Welcome to the privacy guide for Moment. Our company is committed to following the General Data Protection Regulation (GDPR) laws that have been put into place. Here you will find an overview of what data we are storing and why, what 3rd parties we work with, and the legal and ethical guidelines we follow as a company to ensure the protection of your privacy.

Our procedures

We are open in regards to our internal procedures and protections that we have put into place. All employees have been educated in data handling regulations and confidentiality. They are required to sign an agreement that they have completed their training, and must sign and agree to our data handling guidelines. In addition to educating all staff members, we regularly conduct access level audits and update staff if any changes to the law have taken place.

All of our systems are encrypted with SSL. We do not send any customer/personal data unencrypted over the internet.

Data Processor Agreement & Terms and Conditions

Here you will find the current version of our Data Processor Agreement (DPA) as well as Terms and Conditions:

Sub-processors information pages

Below is a list of the privacy pages to our data sub-processors (as listed in the DPA). Please note that the links below are to third party websites.

Impersonation

Who to contact

Last updated: 21.11.2022

Please read these Terms and Conditions ("Terms") carefully before using the https://app.moment.team/ website or mobile application (the "service") operated by Moment Team AS ("us", "we", or "our").

Your access to and use of the service is conditioned on your acceptance of and compliance with these Terms. These Terms apply to all visitors, users, and others who access or use the service.

By accessing or using the service you agree to be bound by these Terms. If you disagree with any part of the terms then you may not access the service.

Description of service

Moment is a cloud-based software for invoicing, project management, and time registration. When purchasing a subscription, the customer purchases the right to use the services as stated in these Terms as long as the customer has a valid and paid subscription.

Subscriptions and pricing

Moment (the service) is billed on a subscription basis. Billing is done in advance quarterly, unless another agreement has been made at the time of purchase. The customer will be asked to supply certain information relevant to your purchase (billing/financial, company information) in order for us to bill for the service. Invoices are sent by email or electronic invoice.

Unless otherwise specified, all subscriptions are renewed automatically. Services can be canceled and terminated at anytime by the customer, unless another agreement has been made at the time of purchase. If the service is terminated after an advance payment has been received, Moment will credit the customer the remainder of the balance.

Moment Team will add taxes or duties where Moment Team is required by law to pay or collect them, this will be paid by the customer in addition to the subscription fees.

All Moment prices are subject to a yearly index regulation, in line with the development in the market, with the effect from the 1st of January each year.

Additional services and purchases

When purchasing any Moment specific product or service (e.g., Moment courses or professional services), the same information that has been supplied for subscription billing will be used for the billing of purchases. If different billing information is to be used, this needs to be specified at the time of purchase.

Moment offers additional services including in-app purchases and sales in collaboration with third party partners. Payment methods for billing/paying these purchases/sales are specified at the time of purchase/sale.

Termination

If the customer wants to discontinue use of the service, notice including an end date must be given to Moment Team. The customer must ensure to collect all information and data that they desire to retain or have available after the termination takes effect. Moment Team reserves the right to irreversibly delete all company data belonging to the customer within 30 days, after the termination has taken effect.

Termination for default

Moment may, by written notice to the customer terminate the subscription and the terms with immediate effect without any liability whatsoever if, (i) The customer is in material breach of any provisions of the Terms or any agreement with Moment Team, or (ii) The customer or a user uses the services as a part of a crime or any illegal behavior (including without limitation any kind of fraud), (iii) The customer or user uses the services in a manner that may result in losses or the risk of loss for Moment Team AS or any third party; (iiii) Any proceeding in insolvency, bankruptcy, reorganization, or liquidation are instituted against the customer voluntarily or involuntarily.

Upon occurrence of any of the events referred to above, all payments to be made by the customer to Moment Team shall become immediately due and payable.

Payment default of more than 60 days is always considered a material breach, provided that Moment Team has given at least one payment reminder by email. After 60 days of non-payment, Moment team reserves the right to suspend services, which may be returned upon receipt of payment.

If entered into a fixed length subscription agreement, the customer shall be entitled to terminate the subscription and terms with immediate effect if (i) operational disruptions or error occur to such an extent that the customer does not have access to the services for a continuous period of 14 days/ 2 weeks or (ii) Moment Team is in material breach of its obligations under the terms and fails to effect rectification within 14 days.

Legal requirement applicable for the customer

The customer is responsible for compliance with any specific legal requirements for their business (e.g. health or financial). Moment does not guarantee compliance with legal requirements applicable for your use of the services. This includes but is not limited to any legal requirements regarding time registration, invoicing, enforcement of money claims, and outsourcing.

Liability

Subject to the limitations set forward in this clause, Moment Team shall only be liable for direct damages. Moment Team’s liability under the Terms shall be limited to an amount corresponding to the fees paid by the customer for the service during the period of 12 months immediately prior to the breach of contract that entitles damages. Moment Team is not liable for indirect or consequential losses, including but not limited to loss of profits or anticipated savings, loss of revenue, loss of content or any other data.

Maintenance and downtime

Moment Team and the customer agree that the service will not always be completely free of errors and that the improvement of Moment is a continuous process. The successful use of the service is dependent on equipment and other factors (such as internet connection) that the customer has responsibility for. Moment Team will ensure to our best ability that the service is up and running. If a complete disruption in service should occur, this will be resolved within a 24 hour period.

Moment Team reserves the right to make improvements, add, modify, or remove functionality, or correct any errors or defects in the service at its sole discretion, without any liability resulting from such acts.

Force Majeure

Moment Team is not responsible or liable for any failure or delay in performance due to circumstances beyond its reasonable control, including but not limited to, war, riots, embargoes, acts of civil or military authorities, fire, floods, accidents, service outages resulting from equipment and or software failure, telecommunication failure, power failure, or failure of third party service provider. The performance of this agreement shall then be suspended for as long as any such event prevents the affected party from performing its obligations under this agreement.

Intellectual property rights

The agreement between Moment Team and the customer does not constitute a transfer of any intellectual property rights from Moment Team. Moment Team retains ownership of all intellectual property rights and know-how related to the service, including present and future versions. The customer has no right to sell, lend, sub-license, distribute in any way (free of charge), create derivative works of, copy, frame, access, or try to get access to the source code of, mirror or reverse engineer any part or feature of the service.

Proprietary rights in content

All content uploaded to, transferred through, posted, entered or processed through Moment by the customer/users shall remain the sole property and responsibility of the customer or its respective legal owner. Moment has no liability or responsibility for such content. The customer owns and is responsible for all data, information, and material of any kind uploaded into the service by the customer or users. The customer is data controller for all data inputted into the service, including personal data.

Confidentiality

Both parties agree not to disclose confidential information about the other party or contractual details to any third party except for the purpose of providing the services, fulfilling obligations set out in the Terms, or fulfilling any legal requirement.

Moment Analytics

We collect anonymized data for industry statistics, and publish this data for the customers and public. It is optional to participate.

Norwegian law

These terms shall be governed by and interpreted in accordance with the laws of Norway. Any disputes shall be referred to and finally resolved by the courts of Norway. The legal venue is Oslo City Court.

Changes

We reserve the right, at our sole discretion, to modify or replace these Terms at any time. If a revision is material we will try to provide at least 30 days notice prior to any new terms taking effect. What constitutes a material change will be determined at our sole discretion.

Contact Us

If you have any questions about these Terms, please contact us at privacy@moment.team.

Last updated: 13.05.2022

What is impersonation?

Impersonation is a function that allows our support team, product owners, company administrators/management and senior developers to access your Moment account. We can impersonate a user’s live account, or their account in a mirrored environment that has no effect on their live account. This means that we can see and access all the contents of your Moment account.

Why do we use impersonation?

We use this feature to answer technical support questions and check on issues as they are reported. If a user reports a problem that we are not able to replicate in our mirrored environment, then it may be necessary for us to access your profile to investigate the problem.

How do we track this?

We maintain logs of who is impersonating what account, and at what time. This allows us to conduct internal audits to make sure that this feature is being used for its intended purpose.

Who has access to this function?

Currently, only staff that have an immediate need to access profiles to provide technical support have access to impersonation. We regularly audit security access for employees to ensure that only those who need access to these features have access. All employees are trained in data handling regulations and sign data handling guidelines.

We describe herein a typical onboarding process for a new customer. Based on our experience we offer an onboarding package. This package includes a specific number of hours for communication, meetings and preparation between Moment and the customer. This is enough for an ordinary onboarding as described in the phases of implementation in this page. However, should the hours included in the onboarding be exceeded then Moment will bill for these hours which will be priced as per Moment’s consulting rate. The customer will be notified when the included hours have been used.

Moment offer accepted

Moment Team will present the client with a detailed price offer, and ask for a decision within a certain date. The offer acceptance date is the starting point of the subscription to Moment, the implementation timeline herein described and the onboarding towards a transition of the client to Moment.

Preparations

Our initial preparations cover activities such as:

• Access to customer’s current systems.

• Consulting client on various topics.

• Plan the different flows that the client will use in Moment.

• Revised import based on feedback, if requested in the offer.

• Providing customer with a checklist of information needed for start-up consulting

During our final preparations we will:

• Prepare every detail for the start-up session.

• Perform the data import provided that it has been requested and approved by the customer in an offer from Moment.

Start-up Consulting

The start-up consulting consist of two remote/online sessions:

Single start-up session (remote)

In a defined date in which the customer will move over to Moment. It covers the setup of Moment and training based on the client’s needs:

• Review of the final import and Moment setup for employees (admin users)

• Introduction to system basics such as time registration, time balance, vacation and leave (all users)

• Introduction to setup of clients, projects, activities, price models (project managers)

• Introduction to invoicing and set up export/integration towards accounting system (administrative users)

• Introduction to reporting and set up export of hours and travel expenses towards salary system(s) (administrative users)

First billing session (remote)

Before you start billing in Moment we walk you through the whole process to make sure that everything runs smoothly when doing your first billing cycle with the new system. This is often done remotely by sharing screens.

We provide a wide range of consulting services that cover simple tasks such as setting up your tag system, creating and implementing new routines or setting up new systems or integrations with Moment. If you have more advanced needs, one of our consultants can help you address project management, profitability, workflow optimization, accounting integration, resource planning and best use of Moment on a more dedicated basis so we can make sure to assess areas for improvement and implement best practices for the client’s company.

A few examples of common additional consulting services related to onboarding and data import follows:

Finding the perfect workflow

Analysis of the company’s routines and advice on how to get the most out of Moment based on your needs, before training. We often see that when companies change systems, eg. for project management, a new line of possibilities opens, and there can be internal discussions on how to adapt routines to the possibilities Moment gives. This normally happens during training and we see that it is not necessarily the best use of time, since many project managers will take part and spend a lot of (non-billable) time. We highly recommend to book a meeting with our onboarding representative to go through your needs so that we can suggest solutions on how to use Moment in the best way - before the training starts. In that way you will feel more in control of how the system works and how you want your employees to use the system.

Tailored user manual for your company

We make a user guide for your company explaining the core steps of processes in Moment, eg. how to set up a project, add price models, create invoices and make reports

Last updated: 23.05.2022

Reporting Vulnerabilities

We will verify the report and take corrective action as soon as possible, then notify our users and the relevant authorities of the issue.

Compliance and Infrastructure

General Data Protection Regulation (GDPR)

Data controlled by our customers and provided via our application and API is ultimately our customers' responsibility under the GDPR, but we provide tools such as data retrieval via API, custom data retention policies through access control, as well as strict security practices which allows our customers to remain compliant as well.

Infrastructure

Amazon Web Services, which hosts Moment Team, supports multiple security standards and compliance certifications including EU-U.S. Privacy Shield, PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, NIST 800-171, ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1.

Infrastructure Security

• Physical security: All data centers have multiple 2FA checks, alarms, vehicle access barriers, perimeter fencing, metal detectors, biometrics, laser beam intrusion detection, interior and exterior cameras with tracking, security guards, access logs, and more.

• Hardware security: Stripped-down, custom-built servers and network equipment with a chip-based root of trust for verification, identification, and authentication, a secure boot stack with cryptographically signed BIOS, bootloader, kernel, and base operating system image, and automated patching of firmware and software vulnerabilities. Virtual appliances are isolated from the host and each other via a highly customized version of the Xen hypervisor.

• Network security: A private, global fiber-optic network extending to points-of-presence near the end user's local ISP, with automatic encryption of all internal WAN traffic using AES, logically isolated virtual private cloud networks spanning all data centers, hardware-rooted cryptographically authenticated control plane calls, fully distributed firewall rule enforcement, IP spoofing protection, and systematic anomaly detection.

• Data security: All data is encrypted at rest with the industry-standard AES cipher, using regularly rotated encryption keys that are integrated with cryptographically authenticated service identities and automatically deleted on service termination. All storage is also encrypted at the hardware level, and decommissioned disks are securely erased with two independent verification processes and physically destroyed on-premise.

• Employee security: All Amazon employees undergo relevant background checks and security training, and must sign confidentiality agreements. Only a small group of employees have access to customer data, on a least-privilege need-to-know basis, with all access monitored by dedicated audit teams. Physical access to data centers is kept down to a bare minimum. All employee access is authenticated, authorized, and encrypted using a 2FA based security model.

Application Security

Authentication and Access Control

Users log in to their Moment Team accounts either by using our standard authentication system with two-factor authentication by default with a one-time password (OTP) provided through sms, email, or the Google Authenticator App, or via login page from a third-party using the OAuth2 protocol over secure connection.

We do not gain access to any external resources that might be linked to a Moment user account through an API key. Users of our API can also implement their own authentication solution to connect with external systems. The API key can be managed from within Moment.

Customers can customize access control for individual authenticated users by assigning them to various roles as required. Customers can also set custom access rules i.e. on absence or expense approval by matching individual authenticated users to specific self-defined tags.

Encryption

Data Retention and Removal

We record a complete version history for transactions and documents submitted via our web application and API. Much of the data in the system has very strict auditing requirements that extend to years (e.g. invoicing transactions) and that we are legally required to keep. Contact related data and files can be deleted via our application and API. After removal, data might still be retained in our backups, to allow for recovery in the case of accidental or malicious removal. Access to backups is highly restricted, and is provided only to Moment employees who work with infrastructure maintenance as part of their daily roles.

Application Development Lifecycle

We use continuous delivery to enable rapid and systematic development, testing, and deployment of our product, with automated error reporting and monitoring to alert us of problems. This ensures a quick and effective response to potential bugs and security issues, and reduces the risk of human error.

Data Security and Privacy

Encryption

Access Control

Employees access central resources using two-factor authentication via Moment, Google or Github Accounts, and only have access to the systems required for their role. All remote access is encrypted, either via HTTPS transport level security or via VPN connections. Employees will never directly access customer-controlled data unless required for support reasons which are always triggered by a direct customer request or related to a bug.

Internal services are isolated from the Internet to the extent possible, and only have access to the specific resources they need, with the minimum necessary privilege level, using a combination of service-specific cryptographically signed access tokens or passwords and network-level firewall rules.

Data Access

Users might need access to customer related data, processing of customer data and documentation of processing of customer data. This data will be available through the Moment platform for as long as the user has a valid Moment subscription. Otherwise Moment can make such information available to the user as raw data from a database dump of a customer's company or a set of companies in Moment for a fee.

Data Retention and Removal

Security Audits and Software Upgrades

We perform internal security audits on a need by need basis. Software upgrades are performed every 3 months to ensure our systems are secure and reliable, and take immediate measures whenever significant security vulnerabilities are discovered.

Geographic Location

Moment uses data centers in Norway and the EU. All customer-controlled data provided via our Service and/or API is stored permanently within the EU and/or Norway. However, during delivery to end users it may be stored transiently in locations outside of the EU, such as in CDN caches, networking equipment, and browser caches, depending on user location (e.g. offices abroad in Asia or the Americas).

Third-Party Processors

We have vetted the security and compliance of all such processors, and all transfers are performed securely and in line with best practices. Processors outside of the EU all comply with the current privacy law, and have signed data processing addendums with us for the processing of personal data. We never share any customer data, personal or otherwise, with third parties unless employed by us under contract as data processors.

Business Continuity

High Availability

Moment Team is built using fully redundant and distributed systems. We run our application and systems across multiple data centers, and can withstand the loss of a single component without significant service disruptions. Components are regularly taken out of service during routine maintenance, without affecting availability, and AWS migration technology transparently migrates virtual machines to other hosts prior to infrastructure maintenance.

Incoming traffic is load balanced across our backend infrastructure. Our backend systems can be scaled to handle increased load.

Data centers have primary and alternate power sources, as well as diesel engine backup generators, each of which can provide enough electrical power to run the data center at full capacity. Data centers also have automated fire detection and suppression equipment.

Backups

In addition to real-time replication across data centers, our databases are continuously backed up on location. Backup data is encrypted and is only accessible by employees working with infrastructure maintenance.

Disaster Recovery

We make reguler full copies of our data in backups on location, for disaster recovery purposes. This is managed by separate infrastructure, using separate access controls, and is only accessible by named employees.

Although our web frontend systems are distributed across the world (via the user’s browser), our backend systems currently run across data centers in the EU (Ireland, Germany and/or Sweden). If required by customers, we might consider implementing a fully global backend infrastructure, with customer-controlled data placement. In the highly unlikely event of a region-wide outage or similar disaster, we can fully recover to a different region with no data loss within 96 hours.

Uptime

Corporate Security

Employees

All employees of Moment Team AS and Millnet AB are required to sign confidentiality agreements, and are only given access to the systems they need for their role. Employee computers are secured with encrypted hard drives and firewalls, and access to central resources and third-party services are always encrypted and protected with two-factor authentication, using a combination of passwords, time-based one time passwords on dedicated devices, and cryptographic private keys. Our offices are secured with alarms and a combination of electronic and mechanical locks, with access logs.

Consultants and Freelancers

We use a number of consultants and freelancers in our daily operations. All consultants are carefully vetted and are required to sign a work agreement with Moment Team AS before beginning work. The agreement outlines the confidentiality of the data the consultant will have access to while working at Moment.

Access for consultants is carefully monitored, and we use a “least-privileged” access policy, meaning that consultants only have access to systems they strictly need to perform their day to day work.

Disclosure Policy

ProjectHelp Note

Summary

Moment uses the same security mechanisms for data transfer as standard online banking and is being developed with regard to privacy legislation with a strong focus on security. This, together with good routines for operation and production setting, ensures a very stable system.

We very rarely experience downtime or problems. The system runs on a set of servers that share the load between them. Thus, individual servers can be taken out for updating without downtime. This also allows for flexible scaling of capacity. The system provides low latency and good response times under high load from many concurrent users.

1. The purpose of the Data Processor Agreement

The purpose of this Data Processing Agreement (the “DPA”) is to regulate the parties' rights and obligations in connection with the Data Processor (Moment Team AS, org.nr: 927 234 238) processing personal data on behalf of the Data Controller (the customer). The purpose of the DPA is to comply with the requirements for data processor agreements according to the Norwegian Personal Data Act (LOV-2000-04-14-31) and Personal Data Regulations, cf. section 15 of the Personal Data Act. The Agreement also seeks to comply with the General Data Protection Regulation ((EU) 2016/679). This DPA therefore aims to fulfill the statutory requirements in Norway after the General Data Protection Regulation has been implemented in Norwegian law.

2. The processing of personal data

The Data Processor processes data on behalf of the Data Controller in order to provide the Service to the Customer. The Service is further described in the Terms. The Data Processor will process the following types of personal data on behalf of the Data Controller:

• Name, contact information, IP address, location, occupation, social identity, customer data, financial data, company data and other data inserted into the Service by the Data controller or the Data Controller’s representatives or Users. The personal data is connected to the following categories of data subjects: Employees of the Data Controller and customers of the Data Controller. The Data Processor shall only process personal data for the following purposes:

• Entering into and fulfilling the service agreement with the Data Controller.

The Data Processor shall not process personal data in any other manner than what is agreed in the terms and conditions or agreed upon between both parties.

3. The Data Processor's duties

When processing personal data on behalf of the Data Controller, the Data Processor shall follow the routines and instructions stipulated in this DPA. The Data Processor is obliged to give the Data Controller access to their written technical and organizational security measures. See clause 6.

Unless otherwise agreed or pursuant to statutory regulations, the Data Controller is entitled to access all personal data being processed on behalf of the Data Controller and know the systems used for this purpose. Such access will be available for the Data Controller through the Service upon request. The Data Processor is subject to an obligation of confidentiality regarding documentation and personal data that the Data Processor gets access to under the DPA. This provision also applies after the termination of the DPA. The Data Processor is obliged to ensure that persons who process the data for the Data Processor, have committed themselves to confidentiality, and shall upon request disclose such declarations to the Data Controller or the authorities. The Data Processor shall not process personal data outside the EU/EEA without proper disclosure and consent of the Data controller. If the transferring of personal data to a country outside the EU/EEA or to an international organization outside the EU/EEA is required according to law in a EU/EEA member state which the Data Processor is subject to or EU/EEA law, the Data Processor shall inform the Data Controller of such requirement prior to the processing, unless the law prohibits such information from being given.

4. The Data Processor’s opportunity to use sub-processors

The Data Processor may use the following sub-processor(s), divided into two categories. The first is sub-processors that are required for the daily function of the application and are universal for all users (hereafter “Universal sub-processors”). The second is integrations with sub-processors that the Data Controller must choose to opt into (hereafter “Optional sub-processors”). If the Data Controller chooses not to use an optional sub-processor, no data will be shared with this third party:

Universal sub-processors

• Mailchimp

• Mandrill

• Freshdesk (Freshworks)

• Amazon Web Services

• Google Analytics, Maps, Charts, Fonts

• Google Workspace Business Standard

• Slack

• Unit4

• Twilio

• Pipedrive

• Datadog

• Sentry

• Tripletex

• Microsoft Azure

• Consultants and Freelancers

• Netigate

• Hubspot

Optional sub-processors

• Nets

• InExchange

• Maventa

• Qlik Sense

• Scrive

• Iver

In addition, the Data Processor has the right to use other sub-processors, but is obliged to inform the Data Controller of any intended changes concerning the addition or replacement of Universal sub-processors, so that the Data Controller has the opportunity to object to the changes. The information shall be given at least 4 (four) weeks prior to the planned changes taking effect. If the Data Controller objects to the change, the Data Controller has the right to terminate the DPA. Where the Data Processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in this DPA shall be imposed on that other processor. The Data Processor is obliged to enter into a written agreement with any sub-processors to ensure this, and shall present the agreement(s) to the Data Controller on request.

5. Transfer of personal data outside the EU / EEA

The Data Processor uses the following sub-processor(s) outside the EU/EEA:

• Mailchimp, processing takes place in the USA. The legal basis for this processing is EU-U.S. Privacy shield/ Swiss-U.S. Privacy shield certification.

• Mandrill, processing takes place in the USA. The legal basis for this processing is EU-U.S. Privacy shield/ Swiss-U.S. Privacy shield certification

• Freshdesk, processing takes place in the USA. The legal basis for this processing is EU-U.S. Privacy shield/ Swiss-U.S. Privacy shield certification

• Google Analytics, Maps, Charts, Fonts, processing takes place in the EU and USA.The legal basis for this processing is EU-U.S. Privacy shield/ Swiss-U.S. Privacy shield certification

• Google Workspace, processing takes place in the EU and USA. The legal basis for this processing is EU-U.S. Privacy shield/ Swiss-U.S. Privacy shield certification

• Twilio, processing takes place in the EU and USA. The legal basis for this processing is EU-U.S. Privacy shield/ Swiss-U.S. Privacy shield certification Full information on all sub-processors and the data they are processing can be found at https://privacy.moment.team/. Apart from this, the Data Processor may not process or use sub-processors that process personal data outside the EU/EEA. Processing outside EU/EEA is subject to prior written approval from the Data Controller. The Data Processor shall ensure that there is a legal basis for the processing of data outside the EU/EEA, or facilitate the establishment of such legal basis.

6. Security

The Data Processor shall fulfill the requirements for security measures in the Personal Data Act and the Personal Data Regulations. The Data Processor shall through planned and systematic measures implement appropriate technical and organizational measures to ensure a satisfactory level of security, e.g. in relation to confidentiality, integrity and availability. The Data Processor shall document routines and other measures made to comply with these requirements regarding the information system and security measures. The documentation shall be available at request by the Data Controller and the authorities.

Any notification to the authorities regarding personal data breaches shall be given by the Data Controller, but the Data Processor shall notify any breach directly to the Data Controller. The Data Controller is responsible for reporting the breach to the Data Protection Authorities. Notifications regarding personal data breaches according to the General Data Protection Regulation shall be notified by the Data Processor to the Data Controller, and the notification shall contain sufficient information so that the Data Controller may assess whether the breach must be notified to the authorities or to the data subjects. The Data Processor’s obligations to assist the Data Controller in fulfilling the obligations of the General Data Protection Regulation article 32 to 36, is considered fulfilled by the Data Processor’s obligations according to this DPA. Considering the nature of the processing performed by the Data Processor and the information available for Data Processor, this assistance is considered sufficient. To the extent the Data Controller requires additional assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service. The Data Processor may also refuse, unless the Data Processor’s assistance is necessary in order to be able to fulfill the Data Controller’s obligations.

7. Documentation and security audits

The Data Processor shall have documentation that proves that the Data Processor complies with its obligations under this DPA and the General Data Protection Regulation. The documentation shall be available for the Data Controller upon request. The Data Processor shall regularly conduct security audits, and shall submit the results of the audit to the Data Controller. The Data Controller shall be entitled to request audits and inspections regularly, for systems etc. covered by this DPA, in accordance with the requirements of the Personal Data Act, the Personal Data Regulations and the General Data Protection Regulation. Audits may be carried out by the Data Controller or a third party mandated by the Data Controller.

8. Fulfilling the rights of the data subjects

The Data Processor’s processing on behalf of the Data Controller is not of a nature which makes it necessary or reasonable for the Data Processor to fulfill or assist in fulfilling the Data Controller’s obligations towards data subjects. To the extent the Data Controller requires assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service. The Data Processor may also refuse, unless the Data Processor’s assistance is necessary in order to be able to fulfil the Data Controller’s obligations.

9. The duration of the DPA and the processing

The DPA applies as long as the Data Processor processes personal data on behalf of the Data Controller according to the Terms. The Data Processor will permanently erase all personal data and other data relating to the Customer and personal data for which the Customer is Data Controller according to the Terms within the timeframe stated therein, unless the Data Processor is required by law to store the personal data.

10. Termination

The DPA may be terminated in accordance with the termination clauses in the Terms. A termination of the Terms also constitutes a termination of the DPA.

11. Return, deletion and/or destruction of data upon termination of the DPA

Upon the termination of the DPA, the Data Controller may collect all personal data processed under the DPA through the Service. The technical aspects of this are set out in the Terms. The Data Processor will permanently erase or anonymize all personal data and other data relating to the Customer and personal data for which the Customer is Data Controller according to the Terms within the timeframe stated therein, unless the Data Processor is required by law to store the personal data.

12. Law and legal venue

This DPA is governed by the laws of Norway and the parties accept that Oslo District Court (Oslo tingrett) is the legal venue. The Data processor has limited legal liability as referenced in the Terms.

Last updated 8th of February 2023

Moment’s Standard Import includes data that we typically import as part of the transition from another project management system. The data we import is detailed in this page, but only if the data is available in your current system in a meaningful, logical format. We'll have an ongoing dialogue during the import process, and agree on solutions if any questions or challenges arise.

A Standard Import only covers what is described in this section. Should you request any additional data to be imported, or any additional consulting services related to data import, you will be billed for these services additionally. Such services are priced per consulting hour.

Employees

• Name

• Title

• Phone #

• E-mail

• Working hours

• Photograph

Customers

• Customer number

• Customer name

• Company registration number (org.no)

• Phone #

• Website URL

• Mail address for the customer (not email of the invoice receivable)

• Address

Contacts (for your customers)

• Name

• Job title

• Phone #

• E-mail

Projects

• Project number

• Project name

• Customer

• Start date

• End date

• Project status

• Address

Time Tracking Records (Hours)

• Coworker

• Project

• Activity, Phase or similar

• Date

• Hours

• Billable hours

• Work description

• Internal note

• Invoice status

Absence records

• Coworker

• Date

• Number of hours / minutes

• Absence category

• Description

Invoice information*

• Which project the invoice is from**

• Invoice number

• Invoice date

• Due date

• Original invoice text for each product line (where it is possible to retrieve), or a total line with information that it has been imported from the previous system

• VAT percentage

• Quantity

• Price***

• Currency

• Bookkeeping account

*NB! We do not import the actual PDF Invoice to Moment. If you need this to be done additionally, please see the Advanced Import section below for details.

**NB: Here we are dependent on a link between project and invoice in the previous system. Sometimes invoices are only connected to customers. If there is no link between invoice and project, we will create a "dummy" project where all invoices will be collected and then the invoices will be linked to the correct customer, if there is a link between invoice and customer in the previous system.

***NB: This is about prices in finished / old invoices and not pricing of hours / product / etc. that will be billed in the future. Project prices are NOT included as standard import, and it's best that you have control over and submit this yourself. You are responsible for updating the price model for all projects in Moment before billing can take place.

Last updated: 29.05.2020

We know how critical your billing system is. For this reason, we strive to make sure your transition to Moment is done as smoothly as possible. We onboard customers to Moment multiple times per week, and we approach this in a structured and streamlined way to make sure you and your team gain the confidence you need to get started with our services in a good way and until you are finished with your first billing as described below. From there on, our support team will be your contact point. End-user support for day-to-day Moment tasks is included in our subscription services.

‌A typical onboarding covers what is described in the “implementation timeline and services” section below. Should the customer request any optional add-ons, training or additional consulting services related to onboarding then Moment will bill these services additionally. Such services will be priced per consulting hour.

Customer responsibilities

During the transition from your existing system to Moment we need to be in contact with people in your end and we need that all stajkeholders in your end get a good understanding of the process and steps of a transition to Moment.

General onboarding information

We expect that you get acquainted with the onboarding process by following these steps:

• Send info about your main point of contact (name, email and phone number), who will be responsible for the transition to Moment. If more than one person, please specify.

• Give all necessary information concerning requirements from your accounting software and other software that needs info from/to Moment. The onboarding team will help you with the settings in Moment, but you are responsible that it is correct. This includes tax accounts, number series, KID and OCR-agreement.

• Stop registering hours and other elements in you previous system once you have started using Moment the import has started. If you register something in the previous system during/after you have started using Moment you must add it to Moment manually.

• If using Moment for invoicing, stop invoicing in previous system once import has started. Both invoices and expenses can only be made in Moment after import and start up.

• In general: Be available for requests from Moment Team AS in the transition phase.

• Contact the support team when you need help, at +47 22 82 87 00 / help@moment.team

Data import information

When doing an import our team will cooperate closely with the customer and we expect you to be available during the import process and get acquainted with the data importing process by following these steps:

• Give access to information (current tools, accounting software, etc) and let us know if there is anything special we should be aware of when doing the import.

• Stop registering hours and other elements in you previous system once the import has started. If you register something in the previous system during/after import you must add it to Moment manually.

• After the import, you must do a thorough review of the data, edit time balance and add price models manually.

• If using Moment for invoicing, stop invoicing in previous system once import has started. Both invoices and expenses can only be made in Moment after import and start up.

• In general: Be available for requests from Moment Team AS in the transition phase.

• Contact the support team when you need help, at +47 22 82 87 00 / help@moment.team

Moment responsibilities

In a transition to Moment you will likely be in contact with the following teams at Moment

Onboarding Team

A member of our onboarding team will be appointed as your main point of contact. This person will be in charge of your transition to Moment and will coordinate communication and activities such as access to your systems, data import, start-up consulting and help you during your first billing cycle. This team has a lot of experience doing this as we do this several times per month. We know that Moment is critical for your daily company operations, so we have good established routines and processes in place which we follow to make sure that your transition happens as smoothly as possible.

Support Team

When deemed necessary the Moment’s support team will provide additional support for general requests, and ensure support during the working day for the client’s employees. This includes support by phone, email and screen sharing - which will be provided upon request. Once the transition to Moment is finished, typically after the start-up session, our support team will be your main point of contact for day to day operations and any support inquiries you might have.

Product and Development Team

We have a highly competent product and development team which will be engaged when customers require Product Development or related advanced consulting services such as new functionality, features or integrations to be implemented in Moment. Such services are priced per consulting hour and are agreed upon separately from other services such as onboarding or data import. In the case of such assignments one of our Product Managers will be the customer’s main point of contact.

Last updated: 29.05.2020

Moment offers a range of courses for administrators, quality and project managers and other super users of our business tool. These are provided for your convenience in the form of private and open courses delivered online:

• Private courses: additional training for client’s staff in the form of a tailor made private course. We recommend that this training be performed after the client has been familiarized with Moment, eg. 1-6 months after start-up. Course package details will be presented separately and at client’s request.

• Public courses: We provide a range of public courses. Course package details will be presented separately through our newsletter, website, order form or at client’s request.

By ordering training from Moment you confirm order bookings and that your company will be sent an invoice for the course fee within 14 days. It is not possible to cancel courses, but if one or more attendees of your company are not be able to attend we can reserve a place for a course later.

Last updated: 29.05.2020

When your company transitions to Moment, you have the option of importing essential data from you current project management system. This is an optional service, but most of our new clients make use of it. With data import, you can start using Moment almost as if it's always been your project management system, since mostly all data will be there.

We offer the following options:

Import services only cover what's described in the respective import services sections. Every import is done per system and per company, so multiple companies require multiple imports and multiple systems require multiple imports. Should you request any additional data to be imported, or any additional consulting services related to data import, you will be billed for these services additionally. Such services are priced per consulting hour.

Import Data and Shipping Policies

Information we need from you before import, to ensure proper mapping:

• Bank Account Number.

  • To import invoices, we need to enter this number in advance.

• 2 sample invoices in PDF-format.

  • Occasionally there are many different numbers and fields that are similar to each other in a database or in the reports we receive before the import. By looking at the sample invoices, we make sure that the numbers we enter are actually correct.

• Example page from 2 different projects with a lot of project data.

  • Preferably with as much different information as possible - some hours, project name, project number, the customer it belongs to etc. We need this for the same reason we need the invoices.

This can be sent to us in the following ways

• If local server based: Backup of your database (.zip if large files).

• If cloud based: Username and password for admin account to the Moment import team so we can retrieve information directly.

• Alternative option: Complete database in XLSX format.

We offer a basic data import which is based on a Template provided by Moment and filled in by the customer.

A Basic import covers only what is described in this section. A minimum charge applies for every basic import requested by the customer.

Basic import only allows import of basic data on customers, projects and employees into Moment. This is a self-service option and you are in charge of filling in the information in our Moment Basic Import Excel file. The file will then be sent by you to the Moment's onboarding team, who will import the data into Moment.

In this section is described what we normally do not import during a transition to Moment. However, in some cases there is business-critical data that customers want in Moment, so we have compiled an overview of such needs which can be requested by the customer.

To the extent that it is possible to do so, we can provide the services described in the sections in this page. All such services will be provided by customer request and will be priced per consulting hour, without exceptions.

Help with organizing import data

We recommend this if you request a data import!

We have experienced several times that the data in the previous system (that we can import to Moment) needs a go through to make sure everything is in order. Systems often have different ways of organizing the data (eg. project and customer numbers, e-mail addresses and other info could be setup up in different ways, sometimes we have seen negative time records and there can be duplicates and other issues). We encourage all new users to do a “clean up” before starting the import. With our long experience of imports from different systems we can help you to find which data that should be gone through. In that way you will have a much better experience when you start with Moment and see that all the imported data is in order

Extra/additional imports

Sometimes you might want to have an extra round of import, either from another system, or you want something additional to what you agreed on in the first place, eg. invoice pdf’s or expenses. Also, if the data that was imported was not “cleaned up” correctly in advance of the import (which is the responsibility of the customer, but we can help you out - see point above), there might also be a need to do parts of the import over again. We can help you with extra imports as long as the data is available. See the Moment Onboarding - Data Import document for details.

Extra time balance / flex time

We do not import this, so you'll have to make adjustments to each employee's balance when you start using Moment. It's usually very simple and easy, and we'll show you how to do it. This is a one-time job that only needs to be done once.

Holiday balance

You must define this for each employee yourself. We do not have an overview of how many vacation days the different employees have each year and how much they can transfer from last year. This is very easy to adjust, and we'll show you how.

Some invoice info: Credit terms, due and payment status

Credit terms for specific projects are not transferred, and you should define this yourself for a) Company wide level, b) Customer level or c) Project level.

All invoices that are past due are set as paid. You must then go through and remove the payment on the overdue invoices that have not yet been paid.

Project pricing - hourly rate, fixed price, product price, etc. at both current and historical hours and projects

As a rule, we do not import this. Often it is more straightforward to set prices for projects that are to be invoiced in Moment than to have them imported. Especially when talking about different hourly rates for different employees, where the price may have also evolved over time. There may also be different prices for different activities / phases within the project. Such things make importing such data a little challenging. If there is a great desire to include hourly rates, we can look into it and get this imported if it can be done in a good way.

PDF Invoice

We have the option to import the actual invoice PDF (which has previously been sent to the customer). This requires that we either receive it or if it is possible to retrieve it for us in another way. Here we need to have 1 physical file per invoice (not 1 PDF with eg 10000 pages where each page is an invoice) and the file name contains the invoice number.

Set-up of invoice exports and integration

This is something you set up after the import, preferably together with the accountant. Some accounting systems only have the option of exporting (where your invoice manager manually exports via a button after each invoice via a download file or e-mail) and some have full integration where invoice information flows into the accounting system on an ongoing basis. You need to consult with your accounting consultant what is possible, and there is an overview in Moment which setup we have available. We can also help set this up if you wish.

Activities, tasks and products

If possible, this is something we can export from the old system and import into Moment.

Additional customer information

Additional customer information beyond what is described in our Standard import section is not included. If possible, this is something we can export from the old system and import into Moment:

• Customer status (whether the customer is active or not)

• Customer reference (which appears on the invoice)

• Invoice recipient (e-mail address to which invoices on the customer in question should be sent)

• Any tags

Status of hours - invoiced or not invoiced

This is something you have to go through yourself since in most cases we do not have the opportunity to have an overview of what is invoiced and not. At Moment, you can choose between "not approved", "approved", "invoiced" and "returned for correction". If possible, this is something we can export from the old system and import into Moment.

Expenses

This is something we don't normally import, but if the previously used system has a good overview of expenses that can easily be imported into Moment, this is something we can help with. These elements will then be possible to get into place in Moment:

• Which project and activity the expense belongs to

• Expense category if something has been used

• Description of the expense

• The title of the expense

• Employee who has had the expense

• Date

• Number

• Price

• Invoice status (if the expense has been invoiced or not)

• Whether the expense is billable or not

Tags

If feasible, this is something we can export from the old system and import into Moment.

Checklist

If feasible, this is something we can export from an old system or from existing documents and import into the Moment Quality Management System for use in projects and tasks.

Import from several different systems

This will be relevant when data is in both the accounting system and the time tracking system or similar. If possible, we can import from both systems although this will count as two different imports.

Updated number series to match the accounting system

Customers, projects and invoices may have number series that do not match what the accounting system requires. This means that the transfer of invoice information from Moment to the accounting system can crash. This is something we can help with updating.

Other

If you feel that something is missing from the overview here, that you really want to bring with you in Moment then just let us now and we will look into it. If it is possible to import, then we will do what we can to get it done.

Last updated: 13.05.2022

Overview

This is the privacy policy for the free Moment Mobile app. This service is provided by Moment Team AS at no cost and is intended for existing users of Moment project management web application. This app acts as an extension of the Moment project management web application, and requires a Moment subscription and login.

Personal data that we collect

In order to login to this app you need an existing Moment login. The personal data which you may provide to us could include:

• Name, email address

• IP address

• Any photos uploaded into the service (e.g. expense receipts)

Any data inputted into the service is used solely for the purpose it is provided for. Moment Team AS does not use any customer data for other purposes.

Data processing and storage

All data processing takes place in accordance with GDPR regulations. The app stores your login information. Any photos inputted into the app are uploaded into the Moment software and stored there. Any photos taken in the app are saved in your Camera Roll/Photo Gallery.

Third party processors

Security

The security of your personal data is very important to us. We put systematic measures into place to ensure a satisfactory level of security, in relation to confidentiality, integrity and availability. All data sent between the app and service is encrypted using HTTPS.

Norwegian law

This policy shall be governed by and interpreted in accordance with the laws of Norway. Any disputes shall be referred to and finally resolved by the courts of Norway. The legal venue is Oslo city court.

Changes to this privacy policy

We reserve the right to change, modify, add, or remove portions of this privacy policy at our discretion. If any material changes are made to this policy, we will provide at least 14 days notice prior to the new policy taking effect. What constitutes a material change will be determined at our sole discretion.

Contact us

Last updated: 31.03.2020

Fakturasalg av Moment og Aprila Bank

Fakturasalg er ny tjeneste som tilbys direkte i Moment. Det koster ingenting å aktivere tjenesten og den fungerer sømløst som et valg under faktureringen din som gir deg muligheten til å selge fakturaer og få penger inn på konto i løpet av 24 timer.

Du velger selv om du vil selge eller fakturere på vanlig måte. Det vil alltid vœre tydelig hva den nøyaktige kostnaden av å selge en faktura er.

Tjenesten er et samarbeid mellom Aprila og Moment. Banktjenesten leveres av Aprila som tilbyr enkle finansieringsløsninger for små og mellomstore bedrifter direkte i deres faktureringssystem. Moment er en formidlingskanal for tjenesten.

Ved å søke om bruk av denne tjenesten godkjenner du samtidig avtalevilkårene som beskrevet i dette dokumentet. For å kunne bruke tjenesten må du registrere selskapet ditt i Aprila Bank. Kort tid etter dette vil du få et varsel i Moment om at tjenesten er klar for bruk.

AVTALEVILKÅR FOR FAKTURASALG

Aprila er en leverandør av banktjenester for bedriftsmarkedet. Aprila og Moment har i samarbeid utviklet en løsning der Aprilas banktjenester tilbys direkte i Moment sitt faktureringssystem og Moment er en formidlingskanal for tjenesten.

For å kunne tilby denne tjenesten trenger vi ditt samtykke for å oversende følgende informasjon fra Moment til Aprila:

• Selskapsinformasjon for ditt firma

• Regnskapsinformasjon for ditt firma

• Din e-postadresse

• Dine kunders e-postadresse

Fakturaens kriterier:

• Fakturamottaker er en bedrift med adresse i Norge og et gyldig, norsk organisasjonsnummer

• Fakturaens beløp er i norske kroner og pålydende er 200 kroner eller mer

• Fakturaen er ikke av type abonnement eller samlefaktura

• Fakturaen er av type elektronisk og ikke en papirfaktura

• Fakturaens betalingsfrist er 90 dager eller mindre

• Fakturaen må være utstedt færre enn 45 dager etter levering/ferdigstillelse

• Det kan ikke være en internfaktura hvor det på en eller annen måte er et nærstående forhold mellom kjøper og selger

Alle personer med faktureringstilgang i Moment kan i utgangspunktet selge en faktura, så vœr oppmerksom på hvilke personer som har denne tilgangen i kontoen.

NB! Det er viktig at solgt faktura er oppført med korrekt fakturamottaker (org.nr). Salg av faktura kan ikke reverseres etter at transaksjonen er sent til utbetaling. Dersom fakturaen må krediteres kan ikke salgskostnaden tilbakebetales.