1.1 These General Terms and Conditions apply to all (requests for) offers, quotations, work and provision of Services by or Agreements with ORvox B.V. (hereafter referred to as “Supplier”) in connection with or related to digital elections.
1.2 Deviations from these Terms and Conditions are only legally binding if agreed in writing.
1.3 These Terms and Conditions may be unilaterally amended by the Supplier. Changes will be made known during the sign‑up process and/or by e‑mail. If the Client or User does not wish to accept the changes, the Agreement will terminate.
1.4 Client’s or User’s own general terms and conditions do not apply; their applicability is expressly rejected.
2.1 Third Parties: any parties other than Supplier, Client, and their Employees.
2.2 Supplier: ORvox B.V., located in Amsterdam, registered under Chamber of Commerce number 977282332.
2.3 Employees: persons working for or on behalf of the Client or Supplier, either as shareholders, employees, or temporary hires.
2.4 Client: any (legal) person entering into an Agreement with Supplier.
2.5 Agreement: the agreement between Client and Supplier for the provision of Service(s) and annexes thereto.
2.6 Supplier(s): any third party providing products and/or services to Supplier for execution of the Service.
2.7 Terms: these general terms and conditions.
2.8 Account: the environment set up by Supplier specifically for the Client using the Service.
2.9 Account Data: all data stored in the Account on behalf of the Client.
2.10 Security Information: information regarding the design, existence, and functioning of security measures, including but not limited to systems registration, risks, measures, incidents, processing, suppliers, assets, etc.
2.11 Security Measure(s): measures to secure the Service, considering risk mitigation, state of the art, and cost; can be organizational and/or technical. The applied measures are outlined in the Processing Annex.
2.12 Content: information in the form of screens, texts, ballots, photos, and/or explanations for elections, votes, and/or consultations.
2.13 Service(s): the internet‑accessible software made available to the Client under the Agreement, and related support.
2.14 User(s): person(s) authorized by the Client to gain access to the Service(s) and using it after completing the online registration.
2.15 Incident: any event causing the Service to be (partially) unavailable for Client or resulting in loss or damage of data as managed by the Client.
2.16 Software: the software of the Service(s), including source code, databases, hardware, or other materials (e.g. designs, documentation, analyses, reports) owned by Supplier or licensors.
2.17 General Data Protection Regulation (GDPR), including implementing legislation.
2.18 Data Subject(s) (Betrokkene[n]): identified or identifiable natural persons whose Personal Data is processed.
2.19 Special Categories of Personal Data: data revealing race, political opinions, religious beliefs, union membership, genetic or biometric data, health, sexual orientation, criminal convictions, etc.
2.20 Data Breach (Datalek): a breach of security leading — or likely to lead — to destruction, loss, alteration, unauthorized disclosure or access to transferred, stored, or otherwise processed Personal Data.
2.21 Personal Data: any information about Data Subjects processed under the Agreement that directly or indirectly identifies them (e.g. name, ID number, location data, online identifiers, or personal characteristics).
2.22 Sensitive Personal Data: Personal Data whose loss or unlawful processing may result in harm—includes special categories, financial data, exclusion risks, login credentials, data usable for identity fraud.
2.23 Sub‑processor(s): another processor engaged by the Processor to perform processing activities on behalf of the Controller (in this context, Suppliers’ subcontractors with access to Personal Data).
2.26 Processing: any operation or set of operations with Personal Data (e.g. collection, recording, structuring, storing, updating, retrieving, using, distributing, aligning, deleting).
2.27 Processor: a natural or legal person, public authority or other body processing Personal Data on behalf of the Controller (here: Supplier). Controller: the entity determining purposes and means of processing (here: Client).
3.1 The Agreement is concluded once a signed, unchanged Agreement has been received and accepted by the Supplier.
3.2 The date of the Supplier’s order confirmation is the start date of the Agreement. The Client receives confirmation by e‑mail.
4.1 The Service is provided for the term agreed upon in the Agreement.
4.2 Either party may terminate the Agreement monthly in writing, with one month’s notice by the Client and three months by the Supplier.
4.3 If the Client fails to fulfil obligations or cannot provide adequate security when requested, the Supplier may suspend performance or terminate the Agreement wholly or partly, without prejudice to claims for damages.
4.4 Immediate termination without damages applies if: (a) essential breach remains unremedied within 30 days after written notice; (b) repeated breaches; (c) insolvency or similar; (d) cessation of business—excluding mere merger or acquisition.
4.5 Articles on confidentiality (Article 5) remain in effect post-termination.
5.1 Supplier must maintain strict confidentiality regarding all information received from the Client in the context of the Agreement. Both parties will keep each other’s confidential organizational information and relevant Personal Data secret.
5.2 Supplier ensures only its Employees who need access to Security Information, Content, or Personal Data get such access, and that they are properly instructed.
5.3 The confidentiality obligations continue after termination.
6.1 Supplier acts as Processor and Client as Controller under the GDPR.
6.2 Processor processes Personal Data only as described in the Processing Annex and only as necessary for the Agreement.
6.3 Controller ensures the processing is lawful and does not infringe the rights of Data Subjects.
6.4 Controller retains control over purpose, retention, and sharing of Data.
6.5 Controller must comply with applicable laws regarding privacy, defining purpose and legal basis.
6.6 Processor complies with applicable regulation and obligations in Agreement and Terms.
6.7 Processing occurs within the European Economic Area unless otherwise agreed in writing.
6.8 Processor may engage Sub‑processors; obligations are passed through contract, and additional Sub‑processor consent is sought from Controller.
6.9 Processor assists Controller in handling Data Subject requests; forwards any requests received directly to Controller and may charge costs.
6.10 Requests from authorities: Processor only complies if the request is binding, verifies legal basis, informs Controller and cooperates.
6.11 Processor notifies Controller of Data Breaches within 24 hours of awareness, including necessary information for Controller’s GDPR notifications.
6.12 Controller is responsible for official reporting to authorities and/or data subjects.
6.13 Parties will collaborate with the Dutch Data Protection Authority if requested.
6.14 Controller maintains its own breach register; Processor must keep its own breach register for breaches it detects.
6.15 Processor applies confidentiality and security measures per Articles 5 and 7.
6.16 Changes in Data, reliability requirements, or legal obligations may require amendments or termination if adequate protection cannot be ensured.
6.17 Upon termination (under Article 3), Processor will transfer or destroy Personal Data as requested by Controller, retaining only what is legally required.
6.18 Transfer or destruction costs borne by Processor unless Controller requests non-standard procedures.
7.1 Supplier is responsible for applying Security Measures as detailed in the Processing Annex.
7.2 Client confirms it is informed about these Security Measures and considers them appropriate relative to data nature, scope, context, purposes, and risks.
7.3 Supplier will inform Client of any substantial changes to Security Measures.
7.4 The Client may request an inspection of security implementation; Supplier will cooperate. Inspection costs are borne by Client—including for Sub‑processors. Client must provide Supplier with the inspection report.
8.1 The Client owes a fee based on the Services agreed in the Agreement.
8.2 All amounts are exclusive of VAT and other government-imposed charges, unless stated otherwise.
8.3 Fees are invoiced from the date the Agreement is concluded. Invoices are in Euros.
8.4 In case of default, the Supplier may temporarily block Services; fees continue to accrue during blockage.
8.5 Supplier bears costs of restoring Services unless (a) Client’s misuse caused the outage; (b) Client breached Agreement; or (c) outage attributable to Client.
9.1 Payment obligation starts on the day the Agreement comes into force.
9.2 Payment must be made within the term specified in the Agreement, by the method and in the stated currency. Payment is considered made once funds are received by Supplier.
9.3 Fees excluding VAT and other statutory charges are due.
9.4 If Client does not pay on time, Supplier will notify and grant another deadline. Payment default occurs without further notice if payment is still not received within that period.
9.5 From default, Supplier may block Service access and charge statutory collection costs (Burgerlijk Wetboek art. 6:96 BW) and statutory interest and legal fees (art. 6:44 BW).
10.1 It is not allowed to resell, distribute, copy, or make available the Software, modules, or other products/services beyond the contracted delivery by Supplier.
10.2 Violation entitles Supplier to an immediate penalty of € 10,000 and an additional € 1,000 per day (up to € 100,000).
11.1 Supplier provides an Account and initial login credentials to the Client.
11.2 Client is responsible for maintaining confidentiality of login credentials.
11.3 Client is liable for unauthorized use of credentials by third parties and for all consequences.
11.4 If unauthorized access occurs through no fault of Client, they must inform Supplier immediately.
11.5 Supplier is not liable for harm arising from unauthorized access to the Client’s Account as described above.
11.6 Client indemnifies Supplier against claims by third parties resulting from Client’s attributable failure in securing access.
11.7 Client must promptly notify Supplier of any changes to its name, email address(es), or other information.
12.1 Supplier’s liability for indirect damage (e.g. consequential loss, lost profit, business interruption) is excluded.
12.2 Any liability is capped at the fee charged under the Agreement—meaning no liability for free demos.
12.3 Client indemnifies Supplier for third‑party claims arising from Client’s use of the Services.
12.4 Direct damage is limited to reasonable costs of (a) determining cause/extent of damage; (b) bringing performance in line with Agreement; (c) limiting direct damage, if demonstrated by Client.
12.5 Supplier is never liable for indirect loss, lost savings, business interruption, personal injury/death.
12.6 Supplier is not liable for any damage resulting from Supplier’s relationship with its Sub‑suppliers.
12.7 Supplier is not liable for damage caused by Content.
12.8 Supplier indemnifies Client against fines or sanctions by data protection authorities attributable to Supplier’s failure to comply.
12.9 Client indemnifies Supplier similarly for breaches attributable to Client.
12.10 Liability limitations apply to all obligations in these Terms, except articles 12.8 and 12.9; combined claims may not exceed the agreed cap.
13.1 Force majeure includes legal or jurisprudential events and technical disruptions outside Supplier’s control.
13.2 Supplier is relieved from obligations if performance is rendered impossible by force majeure.
13.3 Client agrees not to hold Supplier liable for downtime, unavailability, data loss, or revenue loss from technical disruptions, unless due to gross negligence or attributable fault by Supplier.
14.1 Supplier grants Client access to facilities and agreed Services in return for payment.
14.2 Supplier will endeavour to resolve any disruptions as quickly as possible.
14.3 Supplier will strive to keep Services available 24/7, except for required maintenance.
14.4 Supplier will maintain integrations with other networks/systems as reasonably required.
14.5 Supplier will promptly remedy reported Service disruptions.
14.6 Supplier will inform Client of any disruptions directly affecting the Service.
14.7 Supplier will announce maintenance in advance and provide expected impact/timing.
14.8 Client must refrain from acting contrary to these Terms or Dutch law and behave as a responsible user.
14.9 Client must report Service disruptions without delay.
14.10 Neither party may transfer rights or obligations under the Agreement without written consent, except as described in 14.11.
14.11 If Supplier’s Services transfer to another entity, contractual rights/obligations transfer too. Client has no right to terminate unless demonstrable harm would result; termination right is at Supplier’s discretion.
15.1 Support is provided by email and phone to Client.
15.2 No rights may be derived from support information provided.
15.3 If urgent maintenance is required (e.g. after failures), Supplier may perform it without prior notice and is not liable for resulting damage. Examples include power outages or technical/software issues at Supplier’s hosting provider.
16.1 Deviations from these Terms are valid only if mutually agreed in writing or via e‑mail.
16.2 Supplier reserves the right to amend or supplement these Terms.
16.3 Amendments also apply to existing Agreements after a 30‑day period following written notification.
16.4 If Client does not accept changes, they may terminate the Agreement effective at the start of the new Terms or upon receipt of termination notice if later.
16.5 If any clause is declared invalid by court, the remainder remains in force; parties will negotiate a valid replacement reflecting the original intent.
16.6 Dutch law governs these Terms and the Agreement.
16.7 Disputes, including about interpretation or execution, will be submitted exclusively to the competent court in Amsterdam.
16.8 Invalidity of one or more provisions does not affect validity of the remainder; parties shall agree new provisions consistent with the original intent.