Terms of service

These general conditions (”General Conditions”) shall be applied to any and all services provided by Tangible Growth Oy Ltd (Lapinlahdenkatu 16 c/o Maria01, 00180, Helsinki, Finland, 2895395-4) (“Provider”), unless separately otherwise agreed in writing.

Agreement (“Agreement”) shall mean these General Conditions together with any purchase order or similar document submitted by Customer to Provider for rendering services as defined in Section “Service Description” (“Services”).

Billing and Pricing

All prices are VAT 0 and without any other taxes.

Billing shall take place monthly by charging Customer’s credit card according to the pricing of the Standard product offering valid on the date of accepting the Agreement.

Billing shall be applied for the number of users provisioned on the date of the billing.

Term and Termination

The Agreement term is ongoing starting at the date of the acceptance of the Agreement.

The Agreement can be terminated with 3 months notice period.  

Right to use as Reference

Provider has right to use the Customer logo in their sales and marketing material.

Provider has a right to use the Customer as a reference.

Limitation of Liability

The liability of a Party towards the other Party based on this Agreement for direct expenses and damages caused by a termination or breach of this Agreement shall not exceed the amount paid by Customer for the Services during the twelve (12) month period immediately prior to the Customer’s notice for the Services that are the subject matter of or directly related to the cause of action asserted. In case of a material breach of the Agreement, the liability of a Party towards the other Party based on this Agreement for direct expenses and damages shall not exceed the amount paid by Customer for the Services in total.  

In no event will either Party be liable for any indirect, incidental or consequential damages or expenses, including but not limited to loss of profits and lost savings, or for the loss of, damage to, or alteration of data or data files of the other Party due to any cause and the resulting damages and expenses incurred, such as expenses based on the recreation of data files.

The limitation of liability shall not apply to damages caused by gross negligence or willful conduct or breaches of confidentiality obligations.

General Legal Clauses

General Responsibilities of the Provider

Provide the service as per agreement, manage the security and availability of the service.

General Responsibilities of the Customer

  • Manage the security of the authorizations, manage the securely manage employee credentials used to access the service.
  • Manage the devices used to access the service and maintain up-to-date versions of browsers and operating systems.


Copyright and other intellectual property rights to the Services shall belong to the Provider or to a third party.

The Customer shall receive a worldwide, temporary, non-sublicensable, untransferable and paid license to use the Services as set forth in this Agreement. The Customer is entitled to make such copies of the material in the Services as may be necessary. The copies shall contain the same copyright, trademark, and other labels as the original copy of the Services.

For sake of clarity, the intellectual property rights for insight analysis, action suggestions, and other parts of the information that are provided as part of automated or expert analysis of the Customer employee input data belong to the Provider. The Customer receives a right to use this data to guide their decision making and competence development.

The intellectual property rights of Customer data that the Customer inputs to the service belong to the Customer, with the exception of the wellbeing part, where Customer employees may give sensitive information about themselves. Examples of this information include objective and target setting and follow-up and change program feedback.


Warranties Each Party warrants that it has the authority to enter into this Agreement and, in connection with its performance of this Agreement, shall comply with all laws applicable to it related to data protection and privacy, international communications and the transmission of technical or personal data.  

The Provider warrants that during the Term (i) the Service shall perform materially in accordance with the Documentation; (ii) the functionality of the Service will not be materially decreased during the Term; and (iii) to the best of its knowledge, the Service does not contain any malicious code.

The Provider further warrants that it will not knowingly introduce any malicious code into the service.

Warranty Remedies.

In the event of a breach of the warranty set forth above, (a) the Provider shall correct the non-conforming Service at no additional charge to Customer, or (b) in the event the Provider is unable to correct such deficiencies after good-faith efforts, The Provider shall refund Customer amounts paid that are attributable to the defective Service from the date Provider received such notice.  Customer shall use its reasonable endeavours to notify the Provider in writing within thirty (30) days of identifying a deficiency, but Customer’s failure to notify the Provider within such thirty (30) day period shall not affect Customer’s right to receive warranty remedies unless the Provider is unable, or impaired in its ability to, correct the deficiency due to Customer’s failure to notify Provider within the thirty (30) day period. Notice of breaches of the warranty above shall be made in writing to the Provider in accordance with the notice provisions of this Agreement.  The remedies set forth in this sub-clause shall be Customer’s sole remedy and the Provider’s sole liability for breach of these warranties. However,  if the breach of warranty constitutes a material breach of the Agreement and Customer elects to terminate the Agreement in accordance with the Clause entitled “Termination.”


Except as expressly provided herein and to the maximum extent permitted by applicable law, the Provider makes no warranties of any kind, whether express, implied, statutory or otherwise, and specifically disclaims all implied warranties, including any warranties of merchantability or fitness for a particular purpose with respect to the Service and/or related Documentation.  The Provider does not warrant that the Service will be error free or uninterrupted.  The limited warranties provided herein are the sole and exclusive warranties provided to Customer in connection with the provision of the Service.

Confidential Information

Definition. “Confidential Information” means information or materials disclosed by one Party (the “Disclosing Party”) to the other Party (the “Receiving Party”) that are not generally available to the public and which, due to their character and nature, a reasonable person under like circumstances would treat as confidential, including, without limitation, financial, marketing, and pricing information, trade secrets, know-how, proprietary tools, knowledge and methodologies, the Software (in source code and/or object code form), information or benchmark test results regarding the functionality and performance of the Software, any Software license keys provided to Customer, and the terms and conditions of this Agreement.

Confidential Information shall not include information or materials that (i) are generally known to the public, other than as a result of an unpermitted disclosure by the Receiving Party after the Effective Date (ii) were known to the Receiving Party without an obligation of confidentiality prior to receipt from the Disclosing Party; (iii) the Receiving Party lawfully received from a third party without that third party’s breach of agreement or obligation of trust; or (iv) are or were independently developed by the Receiving Party without access to or use of the Disclosing Party’s Confidential Information.  

Obligations. The Receiving Party shall (i) not disclose the Disclosing Party’s Confidential Information to any third party, except as permitted below (Permitted Disclosures) and (ii) protect the Disclosing Party’s Confidential Information from unauthorized use or disclosure by exercising at least the same degree of care it uses to protect its own similar information, but in no event less than a reasonable degree of care. The Receiving Party shall promptly notify the Disclosing Party of any known unauthorized use or disclosure of the Disclosing Party’s Confidential Information and will cooperate with the Disclosing Party in any litigation brought by the Disclosing Party against third parties to protect its proprietary rights. For the avoidance of doubt, this Section shall apply to all disclosures of the parties’ Confidential Information as of the Effective Date, whether or not specifically arising from a party’s performance under this Agreement.

Permitted Disclosures. Notwithstanding the foregoing, the Receiving Party may disclose the Disclosing Party’s Confidential Information without the Disclosing Party’s prior written consent to any of its Affiliates, directors, officers, employees, consultants, contractors or representatives (collectively, the “Representatives”), but only to those Representatives that (i) have a “need to know” in order to carry out the purposes of this Agreement or to provide professional advice in connection with this Agreement, (ii) are legally bound to the Receiving Party to protect information such as the Confidential Information under terms at least as restrictive as those provided herein, and (iii) have been informed by the Receiving Party of the confidential nature of the Confidential Information and the requirements regarding restrictions on disclosure and use as set forth in this Section. The Receiving Party shall be liable to the Disclosing Party for the acts or omissions of any Representatives to which it discloses Confidential Information which, if done by the Receiving Party, would be a breach of this Agreement. Additionally, it shall not be a breach of this Section for the Receiving Party to disclose the Disclosing Party’s Confidential Information as may be required by operation of law or legal process, provided that the Receiving Party provides prior notice of such disclosure to the Disclosing Party unless expressly prohibited from doing so by a court, arbitration panel or other legal authority of competent jurisdiction.


Except for procedures involving injunctive relief, any litigation arising from or in connection with this Agreement, also to its validity, interpretation, performance or its termination, shall be solved by the parties in an amicable way and, if not possible, the litigation shall be submitted to arbitration in Helsinki, Finland in conformity with the Rules of the Finland Chamber of Commerce. The arbitral decision is final and binding.  

Force Majeure

Neither Party shall be liable for any failure or delay in performance under this Agreement for causes beyond that Party’s reasonable control and occurring without that Party’s fault or negligence, including, but not limited to, acts of God, acts of government, flood, fire, civil unrest, acts of terror, strikes or other industrial action (other than those involving Provider or Customer employees, respectively), computer attacks or malicious acts, such as attacks on or through the Internet, any Internet service or telecommunications provider (a “Force Majeure Event”), but in each case, only if and to the extent that the non-performing Party is without fault in causing such failure or delay, and the failure or delay could not have been prevented by reasonable precautions and measures and cannot reasonably be circumvented by the non-conforming Party through the use of alternate sources, workaround plans, disaster recovery, business continuity measures or other means. The Party affected by the Force Majeure Event shall (a) as soon as reasonably practicable after the start of the Force Majeure Event, notify the other Party in writing of the Force Majeure Event, the date on which it started, its likely or potential duration, and the effect of the Force Majeure Event on its ability to perform any of its obligations under this Agreement; and (b) use all reasonable endeavors to mitigate the effect of the Force Majeure Event on the performance of its obligations. Dates by which performance obligations are scheduled to be met will be extended for a period of time equal to the time lost due to any delay so caused.


Each Party shall comply with the export laws and regulations of the United States and other applicable jurisdictions in providing and using the Service.  Without limiting the generality of the foregoing, Customer shall not make the Service available to any person or entity that:  (i) is located in a country that is subject to a European Union, United Nations or U.S. government restriction or embargo, including being identified as prohibited or restricted parties on a European Union, United Nations or U.S. government list; or (ii) is engaged in activities directly or indirectly related to the proliferation of weapons of mass destruction.   


All notices of this Agreement shall be in writing to the contact details listed under section “Contacts”.

Service Usage

Provider has right to block individual users or the Customer from using the Service if there is a strong reason to suspect the Service is being misused.

Any user accounts that are inactive for an extended period will be removed, thus anonymizing the data. This means the individual employee would not be able to see their personal history after a long-term leave of absence.

Other Clauses

The Provider uses third parties to deliver the Service and are responsible for them towards the Customer as if they were the Provider’s employees. In cases where the 3rd parties may process parts of Customer data for analysis, they are covered by at least as limiting contracts and practices as the provider.

Service Description

Service Summary

A cloud based modern service currently consisting of the following capability areas:

  • Target setting using OKRs, where Customer can define what level they choose to set the targets as and then continue to report on the status of those.
  • Insights, where Customer management can choose to ask relevant questions about engagement, strategy and other transformation understanding or ideas - and in the future receive a semantic topical analysis based on the input. We utilize machine learning for the topic analysis.
  • Transformation communication - where a 1-pager can be created/shared to help employees understand the chosen direction
  • Common Understanding - a module where teams create a shared picture of what the change means in their context

The Service is continually updated.

The Service includes the ability to gather insight from employees, which in future versions will be analyzed and then the results are made available.

Insight analysis is a combination of man and machine – when the machine is confident enough, the insight is made available near instantly. In cases where the machine is not sure, the results are verified with a human. In these cases, it can take a while to get the results, depending on the amount of results and the workload.  

Functionality and the grouping into service areas may change, and all new services or functionality are not necessarily included in the subscription. If something would be removed from the existing subscription (such as EOL of a feature) that will be communicated 3 months prior.

Provider reserves unilateral right to develop the Service. Older versions of the Service are not supported.

Service Limitations

Service works on modern common browsers (Chrome, Edge, Firefox, Safari) on PCs and Macs.

Service mobile application is supported for latest major versions of Android and iOS.

Responsibilities of the Provider

The provider commits to delivering the Service with agreed service levels as described in the service level agreement.

The provider is responsible for secure development and maintenance of the Service and all the subcomponents.

Responsibilities of the Customer

The Customer commits to using the Service only in ways that are legally allowed and as defined in this contract.

Service Levels

Service component / Service Level

Core Service Platform and API  Availability

99.5% over 30 days

Service Change Requests (user roles, etc)

5 business days

Service Incident response Time (excluding service outages)

5 business days

Security Incident Response Time

3 business days

Change Management Suggestions + Guidance

Through Consultancy, Credits or Partners

Planned maintenance Windows

The Provider reserves the right to perform planned maintenance of the Service on weekends.

The maintenance will be communicated two weeks prior to the planned outage.

Service support availability

Service Support requests and Incident Response requests are initiated by contacting Provider via email: support@tangible-growth.com

Service requests are only accepted from registered contact points.

If the request is pending action or more information from the Customer, the clock is stopped.

Business hours

Provider support organization resides in Finland, and thus on GMT+2 (+ daylight saving adjustment). Business hours and business days follow the Finnish holiday calendar. 


Privacy Officer


Authorized Technical Support Contacts








Processing of personal data


In accordance with the EU General Data Protection Regulation, the terms below are defined as follows:

“Controller” shall mean the Customer or the Customer’s client, who shall define the purposes and methods of Personal Data Processing.  

“Processor” shall mean the Provider, who shall Process Personal Data on behalf of the Controller based on the Agreement.  

“Processing” or “Processing Activities” shall mean any operation or set of operation which is performed on Personal Data or sets of personal data using automated means or manually, such as data collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Personal Data” shall mean any information relating to an identified or identifiable natural person, hereafter ”Data Subject”; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Obligations of the Provider and the Customer

The Provider shall process the Personal Data of the Controller on behalf of, and commissioned by the Customer, on the grounds of the Agreement. The Personal Data that the Provider Processes may relate to, e.g. employees or customers. The Customer or the Customer’s client shall be the Controller and the Provider shall be the Processor of the Personal Data Processed in the service. The parties undertake to abide by the legislation, decrees and authority orders and guidelines concerning Processing of Personal Data in force from time to time both in Finland and EU.

The Controller shall be liable for having the necessary rights and justifications, and for having obtained the necessary consents for the Processing of Personal Data. The Controller shall be liable for drafting the privacy policy and informing the Data Subjects. The Customer is responsible for the validity of the personal data is has delivered to the Provider.

The Controller is entitled and obligated to define the purpose and methods of the Processing of Personal Data. The subject, character and purpose of Processing is defined in more detail in the Agreement. The types of Personal Data and sets of data subjects Processed in the services have been defined in the section Processing Specification Form.  

The Provider is entitled to Process the Personal Data and other data of the Controller only on the grounds of the Agreement, this Agreement and according to the written guidelines of the Customer and only to the extent and in a manner, it is necessary in order to provide services. The Provider shall notify the Customer if any conflict with the data protection legislation of EU or Finland is detected in the guidelines and in such a case, the Provider may immediately decline and stop the application of the guidelines of the Customer.

The Provider shall maintain the service description or other record of the Processing Activities of the service in cases where it is required to do so by the EU General Data Protection Regulation. The Provider is entitled to collect anonymous and statistic data of the use of the services pursuant to the Agreement, that does not specify the Customer nor data subjects and uses it for analyzing and developing its services.

Deletion or Returning of Data

After the expiry of the Agreement, the Provider shall return or delete, according to the guidelines of the Customer, all the personal data of the Controller and delete all duplicates, unless applicable legislation requires the retention of the Personal Data.  


The Provider may use subcontractors for Processing the Controller’s Personal Data. The Provider is responsible for its subcontractor’s actions as for its own and shall draft written agreements with the subcontractors concerning the Processing of Personal Data. If requested, the Provider shall inform the Customer beforehand of subcontractors the Provider intends to use in processing the personal data pursuant to the Agreement. The Customer is entitled to oppose the use of a new subcontractor on reasonable grounds. If the Parties are unable to reach an agreement concerning the use of a new subcontractor, the Customer is entitled to terminate the Agreement with thirty (30) days’ notice, in so far as the change of subcontractor affects the Processing of Personal Data pursuant to the Agreement.

Provider’s Obligation to Provide Assistance

The Provider shall immediately forward all requests to inspect, rectify, erase or object to the Processing of Personal Data or other requests received from the Data Subjects, to the Customer. If requested by the Customer, the Provider shall support the Customer in fulfilling the requests of the Data Subjects.  

The Provider is obligated, taking into account the nature of the Processing of Personal Data and the data available, to assist the Customer in ensuring that the Customer complies with its legal obligations. These obligations may include requirements related to data security, notifying of data breaches, data protection impact assessments as well as obligations regarding prior consultations. The Provider is obligated to assist the Customer only to the extent that applicable legislation obligates the Processor of Personal Data. Unless otherwise agreed, the Provider is entitled to invoice the expenses incurred from action pursuant to this section 3.4 according to the Provider’s valid price list.

The Provider shall forward all inquiries made by data protection authorities directly to the Customer and shall await further guidance from the Customer. Unless otherwise agreed, the Provider is not authorized to represent the Customer or act on behalf of the Customer in relation to the authorities supervising the Customer.  

Processing Taking Place Outside EU/EEA

The Provider and its subcontractors may Process personal data outside the EU/EEA area. In case such transfers or Processing take place, the Provider ensures that the EU Commission standard contractual clauses 2010/87/EU concerning the transfer of Personal Data to outside the EU/EEA, or a similar legal safeguard approved by the Regulation, will apply to such transfer or Processing.

By signing this Agreement the Customer grants a power of attorney to the Provider to represent the Customer in signing the contractual clauses on behalf of and in the name of the Customer. Furthermore, the Customer explicitly accepts that the Provider may also represent the subcontractor in question in relation to the contractual clauses.  


The Customer or an auditor authorized by the Customer (however, not a competitor of the Provider) is entitled to audit the activities pursuant to the Agreement. The Parties shall agree on the time of the auditing and other details ahead of time and at latest 14 days before the inspection. The auditing shall be carried out in a way that does not impede the obligations of the Provider or its subcontractors in regard to third parties. The representatives of the Customer and the auditor must sign conventional non-disclosure commitments.

The Customer shall be responsible for its own and the Provider’s  expenses caused by the auditing. If notable defects are perceived during auditing, the Provider shall be liable for the costs incurred from the auditing.

Data Security

The Provider shall implement the appropriate technical and organizational measures to protect the Personal Data of the Controller, taking into account all the risks of Processing, especially the unintentional or illegal destruction, loss, alteration, unauthorized disclosures or access to Personal Data that has been transferred, saved or otherwise Processed. When organizing the security measures, the technical options and their costs shall be assessed in relation to the special risks of the Processing at hand and the sensitivity of the Personal Data Processed.

The Customer shall be obligated to ensure that the Provider is notified of all the circumstances concerning the Personal Data the Customer has delivered, such as risk assessments and the Processing of special sets of Data Subjects that affect the technical and organizational measures pursuant to this Agremeent. The Provider shall ensure that the personnel of the Provider or a subcontractor of the Provider shall abide by the appropriate non-disclosure commitments.

Data Breaches

The Provider must notify the Customer of all Personal Data Breaches without undue delay after receiving information of the breach or after a subcontractor of the Provider has received information of the breach.  

If requested by the Customer, the Provider shall, without undue delay give the Customer all relevant information concerning the data breach. In so far as the information in question is available to the Provider, the Provider shall describe at least the following to the Customer:  

A) the occurred data breach,

B) if possible, the sets of data subjects and the number thereof, as well as the sets of personal data types and estimated numbers,  

C) a description of the likely consequences caused by the data breach, and  

D) a description of reparative measures, that the Provider has implemented or shall implement in order to prevent data breaches in the future, and if necessary, the measures to minimize the harmful effects of the data breach.  

The Provider shall document and report the results of the inquiry and the implemented measures to the Customer.  

The Customer shall be liable for the necessary notifications to the data protection authorities.  

Other Provisions

If any tangible or intangible damage is caused to a person due to a breach against the EU General Data Protection Regulation or the Agreement, the Provider shall be liable for the damage only in so far that it has not explicitly abided by the obligations directed to Personal Data Processors in the EU General Data Protection Regulation or this Agreement.  

Both parties are obligated to pay only the part of the damages or administrative fine that corresponds to the liability for damage confirmed in the final decision of a data protection authority or a court of law. In all cases the liability of the parties shall be determined pursuant to the Agreement.

Processing Specification Form

This Processing specification form is an inseparable part of the terms and conditions concerning Personal Data Processing. The Processing Specification Form specifies a processing assignment the Processor performs for the benefit of the Controller in the manner provided for in the Agreement.



The Processing shall concern the following services (fill out the service description)

SaaS service for improving strategy execution, change execution, employee engagement and employee performance and wellbeing.

Geographical Location of Personal Data

The Personal Data is Processed in the following countries or areas:
Inside the EU/EEA area. IP addresses may be processed outside the EU for analytics purposes.

Sets of Data Subjects

The Personal Data Processed concerns the following sets of Data Subjects:
Employees of the customer company.

Types of Personal Data

The Personal Data Processed in the service consists of the following types of Personal Data:

  • Basic information such as name, title, photo
  • Contact information such as email address
  • Technical and user information such as login account and password (for non-federated users)
  • Information related to surveys and the service such as survey answers, comments and likes