Terms of Service

Last updated: 16 February 2026

These Terms of Service ("Terms") govern your access to and use of the MoniDoseQMS platform ("Service"), operated by MoniDose ("we", "us", "our"). By accessing or using the Service, you agree to be bound by these Terms.

If you are using the Service on behalf of an organisation, you represent that you have the authority to bind that organisation to these Terms.

1. Definitions

  • "Platform" means the MoniDoseQMS web application, APIs, and related infrastructure.
  • "Customer" means the organisation that has registered an account on the Platform.
  • "User" means any individual authorised by a Customer to access the Platform.
  • "Customer Data" means all data uploaded, entered, or generated by Users within the Platform.
  • "Personal Data" has the meaning given in the EU General Data Protection Regulation (GDPR).

2. Service Description

MoniDoseQMS is a cloud-based Quality Management System designed for medical device manufacturers. The Platform provides tools for document control, risk management, CAPA, audit management, training, electronic signatures, and other quality management functions.

The Service is provided on a Software-as-a-Service (SaaS) basis. We host and maintain the infrastructure, apply security updates, and perform backups on your behalf.

3. Account Registration and Access

To use the Service, you must:

  • Provide accurate and complete registration information.
  • Maintain the confidentiality of your account credentials.
  • Notify us immediately of any unauthorised use of your account.
  • Be at least 18 years of age.

We reserve the right to suspend or terminate accounts that violate these Terms, remain inactive for an extended period, or are associated with fraudulent activity.

4. Acceptable Use

You agree not to:

  • Use the Service for any unlawful purpose or in violation of applicable regulations.
  • Attempt to gain unauthorised access to other accounts, systems, or networks.
  • Interfere with the integrity or performance of the Service.
  • Reverse-engineer, decompile, or disassemble any part of the Platform.
  • Upload malicious code, viruses, or harmful content.
  • Share account credentials with unauthorised individuals.

5. Data Ownership and Custody

Your data is yours. The Customer retains all rights, title, and interest in Customer Data. We do not claim any ownership of your data.

We access Customer Data only as necessary to provide the Service, perform maintenance, respond to support requests, or comply with legal obligations. We do not sell, share, or use Customer Data for advertising purposes.

Upon termination of your account, you may request an export of your data in a standard format. We will retain your data for a reasonable period (not exceeding 90 days) after termination to facilitate retrieval, after which it will be securely deleted unless retention is required by law.

6. Data Protection (GDPR Compliance)

We process Personal Data in accordance with the EU General Data Protection Regulation (Regulation 2016/679) and applicable national data protection laws.

6.1 Roles

Where the Customer determines the purposes and means of processing Personal Data through the Platform, the Customer is the Data Controller and MoniDose acts as a Data Processor on the Customer's behalf.

6.2 Processing Activities

We process Personal Data solely for the purposes of:

  • Providing and maintaining the Service.
  • User authentication and access control.
  • Audit trail and compliance record-keeping (as required by medical device regulations).
  • Sending service-related notifications (e.g., approval requests, password resets).
  • Responding to support requests.

6.3 Legal Basis for Processing

We rely on the following legal bases under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)) — processing necessary to deliver the Service.
  • Legitimate interests (Art. 6(1)(f)) — security monitoring, fraud prevention, service improvement.
  • Legal obligation (Art. 6(1)(c)) — regulatory record-keeping requirements.
  • Consent (Art. 6(1)(a)) — where required for optional features (e.g., marketing communications).

6.4 Data Subject Rights

Under GDPR, individuals have the right to:

  • Access — request a copy of their Personal Data.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of data (subject to legal retention requirements).
  • Restriction — request limited processing of their data.
  • Portability — receive data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent.

Important: Due to medical device regulatory requirements (FDA 21 CFR Part 11, EU MDR, ISO 13485), certain records including audit trails and electronic signatures cannot be deleted. These records must be retained for the legally mandated period. We will inform you if a deletion request cannot be fully honoured and explain the legal basis for continued retention.

6.5 Data Transfers

Customer Data is stored within the European Economic Area (EEA). If any transfer outside the EEA is required, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

6.6 Data Breach Notification

In the event of a personal data breach, we will notify the affected Customer without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33.

6.7 Sub-processors

We may engage sub-processors to assist in providing the Service (e.g., hosting providers). A current list of sub-processors is available upon request. We will notify Customers before adding new sub-processors and obtain consent where required by our Data Processing Agreement.

7. Security

We implement appropriate technical and organisational measures to protect Customer Data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest.
  • Role-based access controls and multi-factor authentication.
  • Regular security assessments and vulnerability scanning.
  • Automated backups with secure off-site storage.
  • Comprehensive audit logging of all system access and data modifications.
  • Tenant isolation ensuring strict separation of Customer Data between organisations.

8. Regulatory Record Retention

MoniDoseQMS is designed for use in regulated industries. Certain records are subject to mandatory retention periods under applicable medical device regulations:

  • Audit trails — retained for the lifetime of the device plus the applicable retention period.
  • Electronic signatures — immutable once captured; cannot be altered or deleted.
  • Quality records — retained as required by ISO 13485, EU MDR, and/or FDA regulations.
  • User accounts — deactivated rather than deleted to preserve audit trail integrity.

These retention obligations may override individual data deletion requests as permitted under GDPR Article 17(3)(b) (legal obligations) and 17(3)(e) (legal claims).

9. Service Availability

We strive to maintain high availability of the Service. However, we do not guarantee uninterrupted access. Scheduled maintenance windows will be communicated in advance. We are not liable for downtime caused by circumstances beyond our reasonable control.

10. Intellectual Property

The Platform, including its source code, design, documentation, and trademarks, is the intellectual property of MoniDose. These Terms do not grant you any rights to our intellectual property except the limited right to use the Service as described herein.

11. Limitation of Liability

To the maximum extent permitted by applicable law, MoniDose shall not be liable for any indirect, incidental, consequential, or punitive damages arising from your use of the Service.

Our total aggregate liability for any claims arising under these Terms shall not exceed the amount paid by the Customer for the Service in the twelve (12) months preceding the claim.

Nothing in these Terms excludes or limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded by law.

12. Indemnification

You agree to indemnify and hold MoniDose harmless from any claims, damages, or expenses arising from your breach of these Terms, your use of the Service in violation of applicable law, or your infringement of any third-party rights.

13. Termination

Either party may terminate these Terms by providing 30 days' written notice. We may suspend or terminate your access immediately if you materially breach these Terms.

Upon termination, your right to access the Service ceases. You may request a data export within 30 days of termination. Provisions that by their nature should survive termination (including data protection obligations, limitation of liability, and intellectual property) shall continue in effect.

14. Changes to These Terms

We may update these Terms from time to time. We will notify you of material changes by email or through a notice on the Platform at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Terms.

15. Governing Law and Jurisdiction

These Terms are governed by the laws of Finland. Any disputes arising from these Terms shall be resolved in the courts of Helsinki, Finland, unless otherwise required by mandatory consumer protection laws of your jurisdiction.

16. Contact Information

For questions about these Terms or to exercise your data protection rights, contact us at:

MoniDose

Email: support@monidoseqms.com

Data Protection enquiries: privacy@monidoseqms.com

If you believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.