norway from the date payment is in default.

d)     In case of payment not received after 2nd notification / reminder, access to the system will be restricted and subsequently closed.

16.4     Late payment interest

If the Customer fails to make payment by the agreed time, the Supplier shall be entitled to claim interest on any overdue amount, pursuant to the Act No. 100 of 17 December 1976 relating to Interest on Overdue Payments, etc. (Late Payment Interest Act).

16.5     Price adjustments

Prices will be changed annually based on public consumer price index, Statistics Norway (SSB).

17    Custom API methods and modifications

a)      Bespoke API Methods: Recognizing that Contracting Party may have unique requirements and needs, Business Online offers the possibility of developing bespoke or needs-based API methods tailored to better suit Contracting Party’s specific operations. The development, testing, and integration of such bespoke API methods are subject to additional fees, as outlined in the Fees and payment section of this agreement.

b)     Request and Approval: To initiate the development of bespoke API methods, Contracting Party must submit a formal request detailing the specific requirements and justifications for the modifications. Business Online will review the request and, at its sole discretion, decide whether to proceed with the planning, and development of the requested API methods. Approval of the request does not guarantee the feasibility of the bespoke API methods, and Business Online reserves the right to decline the request if it is deemed to be impractical, incompatible with the existing system, or in violation of any laws or regulations.

c)      Responsibility and Compliance: Contracting Party is responsible for ensuring that any bespoke API methods developed and provided by Business Online are used in compliance with all applicable laws, regulations, and best business practices. Contracting Party agrees to indemnify and hold Business Online harmless from any claims, damages, or losses arising from the use of bespoke API methods.

d)     Maintenance and Support: Business Online will provide support and maintenance for the bespoke API methods as agreed upon in the development and integration process. However, Business Online does not guarantee uninterrupted access or error-free operation of the bespoke API methods and is not liable for any direct or indirect damages resulting from the use of these methods.

18    Access, security, and stability

Business Online aims to ensure that the API is always available, including the AI Plugin. However, Business Online cannot provide specific guarantees related to access, security, stability, or uptime beyond what is included in the ordinary use of the System this also includes any decisions made based on AI Plugin outputs. It is assumed that the Contracting Party or the end-users of the Contracting Party are ordinary users of the System.

 

In case of errors or when assistance is needed, the Contracting Party should adhere to the standard support structure provided by Business Online.

19    Limitation of liability

Business Online is not liable for indirect losses or other consequential damages that the Contracting Party or the users of the Contracting Party may incur as a result of errors, defects, etc., in accessing the API. Indirect losses include, but are not limited to, lost profits, lost revenue, losses resulting from lost data, and claims from third parties. The total cumulative liability of Business Online per 12 calendar months is limited to 10% of the fee Business Online has received for the API service from the Contracting Party in the same period.

20    Applicable law and jurisdiction

The agreement is governed by Norwegian law. Stavanger District Court is agreed upon as the legal venue.

21    Signature

This agreement is accepted by the Contracting Party upon submission of the API Commercial Specification Sheet. Both the API Commercial Specification Sheet and this agreement are parts of the contract between the Contracting Party and Business Online.