Terms and conditions
For the use of Cardtokens Services
Last revised August 30, 2022
The following are terms of accessing and/or using Cardtokens website and Service (hereinafter “the Service”). By accepting the terms described in this document (hereinafter “the Agreement”) and/or using the Service, you are stating that you agree to be bound by all terms without modification, conditions, or notices.
Cardtokens was created by and is a Service of Cardtokens ApS, CVR. 42967920 (hereinafter “Cardtokens”)
Cardtokens is a Scheme Token aggregator and offers all the benefits of scheme tokenization with a single, API-based integration. Our platform is scheme agnostic, providing access to the tokenization services of multiple schemes without the need for separate integrations and certifications with each platform/scheme.
At any time, Cardtokens tries to have as high an uptime as possible. However, a specific uptime cannot be guaranteed, among others, due to the nature of the internet. Cardtokens uptime, measured over a month, is usually about 99,9 %.
Cardtokens continuously maintains and updates the infrastructure, servers, and software to ensure high uptime. Such maintenance that can lead to downtime in shorter periods is, as far as possible, carried out when there is minimal impact on our Customers. Cardtokens will warn the Customers about maintenance by email in good time before the maintenance is carried out.
Encryption of data
All communication in the Service of the cardholder data from the Customers to Cardtokens and Cardtokens storage of such data happens in encrypted form. Cardtokens uses in this connection an SSL certificate issued by AWS. The SSL certificate's validity can be verified anytime on Cardtokens website; www.cardtokens.io.
Cardtokens performs a daily backup of all servers and software. The backup is carried out and stored according to VISA/MasterCards PCI DSS Standard. Go to the official website to review the PCI DSS Standard compliance requirements.
If the Customer loses data because of Cardtokens conditions, Cardtoken will assist the Customer in re-establishing these data based on the last functioning backup. The Customer cannot make further claims against Cardtokens regarding data loss.
If the Customer loses data due to conditions that Cardtokens is not responsible for, including the Customers own conditions, Cardtokens will, at a separate cost, assist the Customer in re-establishing the data from the last functioning backup to the extent possible. However, the Customers are always recommended to make backups of their data.
In relation to the establishment of the present Agreement, the Customer is given a username and password, which the Customer must use to access the back office of Cardtokens Service.
Customer should always keep their username and password a secret. If the Customer suspects that a third party knows their password, they must immediately inform Cardtokens.
Cardtokens can make requirements to the length and complexity of the Customers password and can at any time discretionarily require that the Customer changes their password.
API Keys and access
The Customer must create API keys before connecting to the Cardtokens API. The API keys can be created and deleted from the back office to Cardtokens Service.
Customer should always keep their API keys a secret. If the Customer suspects that a third party knows their API keys, they must immediately inform Cardtokens and delete the API keys.
All Cardtokens servers are secured with an updated anti-malware software.
Customer should ensure their computers and/or servers with updated anti-malware software. If Cardtokens, on several occasions, receives malware or similar from the Customer, Cardtokens can interrupt the connection to the Customer and can also require that the Customer installs and updates their anti-malware software.
Control of security
Cardtokens infrastructure is certified and security approved according to the PCI DSS Standard of VISA/Mastercard and undergoes a yearly IT audit performed by an approved IT security company.
Quarterly, an approved IT security company performs scanning of Cardtokens servers and networks to increase security and avoid unauthorized intrusion.
Cardtokens strives to avoid any misuse of its Services but cannot guarantee that misuse or intrusion in Cardtokens infrastructure cannot happen.
If the Customer suspects misuse of cardholder data or Cardtokens Services, or that intrusion in Cardtokens infrastructure has happened or will happen, Cardtokens must be informed. Likewise, the Customer must immediately notify Cardtokens if they have been a victim of misuse of cardholder data or attempt to or actually intrusion of the infrastructure that the Customer uses.
If Cardtokens considers that the Customer is misusing the Service, violating the security regulations and guidelines issued by Cardtokens or provider, or that misuse is happening from a domain belonging to the Customer, Cardtokens is, without warning, entitled to cease the Customers use of the Service or deny access to the Service from the domain in question.
Forwarding of cardholder data
The Customer is not entitled to forward cardholder data to own or third-party’s servers unless the payee, including the Customer, is specifically PCI DSS certified.
If Cardtokens discovers that the Customer carries out such forwarding, Cardtokens will immediately interrupt the Customers use of Cardtokens Services. The Customer can only regain access to Cardtokens Services when they can demonstrate compliance with all legal requirements and PCI DSS Standard rules for payees.
Cardtokens is, in such cases, entitled to inform the relevant authorities and companies, including the providers, etc., just as Cardtokens can require that the Customer informs specific authorities, companies, or card holders.
Cardtokens complies with the at any time existing legislation for its firm and its Services. Cardtokens also comply with the requirements from the related acquirers, VISA and Mastercard, and Cardtokens also comply with the PCI DSS Standard.
The Customer is obliged to comply with the existing legislation, conditions imposed by the provider(s) with whom the Customer has made an agreement, as well as the current requirements for payees in the PCI DSS Standard.
Cardtokens does not assume responsibility for the legality of the Customers use of the Service or the content of the data sent by the Customer in connection with the solution. It is solely the Customers responsibility to comply with legislation towards their customers and third party.
The Customer indemnifies Cardtokens for any claim that third party or public authorities might raise against Cardtokens in the case of alleged violations of third-party rights or the Customers violation of existing legislation or conditions imposed by the provider. In the case of such requirements, Cardtokens is, without warning, entitled to hinder the Customers use of Cardtokens Services.
Price and payment
The current prices for Cardtokens Services are shown on Cardtokens website. The prevailing price at the time of the Customers order of the Services in question also appears from the order confirmation sent to the Customer by mail. All prices are stated excl. of VAT.
Cardtokens is entitled to change its prices with 3 months notice. The Customer will be notified of an increase in prices by an email sent to the email address that was informed by the Customers contact person.
The Customer is invoiced prior to a subscription period. Related to the first invoice, which is issued when entering into the Agreement, the Customer will also be invoiced for the establishing and other agreed Services for the subscription period.
The invoice is sent to the Customer by email to the email address informed by the Customers contact person.
Sent invoices are due for payment 8 days after the invoice date at the latest.
Objections to the invoice must be sent to Cardtokens within 5 working days. After this, the invoice is considered to be accepted by the Customer.
In the case of late payment, Cardtokens is entitled to charge interest of 1,5 % per month commenced of the whole due amount from the due date to payment is carried out.
Support and communication
Contact to Cardtokens
If the Customer has questions about the operation of Cardtokens Services, they can find answers to many questions on Cardtokens website or technical documentation.
If the Customer does not find the answer on the website, they can contact Cardtokens by email or chat.
Contact to the Customer
The Customer is always obliged to and responsible for informing Cardtokens of a change of address, email address, or other contact information.
The Customer must ensure that Cardtokens is always in possession of at least one of the Customers email addresses, which the Customer regularly checks for new emails. The Customer is obliged to whitelist emails from Cardtokens. The email address will be used by Cardtokens, among others, to send invoices, information about the operation etc.
The Customer accepts that Cardtokens is continuously sending emails regarding changes and news about Cardtokens to the email address given by the Customer. If the Customer does not want to receive such emails, they must inform Cardtokens in writing.
The Agreements entry into force and termination
The agreement and the subscriptions entering into force
Customers can try Cardtokens for free in the test environment. The subscription will start when the Customer agrees to upgrade the account to the production environment.
Unless otherwise specifically agreed between the Customer and Cardtokens the subscription period is 1 month.
Automatic renewal of subscription
Unless the Customer has ended the agreement with Cardtokens, see item "Termination", or it has been otherwise terminated, a new subscription period starts when the previous subscription period ends.
If the Customer is not using the Service, Cardtokens will not consider it a discontinuance of the Service.
The agreement can by each party be terminated in writing with three months notice to the end of the subscription period.
If the Customer wishes to terminate the agreement, they can send a written termination to Cardtokens.
If one of the parties is substantially breaching his/her obligations according to the present agreement and the breach has not been remedied, at the latest, 14 days after the non-breaching party has sent a written claim hereof to the breaching party, the non-breaching party is entitled to repeal the agreement for the future.
A substantial breach is, among others, missing or late payments.
Right to repeal
As a business professional, the Customer has not the right to repent regarding the entered agreement.
Privacy, Personal Data etc.
The parties are obliged to keep confidential any information brought to their knowledge about the other party or his/her conditions related to the carrying out of the present agreement, including the content of the present agreement.
The Customer is not entitled to use Cardtokens Services to do business in competition with Cardtokens, unless this is specifically agreed upon.
Nothing in the agreement hinders Cardtokens do business in competition with the Customer. Thus, Cardtokens are entitled to do any form of business, regardless that it is competing with the Customers business.
Transfer of agreement
The Customer is not entitled to transfer rights and obligations to a third party regarding the present agreement without Cardtokens written consent.
Cardtokens is entitled to entirely or partly transfer its rights and obligations to a third party regarding the present agreement.
Cardtokens is at any time entitled to change specifications for the Services, just as Cardtokens, at any time without notice, can change security rules and guidelines if, after Cardtokens estimation, it is necessary or appropriate for security reasons.
Such changes will be notified on Cardtokens website, and Cardtokens will also send an email informing about the changes to the Customer. Cardtokens will try to give a time limit before the changes enter into force but cannot guarantee this.
At any time, the present terms and conditions can be changed by Cardtokens with 3 months notice. A change of the terms and conditions will be notified on Cardtokens website, and Cardtoken will also send an email to the Customer informing about the change. If Cardtokens has notified changes of the terms, which are to the Customers disadvantage, the Customer is entitled to terminate the present agreement with one month notice to expiration at the same time as Cardtokens 3 months change notice. If the Customer has not terminated the agreement to expiration at the same time as Cardtokens 3 months change notice, the Customer will be bound by the changed terms.
Cardtokens has all rights, including copyrights, to the code and other material made available to the Customer in connection with the present Agreement.
The Customer only obtains a time-limited, non-exclusive user right for the code and other material made available to them and is not entitled to copy the code or other material to a larger extent than necessary, in consideration of the use that the present Agreement is providing.
The Customers usage of the code and other material made available to them is always conditional on timely payment of any outstanding to Cardtokens.
The Customers violation of these rights is considered a substantial breach of the agreement.
The parties are responsible to each other according to the general rules of Danish law.
Cardtokens liability to pay damages to the Customer, regardless of the degree of negligence, including liability for accidental damage, can never exceed an amount equal to the fee for the last 12 months paid by the Customer to Cardtokens before the damage occurred, and Cardtokens cannot be held accountable for the Customers indirect losses, including but not limited to; loss of earning, lost profit, lost goodwill or other business-related losses, e.g. losses suffered by third party, loss of data and other consequential damage. The disclaimer also applies to product liability to the extent not precluded by invariable laws.
No party can be held accountable for non-compliance of the agreement or damage suffered by the other party as a direct or indirect consequence of the party suffering from force majeure. Force majeure is among others, war, mobilization, natural disasters, strike, lockout, fire, damage by water, trade restrictions, virus or hacker attacks, breakdown or failures of communication systems, blackout, subcontractors’ force majeure as well as other unforeseen circumstances, which the party in question could not prevent by fulfillment of reasonable efforts.
Any dispute between Cardtokens and the Customer concerning or arising from the present terms and conditions must always be decided upon by Danish law – with the exception of Danish legal rules on choice of law and venue – under Cardtokens home jurisdiction in Denmark.