Terms of Service
Version: 1 | Last Updated: 2025-10-20
These Terms of Service (“Terms”) govern the use of the SaaS platform and related services (“Services”) provided by From Scratch AB / Norriva (“we,” “our,” “us”). By accessing or using the Services, the company or other legal entity identified in your account (the “Customer”) agrees to these Terms.
1. Acceptance of Terms
By accessing or using the Services, you confirm that (i) you have read and understood these Terms; (ii) you are authorized to enter into an agreement for the Services on behalf of the Customer; and (iii) the Customer (a) agrees to be bound by these Terms; and (b) remains responsible for use of the Services, and for compliance with these Terms, by its authorized users (“Authorized Users”).
These Terms are intended solely for business customers. We do not provide the Services to consumers.
2. Services Provided
The Services provided by us consist of a SaaS platform designed to help manage and optimize the Customer’s go-to-market (GTM) strategy. The platform includes applications, tools, and resources for leadership, marketing, sales, customer success, and related functions. More information about the Services is available at www.norriva.com (the “Website”).
3. Subscription and Payment
3.1 Subscription Plans
Subscription plans, pricing, and features are listed on the Website (www.norriva.com/pricing). Your subscription begins upon activation and continues until terminated in accordance with Section 8.
3.2 Payment Terms
All fees are payable in advance in accordance with the subscription plan selected.
3.3 Price Adjustments
We may adjust the subscription fees from time to time. Any price changes will take effect at the start of the next subscription period, provided that the Customer has been given at least 30 days’ prior notice. If the Customer does not wish to continue the subscription at the new price, the Customer may cancel the subscription before the renewal date in accordance with Section 8.
3.4 Auto-Renewal
Subscriptions automatically renew for successive billing periods unless terminated by the Customer in accordance with Section 8. For clarity, any termination must be completed before the renewal date to avoid renewal.
3.5 Free Plan and Promotions
If the Customer uses a free plan, free trial, or promotional offer (“Free Plan”), the Customer may do so subject to the usage limits, features, and restrictions we set at the time. The Customer may not create multiple Free Plans for the same organization or alongside a paid subscription. Free Plans may not include support. We may change or end any Free Plan and associated Services at any time without obligation. Free Plans are subject to the disclaimers set out in Section 11 and the specific limitations of liability set out in Section 12.
3.6 Refund Policy
Fees are non-refundable except where required by law. We do not provide refunds or credits for any partial subscription periods or unused Services, except where required by law.
3.7 Payment Methods
Payment must be made using the methods specified on the Website.
3.8 Taxes
The Customer is responsible for all taxes, duties, and charges imposed in connection with its subscription, except for taxes that are our responsibility under applicable law.
4. Customer Responsibilities and Acceptable Use
4.1 Account Security
The Customer is responsible for ensuring that its Authorized Users keep their login credentials secure and confidential. The Customer is liable for all activities conducted under its accounts. The Customer must notify us immediately of any unauthorized access or use of the Services.
4.2 Compliance
The Customer must comply with all applicable laws, regulations, and these Terms, and must ensure that all Authorized Users do the same. Any violation of these Terms by an Authorized User will be deemed a violation by the Customer.
4.3 Acceptable Use
The Customer must not, and must ensure that its Authorized Users do not:
- copy, modify, reverse-engineer, resell, or create derivative works of the Services, or use them to build a competing product or service;
- infringe or violate any third-party rights, including intellectual property, privacy, or publicity rights;
- upload, share, or generate illegal, harmful, defamatory, discriminatory, obscene, or otherwise inappropriate content;
- send spam, phishing, or other unsolicited communications, or upload/distribute viruses, malware, or other malicious code;
- attempt to bypass, disable, or interfere with security features, access controls, or the proper functioning of the Services; or
- use automated tools (including bots, scrapers, or crawlers) without our prior written consent, or otherwise create an unreasonable load on our infrastructure.
We may suspend access to the Services immediately if we believe, in our reasonable judgment, that the Customer or its Authorized Users have violated this Acceptable Use Policy. We will use reasonable efforts to notify the Customer of the suspension and the reasons for it without undue delay. Termination of the agreement is governed by Section 8.
4.4 Customer Content
The Customer retains ownership of all content it or its Authorized Users upload to the Platform (“Customer Content”). By using the Services, the Customer grants us a non-exclusive, worldwide, royalty-free and transferable license to copy, transmit, display, and process Customer Content solely to maintain, secure, and support the Services, and to comply with applicable law. We do not acquire any ownership rights in Customer Content. The Customer represents that it has all rights and consents necessary to submit Customer Content and to grant the foregoing license.
We may use aggregated and anonymized (or otherwise de-identified) data derived from the Customer’s use of the Services for analytics, product improvement, and benchmarking, provided it does not identify the Customer or any individual.
5. AI Use & Responsibility
The Services include artificial intelligence (“AI”) features that may generate content suggestions based on inputs provided by the Customer or its Authorized Users. While we aim to provide helpful, accurate, and relevant suggestions, AI-generated outputs may not always be complete, correct, or appropriate for the Customer’s intended purpose.
The Customer is solely responsible for reviewing, editing, and verifying any AI-generated content before using or publishing it, including ensuring compliance with applicable laws, regulations, industry standards, and these Terms. The Customer must ensure that all Authorized Users do the same.
We do not guarantee that AI-generated outputs will be free of errors, comply with third-party rights, or be fit for any specific purpose. We have no responsibility or liability of any kind for any losses, damages, or claims arising from the use of AI-generated content.
The Customer must not, and must ensure that its Authorized Users do not, use the AI features to generate or disseminate:
- Illegal, infringing, harmful, or discriminatory content
- Content that violates the rights of others (including intellectual property, privacy, and publicity rights)
- Misleading claims in regulated industries (e.g., medical, financial, legal)
We may review, block, or remove AI-generated outputs that violate these Terms or applicable law, and may suspend access in accordance with Section 4.3. The AI features form part of the Services and are subject to Section 11 (Warranties and Disclaimers). Their behavior may change as we improve and update the models in accordance with Section 10.2 (Changes to the Services).
6. Intellectual Property
6.1 Ownership
We and our licensors own all intellectual property rights in the Services, including the underlying design, software, code, technology, and documentation, as well as any improvements, updates, or derivative works created by us.
6.2 License Grant
Subject to the Customer’s compliance with these Terms and payment of all applicable fees, we grant the Customer a limited, non-exclusive, non-transferable, and revocable license to use the Services for its internal business purposes during its active subscription.
6.3 Feedback
We may freely use any suggestions, ideas, or feedback provided by the Customer or its Authorized Users without restriction or obligation.
7. Confidentiality
Each party agrees to keep the other party’s non-public information confidential and to use it only as necessary to perform its obligations under these Terms. This obligation does not apply to information that (a) is or becomes public without breach, (b) was already known to the receiving party, (c) is received lawfully from a third party, or (d) is independently developed without reference to the other party’s information.
8. Termination and Suspension
8.1 Termination by the Customer
The Customer may terminate its subscription at any time through the account settings, with effect at the end of the current subscription period. No refunds will be made for any unused portion of the subscription.
8.2 Termination by Us
We may suspend or terminate the Customer’s access to the Services immediately if the Customer or its Authorized Users (a) violate these Terms, (b) fail to pay fees when due, or (c) engage in unlawful, harmful, or fraudulent activity. We will use reasonable efforts to notify the Customer of any suspension or termination and the reasons for it. Suspension rights also apply under Sections 4.3 and 5 (AI Use & Responsibility).
In addition, we may terminate the Customer’s subscription for convenience by giving at least thirty (30) days’ prior notice, in which case termination will take effect at the end of the then-current subscription period. No refunds will be made for any unused portion of the subscription.
8.3 Effects of Termination
Upon termination, the Customer’s access to the Services will cease. Customer Content will remain available for retrieval through the Services for thirty (30) days following termination, after which it will be permanently deleted unless retention is required by law. The Customer is solely responsible for retrieving its data within this period, and we have no obligation to deliver or transfer data on the Customer’s behalf.
8.4 Survival
The provisions of these Terms relating to intellectual property, confidentiality, disclaimers, limitations of liability, and payment obligations shall survive termination of the Customer’s subscription.
9. Data Privacy and Security
Our Privacy Notice, available at www.norriva.com/privacy-notice, describes how we collect, use, and protect information when acting as data controller (e.g., when managing Authorized User accounts).
The provision of the Services means that we, as data processor and on behalf of the Customer, may process personal data relating to individuals. This personal data processing is subject to the Data Processing Agreement (DPA) that is appended to these Terms as Appendix 1. The DPA is therefore to be seen as an integral part of these Terms.
The Customer must not enter or store any sensitive or special categories of personal data in the Services, unless expressly agreed with us in writing.
We implement appropriate technical and organizational measures to protect information but cannot guarantee that security incidents will never occur.
10. Service Availability and Changes
10.1 Service Availability
We will use reasonable efforts to make the Services available with at least 99% uptime on a monthly basis, excluding periods of scheduled and emergency maintenance. Availability may also be affected by circumstances beyond our reasonable control, such as failures of third-party hosting providers or internet service providers. This Section does not establish a service level commitment or any remedy for failure to meet the stated availability target.
10.2 Changes to the Services
We may improve, modify, or remove features of the Services from time to time. Where such changes have a material impact on the Customer’s use of the Services, we will provide reasonable notice before the changes take effect. Notwithstanding the foregoing, we may implement changes without prior notice where necessary to address security issues, comply with applicable laws or regulatory requirements, or avoid material harm to the Services or other customers. All changes to the Services form part of the Services and are subject to these Terms.
11. Warranties and Disclaimers
All Services (including Free Plans) are provided on an “as is” and “as available” basis without warranties of any kind, whether express, implied, statutory, or otherwise. We specifically disclaim all implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement, and do not warrant that the Services will be uninterrupted, error-free, or completely secure. In particular, we make no guarantee that the Services will result in the Customer’s commercial success or any particular business outcome. No oral or written advice or information obtained from us or through the Services creates any warranty not expressly stated in these Terms.
12. Limitations of Liability
To the maximum extent permitted by law:
(a) Our aggregate liability to the Customer for all claims arising out of or relating to these Terms or the Services will not exceed the fees paid by the Customer during the twelve (12) months preceding the event giving rise to the claim.
(b) For Free Plans, our total liability will not exceed €100.
(c) We will not be liable for any indirect, incidental, special, consequential, or punitive damages, or for any loss of profits, revenues, data, goodwill, or use.
13. Indemnification
The Customer agrees to indemnify, defend, and hold harmless From Scratch AB / Norriva, its affiliates, and their respective officers, directors, employees, and contractors from and against any claims, damages, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to (a) the Customer’s use of the Services; (b) Customer Content; (c) the Customer’s breach of these Terms; or (d) the Customer’s violation of applicable laws or regulations.
14. Collaboration Partners
The Customer agrees that we may share the Customer’s name with its trusted business partners for collaboration purposes, provided that such partners are subject to appropriate confidentiality obligations. This does not grant any partner the right to market directly to the Customer.
15. Subcontractors
We may engage subcontractors to provide or support the Services without the Customer’s consent. We remain responsible for the performance of our subcontractors as if it were our own.
16. Reports of Misuse or Illegal Content
Concerns regarding misuse of the Services or illegal content may be reported to us at privacy@norriva.com or through the contact information provided in Section 24 below. We may review and take appropriate action, including removing or restricting access to content that we reasonably believe to be unlawful or in breach of these Terms.
17. Force Majeure
We will not be liable for any delay or failure to perform caused by circumstances beyond our reasonable control, including natural disasters, internet or telecommunications failures, labor disputes, government actions, or other similar events. Our obligations will be suspended for the duration of the force majeure event and will resume once the event ends.
18. Export Compliance
The Customer must comply with all applicable export control, trade, and economic sanctions laws and regulations in connection with its use of the Services. We may restrict access to the Services where required by such laws.
19. Governing Law & Dispute Resolution
These Terms are governed by the laws of Sweden. If a disagreement arises, the Parties will first attempt to resolve it through good-faith discussions. If no agreement is reached within thirty (30) days, the matter will be finally settled by the courts of Sweden, with Stockholm District Court (Stockholms tingsrätt) as the court of first instance.
To the extent permitted by applicable law, each party waives any right to a jury trial or to participate in class actions or similar collective proceedings.
20. Assignment
We may assign or transfer our rights and obligations under these Terms without the Customer’s consent. The Customer may not assign or transfer its rights or obligations under these Terms without our prior written approval. Any attempted assignment in violation of this Section is void.
21. Notices
We will send notices to the email address associated with the Customer’s account, and the Customer is responsible for keeping that address accurate and up to date. Notices from the Customer to us must be sent to support@norriva.com. Notices sent by email will be deemed received on the next business day after sending.
22. Entire Agreement
These Terms (together with the Data Processing Agreement, as applicable) constitute the entire agreement between the Customer and us regarding the Services and supersede any prior agreements or understandings. If any provision is held unenforceable, the remaining provisions will remain in full force and effect. Our failure to enforce a provision will not be deemed a waiver of our rights.
23. Modifications to Terms
We may amend these Terms from time to time. Minor amendments that do not materially impact the Customer may take effect immediately upon notice. Material amendments will be notified to the Customer at least thirty (30) days before they take effect, unless required earlier by mandatory law, government decision, or security reasons, in which case they may take effect immediately upon notice. If the Customer does not accept a Material amendment, its sole remedy is to terminate its subscription before the amendment takes effect. In such case, fees already paid remain non-refundable. Continued use of the Services after an amendment takes effect constitutes the Customer’s acceptance of the updated Terms.
24. Contact Information
From Scratch AB / Norriva
Org. No: 559494-1261
Email: hello@norriva.com
Website: www.norriva.com
APPENDIX 1 – DATA PROCESSING AGREEMENT (“DPA”)
This Data Processing Agreement (“DPA”) is between the party that decides why and how personal data is processed (the Controller) and the party that processes data on its behalf (the Processor). Together, they are the Parties. The Parties are defined in Annex 1 of this DPA.
This DPA is an appendix to the Terms & Conditions that the Controller accepted in order to use the Processor’s platform and the DPA takes effect on the same date as the Controller accepted the Terms and Conditions for the use of the platform (Effective Date).
The Parties will use the European Commission’s standard contractual clauses for use between controller–processor (Decision 2021/915). A full copy of the text is available at https://commission.europa.eu/publications/publications-standard-contractual-clauses-sccs_en.
The EU Standard Contractual Clauses (SCC) have four annexes (Annex I–IV). These annexes must be completed by the Parties and are attached to this DPA.
The SCC cannot be changed except for filling in the annexes. No additional terms may contradict or reduce the SCC or data subjects’ rights. Where the SCC allows options, the Parties agree as follows:
Clauses in SCC | Agreed alternative |
Clause 1 a) | Alternative 1 |
Clause 5 | Shall be applied |
Clause 7.7 a) | Alternative 2, list of sub-processors valid at the Effective Date. Any changes must be notified at least 30 days in advance. |
Clause 8 c) 4) | Alternative 1 |
Clause 9.1 b) | Alternative 1 |
Clause 9.1 c) | Alternative 1 |
Clause 9.2 third paragraph | Alternative 1 |
In addition to what is stated above, the following provisions shall apply to the processing of Personal Data pursuant to the Agreement.
Notification of data breaches
The Processor shall notify the Controller of any personal data breaches referred to in Clause 9.2 of the SCC at the latest 72 hours after becoming aware of the incident.
Docking
If a new entity joins as a Party under Clause 5(b), its details must be added in Annex II, and all Parties must sign an amendment.
Compensation
Unless otherwise agreed in writing, the Processor is not entitled to extra payment for following the Controller’s instructions under this DPA.
However, the Processor may claim reasonable and proven extra costs if, for example:
- Assisting with data subject rights requests is far more extensive than reasonably expected,
- Assisting with a Data Protection Impact Assessment (DPIA),
- Assisting with a data breach caused by the Controller,
- Assisting with audits or inspections requested by the Controller,
- Following new or changed instructions given after this DPA takes effect; and
- Terminating a sub-processor at the Controller’s request.
Applicable Law
This DPA is governed by Swedish law.
Miscellaneous
An independent auditor appointed by the Controller under Clause 7.6(d) must not conduct any business that competes with the Processor.
The Controller instructs the Processor to anonymize and aggregate personal data entered into the Processor’s platform.
Personal data transferred to the Processor’s platform will be stored there as long as the Controller is a client of the Processor.
Annex I – Parties
Controller
By accessing or using the Services as defined in the Terms of Service (“Terms”), the company or other legal entity identified in your account (the “Customer”) agrees to use and is deemed to have signed this DPA, which constitutes Appendix 1 to the Terms and is seen as the Controller.
Information about the Controller can be found in the Customer’s account.
Processor
The Processor is From Scratch AB / Norriva, the provider of the SaaS platform and related services (“Services”). Information about the Processor can be found under section 24 Contact Information of the Terms.
The Processor shall also be deemed to have signed this DPA, which constitutes Appendix 1 to the Terms, when the Customer accesses or starts using the Services.
Annex II – Description of Processing
Purpose of Processing | Processing personal data in connection with the provision of the Services |
Nature of Processing | Storing and organizing, in order to provide, maintain, and improve the Platform. |
Kind of Personal Data being processed | ☒ Contact information, e.g. first name, last name, e-mail address, phone number ☒ Organizational information, e.g. organization, role/function/position ☒ Financial Information, e.g. bank account number, related bank information, details necessary for making or receiving payments, issuing invoices ☒ Technical information, e.g. login credentials ☒ Customer content, e.g. go-to-market strategy data, sales and marketing metrics, calendars, documents, product or project information, and other business information ☐ Other: ____________________________ |
Category of Data Subject(s) | ☒ Customer ☒ Employees ☒ Partners ☐ Other: ____________________________ |
Retention period | For the term of your subscription and up to 30 days after termination, unless otherwise required by law. |
Annex III – Technical and Organizational Measures
Data Confidentiality
Physical Access Controls | We operate as a remote-first team and do not maintain a physical office. Each team member works from a secure home environment with password-protected devices and restricted physical access. Devices used for work are kept in private spaces and are not shared with unauthorized individuals. |
Logical Access Controls | Access to all company systems and data is protected through strong passwords, two-factor authentication, and role-based permissions. We use reputable cloud service providers with built-in security features such as encryption, firewalls, and monitoring. |
Staff Knowledge Controls | All team members handling personal data receive onboarding and periodic refreshers on GDPR, data protection, and our internal security guidelines. We maintain clear and accessible documentation on how personal data is handled within our systems. |
Authorization Controls | Access to personal data is restricted to authorized personnel only, based on role and necessity. Access rights are reviewed regularly and removed immediately when no longer required (e.g., when a team member leaves or changes role). |
Pseudonymization | Where possible, personal data is pseudonymized for development, testing, and analytics. Direct identifiers are replaced with randomly generated values, and mapping data is stored securely and separately. |
Data Integrity
Transfer Controls | All personal data is transmitted over secure, encrypted connections (TLS/HTTPS) and stored in encrypted form (AES-256 or equivalent). We rely on reputable cloud providers that comply with GDPR and maintain high security standards. |
Input Controls | Only authorized users can create, edit, or delete personal data within our systems. All changes are logged and monitored through our cloud provider’s audit trail functionality to ensure data integrity and accountability. |
Data Availability and Resilience
Availability Controls | Our systems and data are hosted in secure, redundant cloud environments with automatic backups managed by our service providers. This minimizes downtime and protects against accidental data loss. |
Recoverability Controls | We have documented backup and recovery procedures in place. In the event of a technical incident, data can be restored from backups managed by our cloud providers. We review these processes periodically to ensure reliability. |
Testing, Assessment and Evaluation
Data Protection Management | We comply with GDPR principles and review our technical and organizational measures at least annually or when significant changes occur. A designated privacy contact oversees compliance and serves as a point of contact for data protection matters. |
Incident Response Management | We maintain an incident response process for identifying, containing, and reporting security incidents or potential data breaches. All incidents are logged and evaluated, and if necessary, reported to the Swedish Authority for Privacy Protection (IMY) and affected parties in line with GDPR requirements. |
Data Protection by Design and by Default | Data protection principles are built into our product and processes. We collect only the data necessary for specific purposes, apply privacy-friendly defaults, and ensure users can exercise control over their data. |
Subcontractor Management | We work only with trusted subcontractors and service providers that meet appropriate technical and organizational security standards. All providers that process personal data on our behalf are covered by GDPR-compliant Data Processing Agreements (DPAs), either through the provider’s standard terms (for major cloud and SaaS services) or through our own DPA for smaller subcontractors. We maintain a list of approved subprocessors and review their compliance periodically. |
Annex IV – List of Sub-processors
List of subcontractors used by the Processor as of the effective date.
NAME | LEGAL ENTITY | PROCESSING PURPOSE | DATA CATEGORIES | LOCATION | COUNTRY | SAFEGUARDS FOR TRANSFERS |
Google Cloud | Google Cloud EMEA Limited | Hosting infra Search Infra / Content generation Communication | User, Content, Performance, Device, Activity, email, communication | EEA/EU | Regional hosting at rest | SCC EU-U.S. DPF incl. UK |
Stripe | Stripe Payments Europe, Limited (SPEL) | Payment processing & subscription management | Contact, financial, transactional | EEA/EU | Ireland | SCC EU-U.S. DPF incl. UK |
Monday | monday.com Ltd. | Processing customer data, contact organizing | Contact, organizational, Customer relationship data | EEA/EU | Germany | SCC EU-U.S. DPF incl. UK |