Data Protection Terms

This section includes the following subsections:

Scope
Processing of Customer Data; Ownership
Disclosure of Customer Data
Processing of Personal Data; GDPR
Data Security
Security Incident Notification
Data Location
Data Retention and Deletion
Processor Confidentiality Commitment
Notice and Controls on Use of Subprocessors
Product-Specific Data Processing
Enhanced Features with Elevated Data Protection Risk
Customer Compliance Responsibilities
How to Contact Microting
European Union General Data Protection Regulation Terms (GDPR terms)

Scope

The terms in this section (“Data Protection Terms”) apply to all Microting services.

Processing of Customer Data; Ownership

Customer Data will be used or otherwise processed only to provide Customer the Microting Services including purposes compatible with providing those services. Microting will not use or otherwise process Customer Data or derive information from it for any advertising or similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer Data. Microting acquires no rights in Customer Data, other than the rights Customer grants to Microting to provide the Microting Services to Customer. This paragraph does not affect Microting’s rights in software or services Microting licenses to Customer.

Disclosure of Customer Data

Microting will not disclose Customer Data outside of Microting or its controlled subsidiaries and affiliates except (1) as Customer directs, (2) as described in the Terms of Service, or (3) as required by law.

Microting will not disclose Customer Data to law enforcement unless required by law. If law enforcement contacts Microting with a demand for Customer Data, Microting will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose Customer Data to law enforcement, Microting will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so.

Upon receipt of any other third-party request for Customer Data, Microting will promptly notify Customer unless prohibited by law. Microting will reject the request unless required by law to comply. If the request is valid, Microting will attempt to redirect the third party to request the data directly from Customer.

Microting will not provide any third party: (a) direct, indirect, blanket or unfettered access to Customer Data; (b) platform encryption keys used to secure Customer Data or the ability to break such encryption; or (c) access to Customer Data if Microting is aware that the data is to be used for purposes other than those stated in the third party’s request.

In support of the above, Microting may provide Customer’s basic contact information to the third party.

Processing of Personal Data; GDPR

Personal Data provided to Microting by, or on behalf of, Customer through use of the Microting Services is also Customer Data. Pseudonymized identifiers may also be generated through Customer’s use of the Microting Services and are also Personal Data. To the extent Microting is a processor or subprocessor of Personal Data subject to the GDPR, the GDPR Terms in (GDPR Terms) govern that processing and the parties also agree to the following terms in this sub-section (“Processing of Personal Data; GDPR”):

Processor and Controller Roles and Responsibilities

Customer and Microting agree that Customer is the controller of Personal Data and Microting is the processor of such data, except when (a) Customer acts as a processor of Personal Data, in which case Microting is a subprocessor or (b) stated otherwise in the Microting Service-specific terms. Microting will process Personal Data only on documented instructions from Customer.

In any instance where the GDPR applies and Customer is a processor, Customer warrants to Microting that Customer’s instructions, including appointment of Microting as a processor or subprocessor, have been authorized by the relevant controller.

Processing Details

The parties acknowledge and agree that:

The subject-matter of the processing is limited to Personal Data within the scope of the GDPR;
The duration of the processing shall be for the duration of the Customer’s right to use the Microting Service and until all Personal Data is deleted or returned in accordance with Terms of Service;

Data Subject Rights; Assistance with Requests

Microting will make available to Customer in a manner consistent with the functionality of the Microting Service and Microting’s role as a processor Personal Data of data subjects and the ability to fulfill data subject requests to exercise their rights under the GDPR. Microting shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request. If Microting receives a request from Customer’s data subject to exercise one or more of its rights under the GDPR in connection with an Microting Service for which Microting is a data processor or subprocessor, Microting will redirect the data subject to make its request directly to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Microting Service. Microting shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request.

Records of Processing Activities

Microting shall maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the processing of Personal Data on behalf of Customer, make them available to Customer upon request.

Data Security

Security Practices and Policies

Microting will implement and maintain appropriate technical and organizational measures to protect Customer Data and Personal Data.

Customer Responsibilities

Customer is solely responsible for making an independent determination as to whether the technical and organizational measures for an Microting Service meets Customer’s requirements, including any of its security obligations under the GDPR or other applicable data protection laws and regulations. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Personal Data as well as the risks to individuals) the security practices and policies implemented and maintained by Microting provide a level of security appropriate to the risk with respect to its Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls.

Security Incident Notification

If Microting becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data while processed by Microting (each a “Security Incident”), Microting will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

Notification(s) of Security Incidents will be delivered to one or more of Customer’s administrators by any means Microting selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on each applicable My Microting. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.

Microting’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Microting of any fault or liability with respect to the Security Incident.

Customer must notify Microting promptly about any possible misuse of its accounts or authentication credentials or any security incident related to an Microting Service.

Data Location

For the Microting Services, Microting will store Customer Data at rest at:

Digital Ocean (Germany)
Webdock (Denmark)
AWS (Germany)

For Microting Services (Microting eForm) that uses speech to text, Customer Data (audio recordings) will be transferred and processed by Google LLC.

Data Retention and Deletion

At all times during the term of Customer’s subscription, Customer will have the ability to access, extract and delete Customer Data stored in each Microting Service.

Except for free trials, Microting will retain Customer Data that remains stored in Microting Services in a limited function account for 90 days after expiration or termination of Customer’s subscription so that Customer may extract the data. After the 90-day retention period ends, Microting will disable Customer’s account and delete the Customer Data and Personal Data within an additional 90 days, unless Microting is permitted or required by applicable law to retain such data or authorized in this agreement.

Microting has no liability for the deletion of Customer Data or Personal Data as described in this section.

Processor Confidentiality Commitment

Microting will ensure that its personnel engaged in the processing of Customer Data and Personal Data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends.

Notice and Controls on use of Subprocessors

Microting may hire third parties to provide certain limited or ancillary services on its behalf. Customer consents to the engagement of these third parties and Microting Affiliates as Subprocessors. The above authorizations will constitute Customer’s prior written consent to the subcontracting by Microting of the processing of Customer Data and Personal Data if such consent is required under the Standard Contractual Clauses or the GDPR Terms.

Microting is responsible for its Subprocessor’s compliance with Microting’s obligations in the Terms of Service. Microting makes available information about Subprocessors on a Microting website. When engaging any Subprocessor, Microting will ensure via a written contract that the Subprocessor may access and use Customer Data or Personal Data only to deliver the services Microting has retained them to provide and is prohibited from using Customer Data or Personal Data for any other purpose. Microting will ensure that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required of Microting by the Terms of Service.

The list of subprocessors can be found here.

Product-Specific Data Processing

The Microting Services may process the following categories of Personal Data on behalf of Customer, depending on which features Customer has activated:

Time Registration Data. When Customer uses the time registration features of the Microting Services, the following Personal Data may be processed: employee names and identifiers, daily clock-in and clock-out timestamps, total daily working hours, and break registrations. This data is processed for the purpose of enabling Customer to comply with applicable working time legislation, including the Danish Working Time Act (Arbejdstidsloven) as amended July 1, 2024.

Location Data (GPS). Certain features of the Microting Services may enable the collection of precise geographic location data (GPS coordinates) from Authorized Users’ mobile devices at the time of clock-in and/or clock-out. Whether or not this location data is collected is determined solely by Customer’s configuration and explicit request to Microting. Microting acts exclusively as a data processor with respect to such location data. Location data is only collected at the specific moments of clock-in and clock-out and is not used for continuous tracking of Authorized Users. Customer may request the deactivation of location data collection at any time by contacting Microting.

Photographic Data (Clock-in/Clock-out Image Capture). Certain features of the Microting Services may enable the capture of a photograph of the Authorized User at the time of clock-in and/or clock-out. Whether or not photographic data is collected is determined solely by Customer’s configuration and explicit request to Microting. Microting acts exclusively as a data processor with respect to such photographic data. Photographs are captured only at the specific moments of clock-in and clock-out. The Microting Services do not apply facial recognition, automated matching, biometric template creation, or any other form of automated biometric processing to the captured photographs. The photographs are stored and made available solely for the purpose of manual visual verification by Customer’s designated personnel. Customer may request the deactivation of photographic data collection at any time by contacting Microting. Please refer to the section “Enhanced Features with Elevated Data Protection Risk” below for important information regarding this feature.

Audio Data. For Microting Services (Microting eForm) that use speech-to-text functionality, audio recordings are transferred to and processed by Google LLC for transcription purposes.

Enhanced Features with Elevated Data Protection Risk

Certain features available within the Microting Services involve the processing of Personal Data that may carry elevated data protection risks. These features are disabled by default in accordance with the principle of data protection by default (Article 25(2) GDPR) and are only activated upon Customer’s explicit request to Microting.

GPS Location Stamping

When Customer requests activation of GPS location stamping in connection with time registration, Microting will collect the precise geographic coordinates (latitude and longitude) of the Authorized User’s mobile device at the time of each clock-in and clock-out event.

Important notice to Customer:

Before requesting activation of GPS location stamping, Customer should be aware of the following obligations that apply to Customer as data controller:

(a) Lawful basis and proportionality. Customer is responsible for establishing a lawful basis for the collection of location data under Article 6 of the GDPR. Customer should assess whether the collection of GPS location data is proportionate to the purpose pursued and whether less intrusive alternatives (such as geofencing, on-site Wi-Fi verification, physical time terminals, or QR-code check-in) could achieve the same purpose. The collection of GPS data for time registration purposes may constitute a control measure (kontrolforanstaltning) under Danish employment law, which is subject to requirements of legitimate purpose (sagligt formål) and proportionality.

(b) Data Protection Impact Assessment (DPIA). The processing of employee location data may require Customer to carry out a Data Protection Impact Assessment pursuant to Article 35 of the GDPR. European data protection authorities have indicated that systematic monitoring of employees’ location data is likely to trigger the requirement for a DPIA.

(c) Employee information and transparency. Customer is obligated under Articles 13 and 14 of the GDPR to inform Authorized Users (employees) about the collection of their location data before processing begins. This information must include the purpose of the processing, the lawful basis relied upon, the retention period, and the rights of the data subject. Under Danish employment law, new control measures must generally be notified to employees at least six weeks before implementation. In enterprises with a cooperation committee (samarbejdsudvalg), the measure should be discussed with employee representatives prior to implementation.

(d) Data minimization. In accordance with Article 5(1)(c) of the GDPR, Customer should ensure that the processing of location data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Microting collects location data only at the moment of clock-in and clock-out and does not perform continuous or background tracking.

(e) Retention. Customer is responsible for determining the appropriate retention period for location data in accordance with the purposes of the processing and applicable law. Location data should not be retained longer than necessary for the purpose for which it was collected.

Microting recommends that Customer seeks independent legal advice before activating GPS location stamping to ensure full compliance with the GDPR, applicable national data protection legislation, and employment law.

By requesting activation of GPS location stamping, Customer confirms that it has assessed the lawfulness and proportionality of this processing and has taken the necessary steps to comply with its obligations as data controller, including informing Authorized Users of the processing of their location data.

Photo Capture at Clock-in/Clock-out

When Customer requests activation of photo capture in connection with time registration, the Microting Services will capture a photograph of the Authorized User via the device camera at the time of each clock-in and/or clock-out event. The purpose of this feature is to enable Customer to verify the identity of the Authorized User and to prevent fraudulent time registration (e.g. one employee clocking in or out on behalf of another).

Important clarification regarding data classification:

The Microting Services do not apply facial recognition technology, automated matching, biometric template creation, or any other form of automated technical processing to the captured photographs. The photographs are stored and made available solely for the purpose of manual visual verification by a human reviewer (e.g. a manager or supervisor comparing the photograph to the known identity of the employee).

In accordance with Recital 51 of the GDPR, photographs are only classified as biometric data — and thereby as special category data under Article 9 — when they are processed through specific technical means that allow or confirm the unique identification of a natural person. Since the Microting Services do not perform any such technical processing of the photographs, the captured images constitute ordinary Personal Data under Article 6 of the GDPR, not special category data under Article 9. Customer must not subject the photographs to facial recognition, automated matching, or biometric template extraction using third-party tools or services. Should Customer process the photographs using such technical means outside of the Microting Services, the data may be reclassified as biometric data under Article 9, and the responsibility for compliance with the stricter requirements of Article 9 rests entirely with Customer.

Important notice to Customer:

Although the photographs captured by this feature are classified as ordinary Personal Data and not as biometric data, the processing of employee photographs in the context of time registration nonetheless involves data protection considerations that Customer, as data controller, must address:

(a) Lawful basis. Customer is responsible for establishing a lawful basis for the processing of photographic data under Article 6 of the GDPR. The most likely applicable basis is Article 6(1)(f) — legitimate interests — where Customer has a legitimate interest in preventing fraudulent time registration and has assessed that this interest is not overridden by the employees’ rights and interests. Customer should document this balancing test. Customer should be aware that reliance on employee consent (Article 6(1)(a)) may be problematic in an employment context due to the inherent power imbalance between employer and employee, which may undermine the voluntariness of consent.

(b) Proportionality and necessity. Customer must assess whether the use of photo capture is proportionate to the purpose of preventing fraudulent time registration. Even though the processing does not involve biometric data, capturing photographs of employees at each clock-in/clock-out is a control measure that may be perceived as intrusive. Customer should document why less intrusive alternatives — such as personal PIN codes, employee badges, physical time terminals, or manager presence at clock-in — are insufficient to achieve the desired purpose. The assessment should reflect the actual risk and extent of time registration fraud that Customer has identified or reasonably anticipates.

(c) Data Protection Impact Assessment (DPIA). While photo capture for manual visual verification does not automatically trigger the requirement for a DPIA, Customer should assess whether a DPIA is required in the specific circumstances pursuant to Article 35 of the GDPR. A DPIA may be warranted in particular where the processing involves systematic monitoring of employees on a large scale, or where it is combined with other control measures (such as GPS location stamping). Microting recommends that Customer carries out a DPIA or at minimum documents the assessment of whether a DPIA is required.

(d) Employee information and transparency. Customer is obligated under Articles 13 and 14 of the GDPR to inform Authorized Users about the capture and processing of their photographs before the processing begins. This information must include the purpose of the photo capture (identity verification to prevent time registration fraud), the lawful basis relied upon, that photographs are used solely for manual visual verification and are not subject to automated or biometric processing, who will have access to the photographs (e.g. supervisors, managers), the retention period, and the rights of the data subject. Under Danish employment law, the introduction of photo capture as a control measure must generally be notified to employees at least six weeks before implementation. In enterprises with a cooperation committee (samarbejdsudvalg), the measure should be discussed with employee representatives prior to implementation.

(e) Access control. Access to the captured photographs should be limited to those persons within Customer’s organization who have a legitimate need to perform the visual verification (e.g. designated supervisors or managers). Photographs should not be made broadly accessible within Customer’s organization.

(f) Retention and deletion. Photographs captured at clock-in/clock-out should be retained only for as long as strictly necessary to fulfil the verification purpose. Customer is responsible for establishing and enforcing an appropriate retention period. Microting recommends that photographs be reviewed and deleted within a short timeframe after the verification has been completed, unless Customer has a documented and lawful need to retain the images for a longer period (e.g. to resolve a specific dispute regarding time registration).

(g) Security. Photographic data requires appropriate technical and organizational security measures, including access controls to limit who can view the images and audit logging of access to photographic records.

By requesting activation of photo capture at clock-in/clock-out, Customer confirms that it has assessed the lawfulness and proportionality of this processing and has taken the necessary steps to comply with its obligations as data controller, including informing Authorized Users of the processing of their photographic data. Customer further confirms that it will not subject the captured photographs to facial recognition, automated matching, or biometric template extraction.

Customer Compliance Responsibilities

Customer acknowledges and agrees that, as the data controller of all Personal Data processed through the Microting Services, Customer bears sole responsibility for:

(a) Lawfulness of processing. Determining the lawful basis for each processing activity carried out through the Microting Services, including any processing of location data, biometric data, or other special categories of data, in accordance with Articles 6 and 9 of the GDPR.

(b) Compliance with applicable law. Ensuring that Customer’s use of the Microting Services complies with all applicable data protection laws and regulations, including but not limited to the GDPR, the Danish Data Protection Act (Databeskyttelsesloven), the Danish Working Time Act (Arbejdstidsloven), and any applicable collective agreements or employment law provisions governing control measures in the workplace.

(c) Transparency and employee information. Providing all required information to data subjects (including Authorized Users who are Customer’s employees) regarding the processing of their Personal Data through the Microting Services, in accordance with Articles 13 and 14 of the GDPR. This includes, but is not limited to, information about the categories of data processed, the purposes and lawful basis for processing, the retention period, and the data subjects’ rights.

(d) Proportionality and data minimization. Assessing whether the features and processing activities activated within the Microting Services are proportionate to the purposes pursued and comply with the principle of data minimization under Article 5(1)(c) of the GDPR.

(e) Data Protection Impact Assessment. Carrying out a Data Protection Impact Assessment (DPIA) pursuant to Article 35 of the GDPR where required, including but not limited to situations where processing involves systematic monitoring of employees, the use of location data on a large scale, or the processing of photographic or biometric data for identity verification purposes.

(f) Consent and employee rights. Where processing is based on consent, ensuring that such consent is freely given, specific, informed, and unambiguous, taking into account the inherent imbalance of power in employment relationships as recognized by European data protection authorities.

(g) Notification of control measures. Complying with any applicable notice or consultation requirements under national employment law prior to implementing control measures, including but not limited to the requirement under Danish law to notify employees at least six weeks in advance of new control measures, unless the purpose of the measure would otherwise be defeated.

Microting will, in accordance with Article 28(3) of the GDPR, inform Customer if, in Microting’s opinion, an instruction from Customer infringes the GDPR or other applicable data protection provisions. However, Microting is not responsible for monitoring or assessing whether Customer’s use of the Microting Services complies with applicable law.

How to Contact Microting

Microting A/S Store Ejlstrup, Ejlstrupvej 210 DK-5200 Odense V

Updated contact information can be found at https://www.microting.dk/kontakt

European Union General Data Protection Regulation Terms

Microting makes the commitments in these GDPR Terms, to all customers effective May 25, 2018. These commitments are binding upon Microting with regard to Customer regardless of (1) the version of the Terms of Service that is otherwise applicable to any given Microting Services subscription or (2) any other agreement that references this document.

For purposes of these GDPR Terms, Customer and Microting agree that Customer is the controller of Personal Data and Microting is the processor of such data, except when Customer acts as a processor of Personal Data, in which case Microting is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Microting on behalf of Customer. These GDPR Terms do not limit or reduce any data protection commitments Microting makes to Customer in the Terms Of Service or other agreement between Microting and Customer. These GDPR Terms do not apply where Microting is a controller of Personal Data.

Relevant GDPR Obligations: Articles 28, 32, and 33

Microting shall not engage another processor without prior specific or general written authorisation of Customer. In the case of general written authorisation, Microting shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes. (Article 28(2))
Processing by Microting shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on Microting with regard to Customer. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and the obligations and rights of the Customer are set forth in the Customer’s licensing agreement, including these GDPR Terms. In particular, Microting shall:
(a) process the Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which Microting is subject; in such a case, Microting shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) take all measures required pursuant to Article 32 of the GDPR;
(d) respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
(e) taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
(f) assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Microting;
(g) at the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
(h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
Microting shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3))
Where Microting engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, Microting shall remain fully liable to the Customer for the performance of that other processor’s obligations. (Article 28(4))
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Microting shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. (Article 32(1))
In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2))
Customer and Microting shall take steps to ensure that any natural person acting under the authority of Customer or Microting who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by Union or Member State law. (Article 32(4))
Microting shall notify Customer without undue delay after becoming aware of a personal data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to Microting.

Additional Business Terms for Audits

(a) Customer will send any request for an audit to Microting as described in (How to contact Microting).

(b) Following receipt by Microting of a request, Microting and Customer will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit.

(c) Microting may charge a fee (based on Microting’s reasonable costs) for any audit. Microting will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any third party auditor appointed by Customer to execute any such audit.

(d) Microting may object to any third party auditor appointed by Customer to conduct any audit if the auditor is, in Microting’s reasonable opinion, not suitably qualified or independent, a competitor of Microting or otherwise manifestly unsuitable. Any such objection by Microting will require Customer to appoint another auditor or conduct the audit itself.

(e) Nothing in these Data Processing Terms will require Microting either to disclose to Customer or its third party auditor, or to allow Customer or its third party auditor to access:

(i) any data of any other customer of a Microting;

(ii) any Microting’s internal accounting or financial information;

(iii) any trade secret of a Microting;

(iv) any information that, in Microting’s reasonable opinion, could: (A) compromise the security of any Microting’s systems or premises; or (B) cause any Microting to breach its obligations under the Data Protection Legislation or its security and/or privacy obligations to Customer or any third party; or

(v) any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the Data Protection Legislation.

Document last updated: March 27, 2026