Terms and Conditions

Last Updated: 02-Dec-2025

WELCOME TO SUSTALIUM!

These Terms and Conditions (the "Terms") govern your access to and use of the sustainability intelligence platform and services (collectively, the "Services") provided by Sustalium B.V. i.o. ("Company," "we," "us").

By creating an account, clicking "I Agree," or using the Services, you are entering into a legally binding agreement (the "Agreement") with the Company on behalf of yourself or the entity you represent ("Customer," "you").

PLEASE READ THESE TERMS CAREFULLY. IF YOU DO NOT AGREE TO THESE TERMS, DO NOT USE THE SERVICES.

1. Definitions

  • "Platform" means the Sustalium software-as-a-service platform and any related websites or applications.
  • "Customer Data" means any and all data, information, and materials that you or your Authorized Users submit to the Platform.
  • "Authorized User" means an individual whom you have authorized to access and use the Services under your account.

2. The Services

2.1. License Grant.

Subject to your compliance with this Agreement, we grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Services for your internal business purposes during the Subscription Term.

2.2. Service Level Agreement (SLA).

The Services are provided with a baseline Service Level Agreement (SLA) of 99.5% uptime during normal Dutch business hours. This baseline SLA does not include any service credits for downtime. Any higher uptime commitments, support levels, or service credits are only applicable if specified in a separate, signed Master Services Agreement (MSA).

2.3. Modifications to the Service.

We reserve the right to modify or update the Services at any time. If we make a material change that would adversely affect the core functionality of the platform, we will provide you with reasonable advance notice (e.g., via email or in-app notification).

2.4. Your Responsibilities.

You are responsible for all activities that occur under your account. You agree to: (a) maintain the confidentiality of your account credentials; and (b) ensure that your use of the Services complies with all applicable laws.

2.5. Acceptable Use.

You shall not: (a) reverse-engineer the Platform; (b) use the Services for any illegal purpose; or (c) interfere with the security or integrity of the Platform.

3. Fees and Payment

3.1. Subscriptions.

You agree to pay all fees specified in your selected subscription plan. All fees are non-refundable except as expressly stated in this Agreement.

3.2. Billing and Automatic Renewal.

Your subscription will automatically renew unless you cancel prior to the renewal date. You authorize us to charge your payment method for the renewal subscription fees.

3.3. Fee Modifications.

We reserve the right to modify our subscription fees at the end of your subscription term. We will provide you with at least thirty (30) days' prior written notice of any fee change.

3.4. Taxes.

All fees are exclusive of any applicable taxes, levies, or duties.

4. Intellectual Property & Data Rights

4.1. Our Intellectual Property.

We own and shall retain all right, title, and interest in and to the Services and the Platform.

4.2. Your Customer Data.

You own and shall retain all right, title, and interest in and to your Customer Data. You grant us a limited, worldwide, royalty-free license to use, host, and process your Customer Data solely for the purpose of providing and improving the Services.

4.3. Anonymized Data and Verifiable Records.

You agree that we may use anonymized, aggregated data for statistical analysis and to improve our platform. Furthermore, you acknowledge that any independently verifiable facts derived from your data (such as a product's achievement of a public certification on a certain date), which have been cryptographically anchored into our "System of Verifiable Truth," may be retained as part of an immutable record to ensure the integrity of the wider ecosystem.

5. Data Protection, Hosting, and Confidentiality

5.1. Confidentiality.

Each party will treat the other's Confidential Information with a high degree of care and will not disclose it to any third party except as necessary to provide or receive the Services.

5.2. Data Processing (GDPR).

For the purposes of the GDPR, you are the "Data Controller" and we are the "Data Processor." The processing of personal data is governed by our Data Processing Addendum (DPA), which is attached as Annex A and is incorporated by reference into this Agreement.

5.3. Data Hosting and Sovereignty.

The Company's core "Intelligence Engine" and primary data processing systems are located within the European Union. However, to ensure performance and comply with local regulations, Customer Data for clients based outside the EU may be hosted in a regional data center (e.g., in the US or APAC). Any such cross-border data transfer will be governed by a valid legal mechanism, such as the EU Standard Contractual Clauses (SCCs), as detailed in our DPA.

6. Disclaimers, Guarantees, and Limitation of Liability

6.1. Data Integrity Disclaimer.

You acknowledge that the Service aggregates complex data from third-party sources and data provided by you. While we use reasonable efforts to ensure accuracy, we cannot guarantee that all information is complete, accurate, or up-to-date in real-time. You are solely responsible for the accuracy and completeness of any data you enter into the Platform. If you identify a potential error in our data or calculations, we will assess the report and correct any verified errors in a timely manner.

6.2. Limited Guarantee.

The Company's standard warranties and guarantees of accuracy apply only to data and algorithms that have been explicitly marked within the Service as "Company Verified" or "Validated." Any and all data, calculations, or outputs that are not explicitly marked as "Company Verified" are provided on an "as-is," indicative basis without any warranty of accuracy. Higher levels of assurance must be governed by a separate MSA.

6.3. Use of Recommendation Engine.

Any suggestions, recommendations, or alternative solutions generated by the Service's recommendation engine (the "Recommendations") are for informational purposes only and are not a substitute for your own professional judgment and due diligence. You are solely responsible for independently verifying any Recommendations before implementation, and we shall have no liability for any business outcomes resulting from your decision to act on them.

6.4. General Disclaimer of Warranties.

EXCEPT AS EXPLICITLY STATED IN SECTION 6.2, THE SERVICES ARE PROVIDED "AS IS." WE MAKE NO OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY.

6.5. Limitation of Liability.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL THE COMPANY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF THIS AGREEMENT EXCEED THE TOTAL AMOUNT OF FEES PAID BY YOU DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

7. Term and Termination

7.1. Term.

This Agreement commences when you accept these Terms and continues for as long as you have an active subscription.

7.2. Termination.

You may terminate by cancelling your subscription. We may terminate if you breach any material term and fail to cure within thirty (30) days.

7.3. Data Retention Upon Termination.

Upon termination, your personal data and proprietary, non-public Customer Data will be retained for a period of ninety (90) days, during which you may export your data. After this period, such data will be permanently deleted. This retention period may be extended only if we are required to retain the data to comply with a legal obligation or a binding order from a court or law enforcement agency.

8. General Provisions

8.1. Marketing and Publicity.

You grant the Company a limited license to use your company's name and logo on our website and in our marketing materials. You also agree to act as a reference for prospective customers, provided that no confidential business data is exposed. You may revoke this permission at any time by providing us with written notice.

8.2. Governing Law and Jurisdiction.

This Agreement shall be governed by the laws of The Netherlands. Any disputes shall be submitted to the competent court in Amsterdam, The Netherlands.

8.3. Modifications.

We may modify these Terms from time to time by posting a revised version on our website. Your continued use of the Services after the effective date of any modification constitutes your agreement to the modified Terms.

8.4. Entire Agreement.

This Agreement, including Annex A (the DPA), constitutes the entire understanding between the parties.


Annex A: Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") is incorporated into and forms a part of the Terms and Conditions (the "Agreement") between Sustalium B.V. i.o. (the "Company" or "Processor") and the customer entity that is a party to the Agreement (the "Customer" or "Controller").

This DPA shall be effective for the term of the Agreement.

1. Definitions

1.1. The terms "Controller," "Processor," "Personal Data," "Data Subject," and "Processing" shall have the meanings given to them in the GDPR.

1.2. "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

1.3. "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission.

2. Roles and Scope of Processing

2.1. Roles. The parties acknowledge and agree that for the purposes of the GDPR, the Customer is the Controller and the Company is the Processor of any Personal Data processed on behalf of the Customer in connection with the Services.

2.2. Scope. The Company shall process Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data, unless required to do so by Union or Member State law. The Agreement, including this DPA, constitutes the Customer's complete and final instructions to the Company for the processing of Personal Data.

3. Details of Processing

3.1. The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are set forth in Appendix 1 to this DPA.

4. Obligations of the Processor

The Company agrees to:

4.1. Confidentiality. Ensure that its personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2. Security of Processing. Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Appendix 2 to this DPA.

4.3. Sub-processing.

  • a) The Customer provides a general authorization for the Company to engage other processors ("Sub-processors"). The Company's current list of Sub-processors is set forth in Appendix 3.
  • b) The Company shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, in accordance with the communication preferences provided by the Customer, thereby giving the Customer the opportunity to object to such changes.
  • c) The Company will impose on any Sub-processor the same data protection obligations as set out in this DPA by way of a written contract.

4.4. Data Subject Rights. Taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subject's rights.

4.5. Personal Data Breach. Notify the Customer without undue delay after becoming aware of a Personal Data Breach and provide reasonable assistance to the Customer in its own data breach notification obligations.

4.6. Data Protection Impact Assessment. Assist the Customer in ensuring compliance with its obligations pursuant to Articles 35 and 36 of the GDPR (Data Protection Impact Assessments and prior consultation), taking into account the nature of Processing and the information available to the Company.

4.7. Audits. Upon reasonable request, make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

5. Obligations of the Controller

The Customer warrants that it has a valid legal basis for the Processing of all Personal Data and that its instructions to the Company are lawful.

6. International Transfers

6.1. The Company shall not transfer Personal Data to any country outside the European Economic Area (EEA) without a valid transfer mechanism under the GDPR.

6.2. The parties agree that where the transfer of Personal Data from the Customer to the Company involves a transfer outside the EEA, the SCCs shall apply. To this end, the SCCs are hereby incorporated by reference and are deemed to be completed as set forth in Appendix 1.

7. Deletion or Return of Data

Upon termination of the Agreement, the Company shall delete or return all Personal Data to the Customer as set forth in the Agreement, unless Union or Member State law requires storage of the Personal Data.

8. General Provisions

8.1. Liability. The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

8.2. Governing Law. This DPA shall be governed by the laws of The Netherlands.


Appendix 1 to the DPA

A. LIST OF PARTIES

Data exporter(s): [Controller]

  • Name: The Customer, as defined in the Agreement.
  • Address: The Customer's address as set forth in their account information.
  • Contact person's name, position and contact details: The Customer's primary contact as set forth in their account information.
  • Activities relevant to the data transferred under these Clauses: Use of the Company's Services as described in the Agreement.
  • Role (controller/processor): Controller

Data importer(s): [Processor]

  • Name: Sustalium B.V. i.o.
  • Address: Winkelstede 60, 2543BR, Den Haag, The Netherlands
  • Contact person's name, position and contact details: Data Protection Officer, dpo@sustalium.com.
  • Activities relevant to the data transferred under these Clauses: Provision of the Services as described in the Agreement.
  • Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

  • The Customer's Authorized Users and other individuals whose Personal Data is submitted to the Services by the Customer (e.g., employees, contractors, business partners).

Categories of personal data transferred

  • User Account Data: Name, email address, password, role, and contact information.
  • Customer-Uploaded Data: Personal Data that may be contained within the business documents and data uploaded by the Customer to the Services, the extent of which is determined by the Customer in its sole discretion.

Sensitive data transferred (if applicable)

  • The Customer agrees not to upload any special categories of Personal Data (within the meaning of Article 9 of the GDPR) to the Services unless a separate agreement has been made.

The frequency of the transfer

  • Continuous, for the duration of the Agreement.

Nature of the processing

  • The collection, storage, analysis, and display of Personal Data for the purpose of providing the Services as described in the Agreement.

Purpose(s) of the data transfer and further processing

  • To provide, maintain, and improve the sustainability intelligence platform and services for the Customer.

The period for which the personal data will be retained

  • For the duration of the Agreement, and for a period of up to ninety (90) days after termination, unless otherwise required by law.

C. COMPETENT SUPERVISORY AUTHORITY

  • The competent supervisory authority shall be the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Appendix 2 to the DPA

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES (TOMS)

The Company has implemented and will maintain the following technical and organizational measures:

  1. Access Control: Access to systems and data is restricted to authorized personnel based on the principle of least privilege. Multi-factor authentication is required for access to critical systems.
  2. Encryption: All Customer Data is encrypted in transit using TLS 1.2 or higher. All Customer Data is encrypted at rest using industry-standard AES-256 encryption.
  3. Data Minimization: The Company collects and processes only the Personal Data that is necessary to provide the Services.
  4. Logging and Monitoring: The Company maintains detailed logs of access to critical systems and monitors for suspicious activity. Furthermore, the platform maintains an immutable, cryptographically verifiable audit trail of all critical customer data events (such as data submission and report generation) to support customer compliance and audit requirements.
  5. Incident Response: The Company maintains a formal Incident Response Plan to identify, manage, and remediate security incidents in a timely manner.
  6. Personnel Security: All personnel with access to Personal Data are subject to confidentiality obligations and undergo regular security and data protection training.
  7. Business Continuity: The Company maintains a Business Continuity and Disaster Recovery plan, including regular backups of Customer Data, to ensure the availability of the Services.

Appendix 3 to the DPA

LIST OF SUB-PROCESSORS

The Customer provides a general authorization for the Company to engage the following Sub-processors to provide the Services:

Sub-processor Name           | Purpose                                      | Entity Location
-----------------------------|----------------------------------------------|---------------------------
Google Cloud Platform (GCP)  | Cloud Infrastructure and Hosting             | The Netherlands (EU) / USA
Auth0, Inc.                  | User Authentication and Identity Management  | USA

Contact Information

For questions about these Terms, please contact us at:
Email: dpo@sustalium.com
Address: Sustalium B.V. i.o., Winkelstede 60, 2543BR, Den Haag, The Netherlands