GENERAL TERMS OF SERVICE
GENERAL TERMS OF SERVICE FOR THE EXCHANGE OF ELECTRONIC DOCUMENTS
Version: 2.1
Effective as of: December 17, 2025
Service Provider: MEGATREND REDOK d.o.o., Velika cesta 47, Odra, 10010 Zagreb, PIN 93809374555
Contact: info@redok.net
ACCEPTANCE OF THE GENERAL TERMS OF SERVICE
By using or accessing any service provided by Megatrend Redok d.o.o. (hereinafter: the Provider), the service user (hereinafter: the Subscriber) confirms that they are acquainted with these General Terms of Service (hereinafter: the Terms), accept them in their entirety, and undertake to comply with them. In the event of non-acceptance of these Terms, the Subscriber is not authorized to use the Service.
ARTICLE 1 — INTRODUCTORY PROVISIONS
1.1 Subject Matter and Application of the Terms
These General Terms of Service for the internet service and the electronic business document exchange service (hereinafter: the Service) govern the legal relationship between MEGATREND REDOK d.o.o. (hereinafter: the Provider) and the service user who registers as a Subscriber (hereinafter: the Subscriber) in the capacity of:
· A legal entity performing a registered economic activity (B2B),
· A public authority body (B2G),
· A commercial entity in accordance with the applicable Croatian regulations.
These Terms apply exclusively for business purposes. Pursuant to the Consumer Protection Act, the Service does not apply to natural persons as end-users, nor does it encompass the provision of services to consumers.
1.2 Nature of the Service
The Service constitutes an information society service within the meaning of the Electronic Commerce Act (NN 173/03) and enables the exchange, processing, storage, and electronic delivery of structured business documents between the Subscriber and its business partners, in accordance with the applicable regulations of the Republic of Croatia, including:
· The Fiscalization Act (NN 89/25),
· The Act on Electronic Invoicing in Public Procurement (NN 94/18),
· The Accounting Act (NN 85/24),
· EU standard EN 16931-1:2017 for the technical specifications of the electronic invoice.
1.3 Scope of the Terms
These Terms apply to all business transactions between the Provider and the Subscriber. By accepting these Terms at the time of registration, the Subscriber declares that they are fully acquainted with the content of these Terms, that they accept them in their entirety as an integral and binding part of the contractual relationship, and that they undertake to unconditionally comply with them throughout the entire duration of the contractual relationship.
1.4 Contracting Process
A business entity that accepts the Provider’s offer enters into a Service User Agreement with the Provider, of which these Terms are an integral part.
The person who accepts the Provider’s offer on behalf of the Subscriber must be legally authorized to represent the Subscriber or must have a valid power of attorney to represent the Subscriber. The Provider has the right to request proof of a valid power of attorney before concluding the Agreement.
Oral agreements and understandings that are not supported by a written Agreement are not valid or binding on the Provider.
All subsequent amendments and supplements to these General Terms must be made in writing to be valid. Electronic mail and communication via the platform are considered to be in written form for the purposes of Article 15 of these Terms.
ARTICLE 2 — DEFINITIONS
For the purposes of these Terms, certain expressions have the following meaning, regardless of whether they are used in the singular or plural:
2.1 Basic Terms
EDI (Electronic Data Interchange) – the electronic exchange of structured data between computer systems based on agreed standards and formats.
e-Document (electronic document) – any document exchanged via the Service in electronic form, including, but not limited to: e-Invoices, purchase orders, delivery notes, confirmations, notices, and other business documents.
e-Invoice (electronic invoice) – a structured document issued, transmitted, and received in an electronic format that allows for its automatic and electronic processing, in accordance with the Fiscalization Act, EU standard EN 16931-1:2017, and the technical specifications of the Tax Administration.
2.2 Parties to the Agreement
Provider – Megatrend Redok d.o.o., a commercial company registered at the Commercial Court in Zagreb, which enables the Subscriber to access and use the Service.
Subscriber – a legal or natural person – a craft business owner / sole proprietor who performs a registered economic activity and who, based on a valid registration and acceptance of these Terms, has entered into a subscription relationship with the Provider.
Subscription – the contractual relationship created upon the Subscriber's registration and acceptance of these Terms, granting the Subscriber a limited and time-bound right to use the Service.
User – a natural person authorized by the Subscriber to use the Service on the Subscriber's behalf, including employees, agents, and other persons acting based on a legal or factual relationship with the Subscriber.
2.3 Parties to Electronic Exchange
Sender – a legal entity that creates an electronic document using its own information system and sends it to another legal entity via the System;
Recipient – a legal entity that receives an electronic document and processes it using its own information system in accordance with its applicable internal business processes;
2.4 Technical Systems and Channels
Electronic Document Exchange System – the software and hardware owned or controlled by the Provider through which electronic documents are exchanged (hereinafter the System);
Interface – the means of accessing the Redok EDI Service, including via web application, API (Application Programming Interface), user portal, or any other form of electronic access for the exchange of electronic documents.
e-Mailbox – an individual electronic space within the System, intended for the Subscriber’s received and stored documents.
2.5 Provider’s Services and Channels
Redok Direct Connect – the name of the service provided by the Provider for the purpose of exchanging electronic documents for legal entities that create electronic documents in their own information systems;
Redok WEB – a collective name for a suite of services offered by the Provider to legal entities for exchanging electronic documents, accessible via a web interface.
Web EDI Supplier portal – the Provider’s web interface intended for the Subscriber’s suppliers for the quick and simple exchange of business documents (orders, delivery notes, invoices) without the need for their own EDI system. By using the web interface, the supplier sends and receives documents that are delivered to the Subscriber in the same way as if they had arrived via a standard EDI exchange.
Web EDI Customer portal – the Provider’s web interface intended for the Subscriber’s customers for the quick and simple exchange of business documents (orders, delivery notes, invoices) without the need for their own EDI system. By using the web interface, the customer sends and receives documents that are delivered to the Subscriber in the same way as if they had arrived via a standard EDI exchange.
Speedox Delivery – a service that enables the Subscriber to send large volumes of documents in a controlled manner via electronic mail and secure external links. The Subscriber can track delivery and retrieval status in real-time, including the timestamp and IP address of the recipient.
e-Archive (Document Vault) – a service for the permanent storage of electronic documents on the Provider’s systems, with the option of searching and retrieving data as needed by the Subscriber, in accordance with the retention periods prescribed by law.
2.6 Roles and External Systems
Intermediary (Information Intermediary) – the role assumed by the Provider in accordance with Article 59 of the Fiscalization Act (NN 89/25), acting as an information intermediary for sending and receiving electronic invoices via the System through integration with the Address of Metadata Services (AMS).
AMS (Address of Metadata Services) – the central system of the Tax Administration maintaining a register of taxpayer identifiers, necessary for sending and receiving electronic invoices; all taxpayers must be registered with the AMS to exchange invoices electronically.
PEPPOL (Pan-European Public Procurement On-Line) – an international standard for the electronic exchange of business documents (e.g., e-Invoices, orders, delivery notes) between business entities and public institutions, governed by the OpenPEPPOL organization. The standard enables cross-border interoperability and access to networks of various information intermediaries without the need for individual bilateral agreements.
ARTICLE 3 — SERVICE DESCRIPTION AND SCOPE
3.1 Service Functionalities
The Service enables the Subscriber to:
· send, receive, display, and process e-Invoices and other e-Documents,
· transmit fiscalization messages to the Tax Administration,
· integrate with the Address of Metadata Services (AMS),
· archive and store electronic documents via the e-Archive,
· monitor and generate statistical reports on document exchange, and
· access technical and user support.
3.2 Access Channels
The functionalities of the Service are available via:
· a web interface for end-users,
· an API for integration with the Subscriber’s information systems,
· other access methods supported by the Provider.
3.3 Modifications to the Service
The Provider reserves the right to amend, upgrade, or partially discontinue certain functionalities of the Service to:
· improve the technical stability and performance of the System;
· comply with applicable legal regulations; or
· ensure data protection and security, and address security vulnerabilities.
In the event of material changes to the Service, Subscribers will be notified in accordance with Article 6.6 of these Terms.
ARTICLE 4 — REGISTRATION AND ACCESS
4.1 Registration Conditions
Use of the Service is conditioned upon the Subscriber’s valid registration and the establishment of a Subscription with the Provider. Registration on behalf of the Subscriber may be performed by a legal representative or other authorized person, subject to the submission of appropriate documentation confirming the authority to represent the entity.
4.2 Right to Refuse Registration
The Provider reserves the right to refuse registration if the Subscriber fails to meet formal requirements, if the authenticity of the submitted data is questionable, or in cases of suspected abuse or unlawful activity.
4.3 User Account Allocation
Upon successful registration, the Provider shall assign a user account to the Subscriber and activate its electronic mailbox (e-Mailbox) for document exchange.
4.4 Registration in the AMS
If the Subscriber subscribes to the Fiscalization 2.0 service, the Subscriber authorizes the Provider to submit its identifier data to the Tax Administration's Address of Metadata Services (AMS), a prerequisite for receiving e-Invoices.
The Subscriber shall:
· confirm, via the FiskAplikacija application, that the Provider is its information intermediary for receiving e-Invoices; and
· authorize the Provider via the ePorezna system for eFiskalizacija and eIzvještavanje services.
The Subscriber may revoke this authorization at any time.
4.5 Identity Verification
The Provider reserves the right to verify the identity of the Subscriber and its Users, and to monitor access to the Service to ensure system integrity and lawful use.
4.6 Trial Use
The Provider may, at its sole discretion, grant the Subscriber limited access to the Service in a trial mode, free of charge and for a duration determined by the Provider. Such use:
· is subject to all provisions of these Terms;
· creates no right to continued access or data retention upon expiration; and
· may be terminated by the Provider at any time, without notice and without liability for any data loss.
ARTICLE 5 — SUBSCRIBER’S OBLIGATIONS
5.1 Basic Principles of Use
The Subscriber shall use the Service conscientiously, lawfully, and in accordance with these Terms, applicable regulations, technical specifications, and the Provider’s instructions. The Subscriber shall act in accordance with business ethics and data protection principles.
5.2 Accuracy of Data
The Subscriber shall ensure the accuracy, truthfulness, and currency of all data provided during registration and use of the Service. The Subscriber shall regularly update its contact data (including name, email, phone number, address, company name, and PIN) and notify the Provider of any changes without delay.
The Subscriber represents and warrants that all provided data is accurate, that it has the right to use the stated PIN, that it is using the Service under its real identity, and that it is solely responsible for the accuracy of the information provided.
5.3 Protection of Access Credentials
The Subscriber shall:
· maintain access credentials (username, password, authentication tokens) with due care and in a secure manner;
· not disclose access credentials to third parties, except when strictly necessary for business operations and under appropriate security measures;
· regularly update passwords and other security elements; and
· immediately notify the Provider of any suspected unauthorized access or compromise of credentials.
5.4 Compliance with Laws
The Subscriber shall:
· use the Service exclusively for lawful business purposes, in compliance with all applicable laws and regulations of the Republic of Croatia, including the Fiscalization Act and the Act on Electronic Invoicing in Public Procurement; and
· regularly access its e-Mailbox to retrieve and process received e-Documents in a timely manner.
5.5 Prohibition of Abuse
The Subscriber shall not use the Service for any illegal, fraudulent, or harmful purposes. The Subscriber acknowledges the list of prohibited activities set forth in Article 7 and agrees to refrain from any such conduct.
The Subscriber bears full responsibility for all data transmitted through the Service and for any damages resulting from a breach of these obligations.
5.6 Technical Prerequisites
The Subscriber shall provide and maintain, at its own expense:
· a computer with an active internet connection;
· an up-to-date web browser (latest stable version);
· an active email address; and
· any other technical infrastructure required for the reliable and secure operation of the Service.
The Subscriber is solely responsible for any issues arising from outdated technology, unstable internet connectivity, or inadequate infrastructure.
5.7 Reporting Technical Issues
When reporting a technical issue, the Subscriber shall:
· describe the issue in detail (including symptoms, time of occurrence, and steps to reproduce);
· specify the technical environment (browser type, operating system, version);
· provide all relevant data to aid in reproduction (timestamps, ID numbers, document names, screenshots); and
· remain available for communication during the troubleshooting process.
If the Subscriber fails to provide sufficient information, the Provider is not obligated to resolve the issue or may delay resolution until the necessary information is provided.
5.8 Remote Support Requirements
To facilitate technical support, the Subscriber shall enable a secure remote connection, maintain active internet and voice communication, and grant access to necessary systems and files.
5.9 Internal IT Readiness
The Subscriber shall maintain adequate internal technological and IT capabilities to support the processes of creating, sending, and receiving electronic documents.
5.10 User Management
The Subscriber shall ensure that all authorized Users access the platform exclusively for the Subscriber's benefit and in accordance with these Terms. The Subscriber shall immediately revoke or restrict access for any User whose authorization has expired or who is suspected of abuse, unauthorized conduct, or violation of these Terms.
ARTICLE 6 — PROVIDER’S OBLIGATIONS
6.1 Service Standards
The Provider shall provide the Subscriber with access to the Service in accordance with these Terms and professional, security, and technical standards appropriate for the Service.
The Provider shall maintain System functionality and availability, implement appropriate technical and organizational security measures, and enable the correct transmission, processing, and archiving of e-Invoices and e-Documents in compliance with applicable regulations on fiscalization, electronic commerce, and data protection.
6.2 Service Level Agreement (SLA)
The Provider guarantees a Service availability of 99.8% on an annual basis.
The Service is designed to operate continuously, 24/7, excluding a weekly maintenance window of 8 hours (Saturday 22:00 – Sunday 06:00).
Availability is calculated as the percentage of time the Service is available relative to the total time in a year, excluding scheduled maintenance windows.
6.2a Scheduled Maintenance
Regular System maintenance is performed during the weekly maintenance window (Saturday 22:00 to Sunday 06:00). During these periods, the Subscriber may experience:
· System unavailability of up to 10 minutes;
· processing delays of up to 30 minutes; or
· temporary restrictions on certain functionalities.
Extended Maintenance: Any planned maintenance expected to exceed these limits will be announced to the Subscriber at least two (2) business days in advance (typically by Thursday at 13:00).
Emergency Maintenance: Maintenance outside the regular window may be performed if strictly necessary to ensure System security, data integrity, or legal compliance.
6.2b SLA Exclusions
The availability guarantee in Section 6.2 does not apply to:
· scheduled maintenance periods as defined in Section 6.2a;
· failures or performance issues caused by factors outside the Provider's reasonable control (e.g., internet service provider failures, third-party systems like AMS, or other intermediaries);
· Force Majeure events as defined in Article 14; or
· issues caused by the Subscriber's or Users' actions or omissions (e.g., outdated software, connectivity issues, or credential mismanagement).
6.3 Technical Support
The Provider shall provide technical support during its regular business hours via:
· email;
· telephone;
· remote support platform; or
· website contact form.
Support requests will be addressed within a reasonable timeframe, in accordance with the Provider's internal standards or specific service level agreements.
6.4 Credential Management
The Provider shall issue access credentials (username and password) upon the written request of the Subscriber's authorized representative. Upon written request, the Provider shall reset or change the assigned password.
6.5 System Monitoring and Issue Resolution
The Provider continuously monitors Service availability. In the event of reported malfunctions or disruptions, the Provider shall make reasonable efforts to resolve them promptly. If an error cannot be rectified, the Provider shall propose the best available workaround.
6.6 Notification of Changes
The Provider shall notify the Subscriber in writing of any significant changes to the System or Service. Notice periods are as follows:
· 30 days prior to effective date for standard functionality changes;
· 60 days prior to effective date for material changes requiring technical adaptation of the Subscriber's systems; and
· immediately for urgent security patches or mandatory legal compliance updates.
6.7 Subcontracting
The Provider reserves the right to engage third-party subcontractors and utilize third-party infrastructure, communication, and software components to provide the Service, including but not limited to data transmission services, identification providers, and electronic exchange networks.
6.8 Sub-processor Compliance (GDPR)
The Provider shall ensure that all subcontractors (sub-processors) provide sufficient guarantees to implement appropriate technical and organizational measures in compliance with GDPR requirements.
The current list of sub-processors is available to the Data Controller for review at the Provider’s premises or upon request via email at info@redok.net, as detailed in Article 9.4 of Appendix 1 (DPA).
6.9 Content Liability Disclaimer
The Provider assumes no liability for:
· the content of exchanged documents;
· the accuracy of Sender or Recipient addresses; or
· any data loss or damage resulting from the Subscriber's failure to maintain adequate data backups.
ARTICLE 7 – SECURITY AND ACCEPTABLE USE
7.1 Prohibited Activities
The Subscriber is strictly prohibited from:
· using a PIN (OIB) not belonging to the Subscriber or an entity under its management, or using a third party's PIN without written consent;
· registering the same entity multiple times using different PINs;
· transmitting false or fraudulent e-Invoices (e.g., incorrect amounts, falsified IBANs, or invalid recipients);
· engaging in mass transmission of e-Invoices without a valid business purpose (spam); and
· using third-party data (names, addresses, contact details) without authorization.
7.2 Detection and Monitoring
The Provider reserves the right to implement continuous monitoring measures to detect suspicious activities, including but not limited to:
· monitoring of email domains and PINs;
· automated detection of anomalous usage patterns;
· blocking IP addresses suspected of malicious activity; and
· maintaining detailed audit trails of all system actions.
7.3 Account Suspension
The Provider may temporarily suspend access (without terminating the Agreement) if it determines:
· a security risk to the System, data, or other users;
· suspected abuse or unauthorized use;
· a material breach or omission by the Subscriber that could cause damage; or
· prolonged inactivity (subject to prior notice).
The Subscriber shall be notified of such suspension. Suspension shall remain in effect until the underlying cause is resolved and does not relieve the Subscriber of its payment obligations.
ARTICLE 8 — DURATION, AMENDMENTS, AND TERMINATION
8.1 Term
The Subscription is established for an indefinite period commencing on the effective date of the Service User Agreement, unless otherwise agreed in a separate written agreement.
8.2 Amendments to Terms
The Provider reserves the right to amend these Terms. Subscribers shall be notified at least fifteen (15) days prior to the effective date of any amendments, except when changes are required for legal compliance or security reasons.
Changes to Service functionalities and technical specifications are governed by Article 3.3, which applies independently of this Section.
8.3 Termination for Convenience
The Subscriber may terminate the Service at any time, for any reason ("Termination for Convenience"), via the user interface or by written notice to the Provider. Termination shall become effective on the last day of the calendar month in which the notice is submitted. The Subscriber shall remain liable for all fees incurred up to the effective date of termination. No cancellation fees or exit penalties apply.
AMS Deregistration: The Subscriber acknowledges that termination of the Service results in deregistration from the Tax Administration's AMS associated with the Provider. The Provider shall process this deregistration within seven (7) business days of termination. The Subscriber is solely responsible for timely registration with another information intermediary to ensure continuity of e-Invoice reception.
8.4 Suspension of Service
The Provider may suspend Service access or functionalities without terminating the Subscription if it determines:
· a violation of applicable laws (e.g., Fiscalization Act, GDPR);
· a security risk to the System, data, or other users;
· suspected abuse or unauthorized access;
· misconduct by the Subscriber potentially damaging to the Provider or third parties; or
· account inactivity exceeding twelve (12) months without response to inquiries.
The Subscriber shall be notified of such suspension promptly, typically via email. Suspension shall remain in effect until the underlying cause is resolved.
8.5 Termination for Cause
The Provider may terminate the Subscription immediately, without notice period, if the Subscriber:
· commits a material or repeated breach of these Terms or applicable laws;
· uses the Service in a manner damaging to the System, third parties, or the Provider's reputation;
· fails to settle overdue obligations within fifteen (15) days of receiving a warning;
· is in payment arrears for more than ninety (90) days; or
· uses incorrect, false, or third-party identification data, particularly involving:
o unauthorized use of a PIN or impersonation;
o transmission of fraudulent or malicious e-Invoices; or
o actions compromising Service security or stability.
Termination shall be effective upon delivery of written notice to the Subscriber.
Reporting and Damages: In cases of termination due to security violations or fraud, the Provider reserves the right to report the incident to competent authorities (e.g., Tax Administration, Police) and seek full compensation for damages.
ARTICLE 9 — ACCOUNT CLOSURE AND DATA RETRIEVAL
9.1 Right to Data Retrieval
Following termination of the Subscription, the Provider shall enable a one-time retrieval of available data upon the Subscriber’s written request, provided such request is submitted within sixty (60) days of the termination date.
Data retrieval is conditional upon the settlement of all outstanding financial obligations owed to the Provider.
9.2 Scope of Data
Retrievable data includes records of sent and received e-Invoices and archived e-Documents. Data shall be provided in a structured, machine-readable format consistent with the Service's current technical capabilities. The Provider is not obligated to perform additional processing, format conversion, or data migration to third-party systems.
9.3 Data Deletion
If the Subscriber fails to request retrieval within sixty (60) days of termination, the Subscriber shall be deemed to have waived its right to retrieval. Upon expiration of this period, the Provider may permanently delete all Subscriber data, except where retention is required by law or contract.
9.4 Costs
Standard data retrieval using tools available within the Service is free of charge. If the Subscriber requests specific technical preparation, export to external media, non-standard encryption, or other actions requiring additional Provider resources, such services may be charged in accordance with the valid Price List or a specific quotation.
ARTICLE 10 — LIABILITY AND EXCLUSION OF LIABILITY
10.1 General Liability
Each Party shall be liable for damages caused to the other Party by a breach of its obligations under these Terms, except where such breach results from circumstances beyond the Party's reasonable control (Force Majeure or third-party actions).
10.2 Subscriber’s Liability
The Subscriber assumes full responsibility for all activities conducted through its user account and for any damages resulting from non-compliance with these Terms.
Indemnification: In the event of a breach of Article 5.5, Article 7, or other provisions hereof (including submission of false or third-party data), the Subscriber shall indemnify and hold the Provider harmless against all resulting damages, including direct damages, legal costs, regulatory fines, and third-party claims. Liability for such breaches is unlimited and not subject to the cap set forth in Section 10.5.
Liability for Users: The Subscriber is fully responsible for the actions of all its authorized Users. Any action performed via assigned credentials shall be deemed an action of the Subscriber. The Subscriber is liable for all damages, losses, and legal violations resulting from User activities, without limitation.
10.3 Provider’s Liability
The Provider shall be liable only for direct damages proven to be a direct result of:
· technical failures of the Service under the Provider's exclusive control;
· failure to implement appropriate security measures; or
· unauthorized disclosure of Confidential Information caused by the Provider's intent or gross negligence.
10.4 Exclusions of Liability
The Provider shall not be liable for damage arising from:
· failures, delays, or irregularities of third-party systems (e.g., Tax Administration AMS, other intermediaries, telecommunication providers);
· Subscriber's actions contrary to these Terms (e.g., credential loss, use of outdated software, incorrect data entry); or
· Force Majeure events (unforeseeable and unavoidable events, including natural disasters, war, strikes, epidemics, or widespread internet outages).
10.5 Limitation of Liability
Except in cases of willful misconduct or gross negligence, the Provider's total aggregate liability for any claims arising out of or in connection with these Terms shall be limited to an amount equal to the sum of three (3) monthly subscription fees paid by the Subscriber immediately preceding the event giving rise to the claim.
10.6 Exclusion of Consequential Damages
TO THE FULLEST EXTENT PERMITTED BY LAW, IN NO EVENT SHALL THE PROVIDER BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, REVENUE, DATA, OR BUSINESS INTERRUPTION, WHETHER OR NOT THE PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
10.7 Free Services
If the Service is provided free of charge (e.g., Trial Period or Free Tier), it is provided "AS IS" and "AS AVAILABLE," without any warranties of any kind. The Provider assumes no liability for any damages, data loss, or service unavailability, except where caused by the Provider's willful misconduct.
10.8 Disclaimer of Warranties
EXCEPT AS EXPRESSLY SET FORTH IN ARTICLE 6, THE SERVICE IS PROVIDED WITHOUT WARRANTIES OF ANY KIND. THE PROVIDER SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THE PROVIDER DOES NOT WARRANT THAT THE SERVICE WILL MEET THE SUBSCRIBER'S SPECIFIC REQUIREMENTS OR THAT OPERATION WILL BE UNINTERRUPTED OR ERROR-FREE.
ARTICLE 11 — INTELLECTUAL PROPERTY
11.1 System Ownership
All intellectual property rights in and to the System, including but not limited to source code, object code, data structures, UI/UX design, domains, trademarks, and documentation, remain the exclusive property of the Provider or its licensors.
11.2 License Grant
The Provider grants the Subscriber a limited, non-exclusive, non-transferable, revocable license to access and use the Service solely for its internal business purposes during the Subscription Term. The Subscriber acquires no ownership rights in the System. Sublicensing, resale, or assignment is strictly prohibited without prior written consent.
11.3 Prohibited Actions
The Subscriber shall not, directly or indirectly:
· perform vulnerability scanning, load testing, or unauthorized penetration testing;
· reverse engineer, decompile, disassemble, or attempt to derive the source code of the System;
· access or attempt to access unauthorized areas of the System;
· copy, modify, distribute, or publicly display any portion of the Service;
· remove or alter any copyright, trademark, or proprietary notices; or
· use the Service to build a competitive product or service.
11.4 No Reselling
The Subscriber shall not act as an intermediary, distributor, reseller, or service bureau for the Service without a separate written agreement with the Provider.
11.5 IP Infringement Remedies
Any breach of this Article 11 constitutes a material infringement of intellectual property rights, entitling the Provider to terminate the Subscription immediately without notice, and to seek full compensation for damages, including reputational harm and lost profits.
11.6 Subscriber Data Ownership
The Subscriber retains all ownership and intellectual property rights in the data and documents (e.g., e-Invoices, master data) transmitted or stored via the Service ("Subscriber Data").
The Subscriber grants the Provider a limited, non-exclusive license to use, copy, and transmit Subscriber Data solely as necessary to provide the Service, ensure security, and comply with legal obligations.
ARTICLE 12 — CONFIDENTIALITY AND DATA PROTECTION
12.1 Confidentiality Obligation
Each Party agrees to treat as confidential all non-public information, documents, and data disclosed by the other Party during the Subscription Term ("Confidential Information"), including but not limited to technical solutions, source code, pricing, client lists, and business processes.
This obligation does not apply to information that is: (a) publicly available without breach of this Agreement; or (b) required to be disclosed by law or order of a competent authority.
12.2 Survival of Confidentiality
The confidentiality obligations shall survive the termination of the Subscription for a period of five (5) years, or longer if required by applicable law.
12.3 Data Protection (GDPR)
Personal data processing is governed by the Data Processing Agreement (DPA), attached hereto as Appendix 1.
The Subscriber acts as the Data Controller and the Provider acts as the Data Processor. The Provider shall process personal data solely in accordance with the Subscriber’s instructions and the DPA.
12.4 System Logs and Audit Trails
The Subscriber acknowledges and agrees that the Provider automatically records technical access logs and activity trails (including IP addresses) to ensure System integrity and provide legal evidence. These records constitute the Provider's Confidential Information and shall be used strictly for security, technical support, and compliance purposes.
ARTICLE 13 — PUBLICITY
The Provider is authorized, in accordance with good business practices, to use the Subscriber’s name, logo, and basic identification data to identify the Subscriber as a customer in business references, presentations, and marketing materials.
This right is limited to disclosing the existence of the business relationship and does not extend to Confidential Information or specific details of usage. The Subscriber may revoke this consent at any time by written notice, upon which the Provider shall promptly remove the Subscriber’s name and logo from future marketing materials.
ARTICLE 14 — FORCE MAJEURE
Neither Party shall be liable for any failure or delay in performance of its obligations under these Terms (except for payment obligations) if such failure or delay is caused by a Force Majeure event—defined as an objectively insurmountable and unforeseeable event beyond reasonable control, including but not limited to acts of God, natural disasters, epidemics, war, strikes, sanctions, or widespread infrastructure failures.
Mitigation: The affected Party shall make reasonable efforts to mitigate the impact of the Force Majeure event. The affected Party must promptly notify the other Party in writing, specifying the nature of the event and the estimated duration of the delay.
Termination: If the Force Majeure event continues for more than three (3) months, the unaffected Party may terminate the Agreement with immediate effect, without liability for damages.
ARTICLE 15 — GOVERNING LAW AND JURISDICTION
15.1 Governing Law
These Terms shall be governed by and construed in accordance with the laws of the Republic of Croatia, excluding its conflict of law principles.
15.2 Dispute Resolution
The Parties shall attempt to resolve any dispute arising out of or in connection with these Terms amicably through good-faith negotiations. If no settlement is reached within thirty (30) days of a written request for negotiation, the dispute shall be submitted to the exclusive jurisdiction of the competent court in Zagreb, Croatia (or "at the Provider's registered seat").
15.3 Notices
All notices shall be deemed validly delivered if sent to the email address provided by the Subscriber during registration. The Subscriber is responsible for monitoring its email account. Delivery is deemed effective 24 hours after transmission, unless a delivery failure notification is received.
ARTICLE 16 — FINAL PROVISIONS
16.1 Effectiveness
These General Terms become effective upon publication on the Provider’s website. They apply to all Subscribers from the moment of acceptance during registration or Service activation.
16.2 Modifications
The Provider reserves the right to amend these Terms. Amendments shall be published on the website and become effective on the date specified in the notice (minimum 15 days after publication), unless otherwise required by law.
16.3 Severability
If any provision of these Terms is held to be invalid, illegal, or unenforceable, the validity of the remaining provisions shall not be affected.
16.4 Entire Agreement
These Terms, together with any specific Service Agreements, constitute the entire agreement between the Parties. In case of conflict between these Terms and a specific written agreement signed by both Parties, the specific agreement shall prevail.
16.5 Acknowledgement
The Subscriber acknowledges having read and understood these Terms and accepts them as the binding legal basis for using the Service, without limitation or condition.
APPENDIX 1 — DATA PROCESSING AGREEMENT (DPA)
This Data Processing Agreement ("DPA") forms an integral part of the General Terms of Service and sets forth the obligations and responsibilities of the Parties regarding the processing of personal data, in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation – "GDPR").
1. ROLES OF THE PARTIES
Data Controller – The Subscriber who uses the Service for the purpose of electronic exchange of business documents (EDI), including but not limited to transmitting, receiving, processing, and storing e-Invoices and other electronic documents, and, where applicable, acting in the capacity of an information intermediary pursuant to the Fiscalization Act.
Data Processor – The Provider who processes personal data on behalf of the Data Controller within the scope of providing the Service, which includes acting as an information intermediary. Processing activities cover all available usage channels (Direct Connect, web portals, API integrations, email services, e-Archive) and all types of exchanged electronic documents.
2. SUBJECT MATTER, PURPOSE, AND BASIS OF PROCESSING
2.1 Subject Matter
The subject matter of the processing is the performance of the Service by the Data Processor as defined in the General Terms of Service. The Data Processor processes personal data exclusively within the scope necessary to provide said Service.
2.2 Purposes of Processing
The Data Processor processes personal data exclusively for the following purposes:
a) System Operations: Ensuring the functionality, maintenance, security, and stability of the System across all channels (Direct Connect API, Web Portal, Email Service, e-Archive);
b) Document Exchange: Enabling the transmission, receipt, processing, and display of structured business documents (e.g., e-Invoices, orders, delivery notes) between the Subscriber and its partners, including long-term archiving in compliance with statutory retention periods;
c) Technical Support: Providing technical and user support, including remote diagnostics and issue resolution;
d) Information Intermediary Services: Acting as an information intermediary pursuant to Article 59 of the Fiscalization Act, including integration with the Tax Administration's AMS, transmission of fiscalization messages, and compliance with Fiscalization 2.0 requirements.
2.3 Types of Personal Data
The processing may include the following categories of personal data:
· Identification data: Name, surname, Personal Identification Number (PIN/OIB), title, function;
· Contact data: Email address, telephone number, postal address, geolocation data;
· Data contained in business documents: Sender and recipient identifiers, names of representatives or responsible persons, and any other personal data embedded in the document content;
· Technical records: IP addresses, access timestamps, user activity logs, session identifiers, error and incident reports;
· Authentication data: Usernames, password hashes, multi-factor authentication (MFA) data;
· Audit trail data: Records of access, modifications, deletions, and other data operations.
2.4 Categories of Data Subjects
The personal data processed concerns the following categories of data subjects:
· Employees, representatives, and agents of the Subscriber;
· Business partners, suppliers, and customers of the Subscriber;
· Authorized signatories and proxies of the Subscriber;
· Any other natural persons identified within the content of business documents exchanged via the System.
2.5 Legal Basis for Processing
The processing of personal data is carried out on the basis of the following legal grounds:
a) Article 6(1)(b) of Regulation (EU) 2016/679 (GDPR) — Performance of a contract:
For the execution of the core functionalities of the Service, including the transmission, receipt, processing, display, and archiving of electronic documents, provision of technical support, and maintenance and monitoring of the System;
b) Article 6(1)(c) of Regulation (EU) 2016/679 (GDPR) — Legal obligation:
For performing the role of an information intermediary in accordance with Article 59 of the Fiscalization Act (NN 89/25), including integration with the AMS, delivery of fiscalization messages, and fulfillment of other statutory obligations related to the fiscalization of electronic invoices and the exchange of business documents.
2.6 Duration of Processing
The processing of personal data shall continue for the entire duration of the subscription relationship between the Data Controller and the Data Processor, and shall survive the termination of said relationship solely to the extent required by applicable statutory retention periods and the provisions of Article 4 of this DPA.
3. DATA MINIMIZATION AND SPECIAL OBLIGATIONS
The Data Processor shall store and process personal data in accordance with the principle of data minimization, ensuring that only data strictly necessary for the specified purposes is processed. The Data Controller retains the right to request the deletion or restriction of processing for data that is no longer necessary for the intended purposes.
4. DURATION OF PROCESSING AND RETENTION PERIODS
The processing of personal data shall continue for the entire duration of the subscription relationship between the Data Controller and the Data Processor.
Retention periods following the termination of the relationship:
· Electronic invoices (e-Invoices/F2.0): Retained in accordance with statutory deadlines prescribed by the Fiscalization Act and applicable tax regulations, for a minimum period of 6 years from the issuance date;
· Other electronic documents: Shall remain available for retrieval/export for a period of 60 days following the termination of the subscription relationship, after which they shall be permanently deleted;
· Technical records (Audit trails, IP addresses): Retained for a maximum period of 90 days, unless a different retention period is required by law.
The Data Controller may request the export of all their data within 60 days following the termination of the relationship. Upon the expiration of this period, the Data Processor shall permanently delete all data that has not been retrieved by the Data Controller, with the exception of data subject to mandatory statutory retention obligations.
5. OBLIGATIONS OF THE DATA PROCESSOR
The Processor undertakes to:
a) Process data based on instructions: Process personal data exclusively upon the documented instructions of the Data Controller (whether in written or electronic form), unless required to do so by Union or Member State law to which the Data Processor is subject;
b) Implement security measures: Implement appropriate technical and organizational security measures in accordance with Article 32 of the GDPR and Articles 8 and 9 of this DPA to ensure a level of security appropriate to the risk;
c) Ensure confidentiality: Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (e.g., via employment contracts or Non-Disclosure Agreements);
d) Assist the Data Controller: Taking into account the nature of the processing, assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller’s obligations, including:
· Responding to requests for exercising the data subject's rights (access, rectification, erasure, restriction of processing, data portability, objection);
· Providing assistance in ensuring compliance with obligations regarding the security of processing, data breach notifications to the supervisory authority and data subjects;
· Providing necessary information for the Data Protection Impact Assessment (DPIA) and prior consultation with supervisory authorities, where applicable.
e) Allow for audits: Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller;
f) Return or deletion of data: Upon termination of the provision of services relating to processing, at the choice of the Data Controller, delete or return all the personal data to the Data Controller and delete existing copies, in accordance with the timelines and procedures defined in Article 4 of this DPA, unless Union or Member State law requires storage of the personal data.
6. SECURITY AUDITS
The Data Processor undertakes to conduct security audits performed by an independent certified organization at least once every two years (biennially) in accordance with recognized standards such as ISO 27001 or NIST. A summary of the audit report or a certificate of compliance shall be made available to the Data Controller upon request.
7. INSURANCE
The Data Processor undertakes to maintain a professional liability insurance policy, including coverage for cyber risks and data breaches, with a minimum coverage amount of EUR 100,000.00 per claim or in aggregate. The insurance policy must remain in force for the entire duration of this DPA.
8. MINIMUM SECURITY STANDARDS
The Data Processor undertakes to apply the following minimum security standards for the protection of personal data processed through the Service:
· Encryption of data at rest: AES-256 or an equivalent standard for all databases and file systems containing personal data;
· Encryption of data in transit: Implementation of TLS 1.3 or a newer protocol for all communication channels between the Subscriber and the System;
· Multi-factor authentication (MFA): Mandatory for all administrative access and privileged user accounts;
· Access control: Restriction of access to personal data exclusively to authorized personnel in accordance with the principle of least privilege.
9. SUB-PROCESSORS
9.1 Engagement of Sub-processors
The Data Processor is authorized to engage sub-processors for the provision of the Service. The Data Controller hereby grants general written authorization for the engagement of sub-processors as of the effective date of this DPA.
9.2 Notification and Objection Procedure
The Data Processor shall notify the Data Controller in writing via email regarding any intended changes concerning the addition or replacement of sub-processors, at least 30 days prior to the engagement of the new sub-processor. The notification shall contain the information specified in Article 9.4.
The Data Controller has the right to object to the engagement of a new sub-processor within 14 days of receipt of the notification. If no objection is submitted within this period, the change shall be deemed accepted.
If the Data Controller objects to the appointment, the parties shall endeavor in good faith to resolve the objection within a reasonable timeframe. If a mutually acceptable solution cannot be reached, the Data Controller is entitled to terminate the subscription relationship without a notice period and without penalty.
9.3 Liability for Sub-processors
Where the Data Processor engages a sub-processor for carrying out specific processing activities, the Data Processor shall remain fully liable to the Data Controller for the performance of that sub-processor's obligations and for any acts or omissions of the sub-processor.
9.4 Availability of the List of Sub-processors
The Data Processor shall maintain an accurate and up-to-date list of all sub-processors, which shall be made available to the Data Controller free of charge:
a) Upon written request via email (info@redok.net), within 2 working days;
b) By personal inspection at the Data Processor’s premises, upon the Data Controller’s request, with a prior notice of 5 working days.
The list must contain the following information for each sub-processor:
a) Name of the sub-processor and registered office/location;
b) Type of service provided (e.g., hosting, email service, database management);
c) Categories of personal data processed;
d) Location of primary data processing (country/region).
The list shall be updated immediately upon the occurrence of any change.
10. PLACE OF PROCESSING AND DATA TRANSFER
Personal data shall be processed exclusively within the European Economic Area (EEA). The Data Processor shall not transfer personal data to a third country or an international organization outside the EEA without the prior written authorization of the Data Controller and without ensuring that appropriate safeguards are in place in accordance with Chapter V of the GDPR (e.g., Standard Contractual Clauses under Article 46).
11. PERSONAL DATA BREACH
In the event of a personal data breach, the Data Processor shall notify the Data Controller without undue delay after becoming aware of the breach. The notification shall describe the nature of the breach, the likely consequences, and the measures taken or proposed to address the breach. The Data Processor shall fully cooperate with the Data Controller in the investigation, mitigation, and remediation of the breach.
12. FINAL PROVISIONS
This DPA forms an integral part of the subscription relationship between the Data Controller and the Data Processor based on the General Terms of Service. In the event of any discrepancy between this DPA and the General Terms of Service, the provisions of this DPA shall prevail regarding all matters related to the protection of personal data.
The provisions of this DPA concerning confidentiality, data retention, and final deletion shall survive the termination of the subscription relationship and remain in force for as long as the Data Processor holds any personal data belonging to the Data Controller.