Terms

Updated: 01 December 2025

Parties

These terms govern the provision of Ensuredly trainings to the “Client”, which is the entity mentioned in, or inferred from, the purchase order or written communication.

Ensuredly is currently operated under:

Limited liability company Quarto Legal Oy
Helsinki
Registered in Finland under 33889408

(“Provider”) and together “Parties”

Applicability

These terms apply to any provided, offered, and signed proposal, purchase order, or statement of work regardless of the form, such as, but not limited to, written confirmations of customization and features to trainings.

These terms apply to all services delivered by the Provider to the Client, unless expressly overridden in writing and signed by both Parties.

Deviations from these terms shall only be possible in agreement and in writing.

In the event of conflict between these terms and any agreed deviation, the deviation prevails for the conflicting elements only. 

The Client’s purchase order, terms, or other conditions do not apply unless expressly accepted in writing by the Provider.

Service

The Ensuredly service includes a customized monthly training program for the Client’s employees.

The Provider offers sector-aligned training with reasonable efforts to tailor or adapt the content to the Client’s industry or sector based on available know-how and materials.

Customization is limited to adjustments achievable within the Provider’s standard content framework.

The Service does not include bespoke content creation, custom scripting or full redesign unless separately agreed in writing and subject to additional fees. 

The Provider does not warrant that customization meets all internal requirements, policies, or regulatory nuances specific to the Client’s organisation, unless agreed in advance in writing.

Term and Termination

These terms come into force from the moment the Client has accepted the purchase order and continue for an initial term of one (1) year. 

After the term, the Agreement is renewed for successive periods of one (1) year each, unless either Party provides a written notice of non-renewal at least 30 days before the end of the current term.

Ongoing or incomplete trainings do not extend or delay the term unless expressly agreed in writing by Parties. 

Either Party may terminate the Agreement with immediate effect if the other Party materially breaches the Agreement and fails to remedy the breach within 30 days after receiving written notice. 

The Provider may suspend the Service or terminate the Agreement with immediate effect if the Client fails to pay an undisputed invoice within 30 days after written notice. 

Either Party may terminate the Agreement if continued performance would violate applicable law, regulation, or binding governmental requirements. 

Upon termination or expiry of the Agreement, the Provider will disable access to the service and delete or return all personal data in accordance with the data processing agreement. 

All fees for services already performed become immediately payable and, unless otherwise required by law, fees already paid are non-refundable upon early termination by the Client.

Concerning Employees

The Client is responsible for providing accurate and up-to-date employee details as requested by the Provider.

The Client shall notify the Provider of any changes relevant to the Service. 

The Client shall instruct its employees as necessary or applicable related to the Service. 

The Client is responsible for ensuring the appropriate legal basis to share employee information with the Provider. 

The Provider shall process the employee details pursuant to the data processing agreement as laid out below. 

Use of Service

The content and access are for the Client’s internal workforce only.

The Client shall not, and shall not permit its employees, affiliates, or any third party to:

  • copy, reproduce, modify, or distribute the training materials or tools;
  • reverse engineer, decompile, disassemble, decode, or otherwise attempt to access, extract, or derive source code, underlying structure, or know-how of any training platform, tool, module, or system made available by the Provider;
  • circumvent or attempt to circumvent any technical protection, access control, or security mechanism;
  • use the service to create derivative works or competing services.

Any use of the services outside the scope of these terms requires the Provider’s written consent. 

Fees and Payment

The fees are specified in the purchase order and are exclusive of applicable VAT, which will be added and charged in accordance with the Finnish VAT legislation.

Payments shall be made for the full service after commencement of the first training, or as otherwise agreed in writing. 

Additional employees are invoiced after their first training has been sent and charged for the remaining months until the end of the Agreement. 

Employees that are removed from the service are not refunded. 

Payments are due within 21 days of invoice date, unless otherwise agreed in writing. 

Payments are made in euros (€).

Payments due are subject to late payment interest of 8% per applicable law. 

The Provider may suspend the Service for unpaid invoices after giving reasonable notice, without prejudice to the Provider’s right to collect outstanding amounts.

Confidential use

Each Party shall keep all non-public information received from the other Party confidential and use it solely for the performance of the Agreement, except where disclosure is legally required. 

Access to any of the confidential information is restricted to personnel, including subcontractors, who have a need-to-know purpose and are bound by these same confidentiality obligations.

Confidentiality obligations do not apply to information that, as demonstrated by the receiving party:

  • has become publicly available without breach of these terms;
  • was already lawfully known by the receiving party without confidentiality obligations;
  • is independently developed by the receiving party without use of the confidential information; or
  • must be disclosed by law, regulatory authority or court order (provided the receiving party gives notice to the disclosing party where legally permitted).

Data Protection

For the purposes of providing the service, the Provider processes employee information on behalf of the Client pursuant to the General Data Protection Regulation (EU) 679/2016 (“GDPR”) as a “Data Processor”, as defined in Art. 4, GDPR. 

The processing of such data shall be governed by the data processing agreement, as stipulated below. 

Where the Provider is a Data Controller, the Provider’s privacy policy shall apply. 

Any requested change or additional technical and organizational security measures must be agreed in writing and may be subject to additional fees. 

Intellectual property

All training materials, including but not limited to copyright, design rights, tools and customizations, provided or made available by the Provider remain the exclusive property of the Provider. 

Any background provided by the Client, such as, but not limited to, its policies or internal information, remains the intellectual property of the Client.

The Client receives a non-exclusive and non-transferable license to use the Provider IP for the sole purpose of the terms of this Agreement. 

Any customizations, improvements, modifications, or suggestions provided by the Client that are implemented by the Provider automatically form part of the Provider’s intellectual property. For reasons of clarity, the Client’s background shall never form part of, or become, the Provider’s property.

Nothing in these terms transfers ownership of any intellectual property rights between the Parties. 

Warranties

The Provider will deliver the service with reasonable skill and care. 

The Service and content materials will be provided on an “as is” basis, without any implied warranties, including non-infringement, quality, suitability, or fitness for any particular purpose. 

In the event of any issues with the service, such as non-compatibility, the Parties shall first seek an amicable solution.

Liability

The Provider is not liable for any indirect or consequential damages, including loss of profit or business interruption. 

The Provider’s total aggregate liability arising out of the Agreement is limited to the total fees paid by the Client in the past 12 months preceding the incident. 

This clause does not apply to damages arising out of gross neglect or willful intent. 

Force Majeure

Neither Party is liable for delay or failure to perform due to events outside reasonable control, including but not limited to natural disasters, war, acts of government, network outages, labour disputes, pandemics, or other events of similar nature (“Force Majeure”).

If a Force Majeure continues for more than 90 days, either Party may terminate the affected portion of the service with written notice.

Governing Law

These terms are governed by the laws of Finland.

In the event of a dispute, Parties may file a claim at the appropriate courts in Finland or the Netherlands.

Severability

If any provision of this Agreement is, or becomes, unenforceable, the remainder of this Agreement will remain in full force and effect.

Assignment

In the event of an official merger, acquisition, corporate restructuring, or transfer of business, the Provider may assign or transfer the Agreement and its rights and obligations, in whole or in part, provided that the successor meets the agreed and applicable data protection and confidentiality obligations and with prior written notification to the Client. 

After notification the Client has 30 days to object to such assignment.

A mere change of legal form, name, or internal reorganisation of either Party does not terminate this Agreement, and the Agreement shall continue in full force.

DATA PROCESSING AGREEMENT

Parties

This Data Processing Agreement (“DPA”) forms an integral part of the Agreement between the Client (“Data Controller”) and the Provider (“Data Processor”), together “Parties”.

Definitions

GDPR: means the General Data Protection Regulation (EU) 679/2016. 

The definitions in this Agreement shall follow the meanings as stipulated in the GDPR. 

Purpose

The Data Processor shall process the personal data of the Data Controller for the purpose of delivering a monthly (or as agreed) training via online email invitation, and providing the employee access to associated training content. 

Processor

The Data Processor shall: 

  • Ensure confidentiality of the personal data and ensure that agreed instructions of the Data Controller are followed (following Art. 28 in conjunction with Art. 29 GDPR).
  • Only process data for the purpose of this Agreement and under the agreed instructions of the Data Controller (following Art. 28 in conjunction with Art. 29 GDPR).
  • Implement appropriate technical and organisational security measures (following Article 32 GDPR).
  • Assist the Controller with data subject right requests, security of the data, breach notifications, and DPIAs where applicable (following Art. 28, 32, 35(2), 36(2), 37-39 GDPR).
  • Notify the Controller without undue delay of any personal data breach causing a high risk to the rights and freedoms of individuals (following Art. 33 GDPR).
  • Maintain necessary records to demonstrate compliance as applicable (following Art. 29 GDPR).
  • Cooperate with any Supervisory Authority request (pursuant to Art. 33 in conjunction with Art. 34 GDPR).

Controller

The Data Controller shall: 

  • Ensure it has a legal basis to collect and share employee data with the Processor. 
  • Provide data that is accurate, relevant and limited to what is necessary. 
  • Issue instructions to the Processor in a timely manner. 

Sub-processors

The Data Processor is authorized to make use of the following sub-processors: 

  • Hostinger, Germany, for storing employee name and email, providing access to the training content, and marking the completion of the courses.
  • Brevo, France, for sending invitations to the employee.

The Processor must ensure the sub-processors are bound by data protection obligations equivalent to those imposed on the Processor.

If the Processor needs to change a sub-processor, the Controller shall be informed and may object to the change on reasonable grounds within 30 days after notification.

Transfers

The Data Processor shall not transfer any personal data outside the European Economic Area without the Controller’s written consent and a valid transfer mechanism in place in accordance with Chapter V of the GDPR.

In the event personal data is transferred outside the EEA, for example where a Client from outside the EU makes use of our services, the Standard Contractual Clauses (EU SCCs) shall be in force. Those clauses cannot be changed and are found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

In the event of a UK transfer, the EU SCCs apply and applicable clauses and definitions should be read as if it is a UK transfer.

Retention

The Data Processor shall, upon termination or expiry of the Agreement, delete all personal data, or, if requested at least 10 days before the end of termination, return the personal data to the Controller and delete remaining copies, unless applicable EU law requires continued storage.

Audits

The Data Controller may, on reasonable notice, conduct or request an audit limited to verifying the Data Processor’s compliance with this DPA. Audits shall be proportionate and not disrupt the Processor’s operations. Any applicable fees shall be borne by the Data Controller. Any business information, know-how or other related or unrelated information that has come to the knowledge of the Controller, or of a third party designated as auditor, must be kept confidential.

Liability

Liability and damages follow the provisions of the Main Agreement, unless overridden by GDPR provisions.

Governing Law

This DPA is governed by the same governing law as the Main Agreement. 

Concerning dispute settlement, Parties may file a claim at the appropriate regulators or courts in Helsinki, Finland.