October 2024
“Account” means any accounts or instances created by or on behalf of Customer within the Services.
“Affiliate(s)” means, with respect to a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with such Party, whereby “control” (including, with correlative meaning, the terms “controlled by” and “under common control”) means the possession, directly or indirectly, of the power to direct, or cause the direction of the management and policies of such person, whether through the ownership of voting securities, by contract, or otherwise.
“API” means the application programming interfaces developed, made available, and enabled by Provider that permit Customers to access certain functionality provided by the Services, including without limitation, any interface that enables the interaction with the Service(s) automatically through HTTP requests and the Provider application development API that enables the integration of the Service(s) with other web applications.
“Applicable Data Protection Law(s)” means the laws and regulations of the United States (including the California Privacy Rights Act (the “CPRA”)), the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom (including the General Data Protection Regulation or GDPR and any applicable national laws made under it where Customer is established in the European Economic Area), the Swiss Federal Act of 19 June 1992 on Data Protection, and the Brazilian General Data Protection Law (LGPD), all as may be amended or superseded.
“Applicable Law(s)” means all applicable local, state, federal, and international laws, rules, and regulations, including, without limitation, those related to data privacy and data transfer.
“Authorized User” means Customer’s employees, consultants, Contractors, and agents (i) who are authorized by Customer to access the Services on behalf of Customer under the rights granted to Customer pursuant to this Agreement and (ii) in the case of SaaS Services, for whom a unique user name and password to access the Services has been provisioned per the terms and conditions of this Agreement. Where Customer has purchased the right to white label the Licensed Software or SaaS Services and allow Customer’s customer(s) to access the same, “Authorized User” shall include Customer’s customer(s) for whom Customer has purchased Users as specified on the Order Form.
“Confidential Information” means all information disclosed by one Party to the other Party that is marked confidential or which a reasonable person would understand to be confidential or proprietary given the nature of the information and circumstances of disclosure and includes, without limitation: any non-public information regarding Provider’s or Customer’s business, products and services (including, without limitation, the discovery, invention, research, improvement, development, marketing or sale thereof as well as templates, scorecards, modules, coaching cards, rubrics and the like), pricing, financial data, models and information, business and marketing plans, customer information, business opportunities, plans for development of future products, unreleased versions of products, know-how, technology, the Services, the Software, and the API. Notwithstanding the foregoing, Confidential Information shall not include information that: (a) was already known to the receiving Party at the time of disclosure by the disclosing Party without an obligation of confidentiality; (b) was or is obtained by the receiving Party from a third party not known by the receiving Party to be under an obligation of confidentiality with respect to such information; (c) is or becomes generally available to the public other than by violation of this Agreement or another valid agreement between the Parties; or (d) was or is independently developed by the receiving Party without use of the disclosing Party’s Confidential Information.
“Contractor” means an independent contractor or consultant of a Party.
“Customer Data” means all content and data, including without limitation any Personal Data, technical material, customer records, or other materials submitted by or on behalf of Customer and which remains in Provider’s possession and control for further processing. “Customer Data” does not include Feedback.
“Customer Environment” means the computing environment (excluding any software provided by Provider) separately procured, prepared or maintained by Customer for the access and use of the products and Services.
“Defect” means a material non-conformance within the Warranty period that Provider can replicate or Customer can duplicate to Provider.
“Derivative Works” means a revision, enhancement, modification, translation, abridgment, condensation or expansion of any Provider IP.
“Documentation” means any written or electronic documentation, images, video, text, or sounds specifying the functionalities of the Services provided or made available by Provider to Customer or Users through the Site.
“DPA” means the data privacy agreement contained in Schedule 1.
“Effective Date” means the effective date designated on the relevant Order referencing this Agreement.
“Error” means a failure of the products or services provided by Provider to substantially conform to the Documentation that Provider can replicate or Customer can duplicate.
“Error Correction” means revisions, modifications, alterations, and additions to the products or services provided by Provider to Customer as bug fixes or workarounds, each to resolve Errors.
“Fees” means each of the License Fees, Professional Services Fees, Subscription Fees, support fees, hosting fees, and any other fees specified in the Order Form.
“Hosted Environment” means Provider’s or its third party’s technical environment required to operate and provide access to the relevant Provider service.
“Hosting Services” means the services that the Provider provides to Customer to allow Authorized Users to access and use the Software, including hosting set-up and ongoing services, as described in the Documentation.
“Intellectual Property Rights” means any and all respective patents, inventions, copyrights, trademarks, domain names, trade secrets, know-how and any other intellectual property and/or proprietary rights.
“License Fees” means the fees payable to license the Licensed Software.
“License Metrics” means the permitted volume of use of each of the software, maintenance and/or support services as designated, as defined in the applicable Order.
“Licensed Software” means the software product(s) licensed to the Customer and installed either on the Customer’s premises or equipment or in a hosted environment, in each case as specified in the applicable Order.
“License Term” means the duration of the license use granted by the Provider to the Customer commencing on the date specified in the Order Form and, in the case of non-perpetual licenses, continuing thereafter in accordance with Section 12(a).
“Order Form” or “Order” means the order form incorporating this Agreement specifying the products and services to be provided by Provider to Customer and the Fees to be paid.
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’), where such data subject is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity of that natural person and any other data which any Applicable Data Protection Law(s) identify as being personal data.
“Professional Services” means installation, configuration, implementation, training, consulting, project management, and/or other services that the Provider may provide to the Customer.
“Professional Services Fees” means the fees payable for the Professional Services.
“Provider IP” means the Services, the catalog, the catalog data, and any and all intellectual property provided to Customer or any Authorized User in connection with the foregoing. For the avoidance of doubt, Provider IP includes any information, data, or other content derived from Provider’s monitoring of Customer’s access to or use of the Services, including any use by Customer of the catalog data, but does not include Customer Data.
“SaaS” means Software-as-a-Service offerings, as generally known in the industry.
“Security Breach” means the unlawful destruction, loss, alteration, disclosure of, or access to Confidential Information caused by Provider’s breach of its confidentiality obligations set forth in Section 7(a).
“Service(s)” means any products, subscriptions, licenses, and/or services, that Customer orders via an Order referencing this Agreement, including, as applicable, the API, SaaS, Software, Documentation, and Professional Services but specifically excludes Third-Party Services.
“Software” means software provided by the Provider either by download or access through the internet that allows a User to use any functionality in connection with the Services.
“Statement of Work” means any statement of work executed or approved by each Party identifying those Professional Services to be provided by the Provider.
“Subscription Fees” means the fees charged on a per-User basis for the Service(s).
“Subscription Services” means the SaaS or subscription services provided by Provider to Customer under this Agreement via the website specified in the Order Form or any other website notified to Customer by Provider from time to time, as more particularly described in the Documentation.
“Subscription Term” means the period during which Customer has agreed to subscribe to a Service with respect to any individual User starting on the Effective Date and continuing thereafter in accordance with Section 12.
“Support Services” means the maintenance and/or support services (a) provided for Licensed Software offered by the Provider as set out in Section 5 and purchased by the Customer as specified in an Order Form or (b) included with the Subscription Services as more particularly detailed in Section 5(c).
“Term” means the License Term and/or the Subscription Term, as the context requires.
“Third-Party Services” means third party products, applications, services, software, networks, systems, directories, websites, databases and information to which a Service links, or which Customer may connect to or enable in conjunction with a Service, including, without limitation, Third-Party Services which may be integrated directly into Customer’s Account by Customer or at Customer’s direction.
“Updates” means periodic improvements or additions to the Licensed Software or Services provided by Provider, including Error Corrections, but excluding any new features or substantial additional functionality.
“User” means an individual authorized to use the Licensed Software and/or the Service(s) through the Customer’s Account as an agent, manager, team leader, administrator or any other role as identified through a unique login.
“Version” means the software configuration identified by a numeric representation, whether left or right of a decimal place.
“Website” means www.revalizesoftware.com or such other URL, mobile or localized versions thereof owned or operated by Provider as provided in the Order Form.
“White Label” means to present the Licensed Software or Services under the Customer’s own brand, conditional on prominently displaying the phrase “powered by Revalize” on each page of the Licensed Software.
(a) Licensed Software. In consideration of the License Fees paid by Customer to Provider, Provider grants to the Customer a non-exclusive, non-transferable, revocable, non-assignable personal license to use the then current version of Licensed Software for the License Term. The License is limited to License Metrics specified in the Order Form. The Licensed Software shall be used solely for Customer’s internal business purposes except where the right to White Label the Licensed Software has been purchased, in which case the Customer may grant access to Authorized Users employed by customers of the Customer provided that the number of Users does not exceed that specified on the Order Form. Licensed Software may be installed either in Customer’s own on-premise environment or may be hosted by or on behalf of Provider, as specified in the Order Form. Where Customer chooses the Licensed Software to be delivered in a Hosted Environment, Customer will purchase Hosting Services from Provider.
(b) Subscription Services. In consideration of the Subscription Fees paid by Customer to Provider, Provider grants to Customer a non-exclusive, non-transferable, revocable, non-assignable, personal right to access and use the Subscription Services specified in the Order Form through internet access, up to the number of Users specified on the Order Form. The Subscription Services shall be used solely for Customer’s internal business purposes, except where the right to White Label the Services has been purchased, in which case the Customer may include employees of Customer’s customers as Authorized Users of the Services, provided that the number of Users accessing the Subscription Services does not exceed the number specified on the Order Form.
(c) Authorized Users. Provider will issue Authorized Users with passwords and network links or connections to allow access to the Licensed Software and/or Subscription Services. The total number of Authorized Users will not exceed the number set forth in the Order Form, except as expressly agreed to in writing by the Parties and subject to any appropriate adjustment of the Fees payable hereunder. Customer acknowledges that Authorized User credentials cannot be shared or used by more than one Authorized User and that no User credential sharing is allowed, but may be reassigned to new Authorized Users replacing former Authorized Users who no longer require use of or access to the Licensed Software or Subscription Services.
(d) Modifications. Provider reserves the right, at its discretion, to modify, add, or discontinue any Licensed Software or Subscription Services or any portion thereof, at any time, for any reason and without liability to Customer except as provided in this Section 2(d). Further, Customer acknowledges that Provider may modify the features and functionality of the Licensed Software and Subscription Services during the Term. Provider shall use reasonable efforts to provide Customer with advance notice of any deprecation of any material feature or functionality. In the event any such modification materially impairs Customer’s ability to use the Licensed Software or Subscription Services in the manner contemplated by this Agreement, Customer may terminate the Agreement upon written notice to Provider and Provider shall refund Customer, on a pro-rated basis, any pre-paid Fees corresponding to the unused portion of the applicable Services after such termination.
(e) Monitoring. Customer acknowledges that Provider reserves the right, at any time and without notice, to monitor compliance with the terms of this Agreement and to otherwise protect its rights in and to the Licensed Software and Subscription Services by incorporating license management technology into the Licensed Software and Subscription Services and monitoring usage, including, without limitation, time, date, internet protocol address, access or other controls, counters, serial numbers and/or other security devices.
(f) Use Restrictions. Customer shall require that its Authorized Users comply with all relevant terms of this Agreement and any failure or failures to comply with this Agreement by any Authorized User will constitute a breach by Customer. Subject to permission under the applicable German Copyright Act (UrhG), in particular 69d) and 69e) UrhG, and only under the conditions specified in the Act, the Customer may use the Licensed Software or the Subscription Services for purposes beyond the scope of the licence or right of access granted in this Agreement. Customer shall not at any time, directly or indirectly, and shall not permit any Authorized Users or third party to: (i) copy, modify, or create derivative works of the Licensed Software or Subscription Services, in whole or in part in any manner or allow the Customer or any third party the ability to reverse engineer or utilize the Licensed Software or Subscription Services; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Licensed Software or Subscription Services; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Licensed Software or Subscription Services, in whole or in part; (iv) remove any proprietary notices from the Licensed Software or Subscription Services (except in compliance with Customer’s right (if such has been purchased from Provider) to White Label the Licensed Software or Subscription Services); (v) permit any third party to access or use the Licensed Software or Subscription Services other than an Authorized User; (vi) use the Licensed Software or Subscription Services in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any Applicable Law; or (vii) use any Licensed Software or Subscription Services, or allow the transfer, transmission, export, or re-export of the Licensed Software or Subscription Services or portion thereof, in violation of any Applicable Law or regulation, including any export control laws or regulations administered by the U.S. Commerce Department or any other national or international government or government agency.
(g) Reservation of Rights. Provider reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Provider IP. Without limiting the foregoing, Provider and its licensors retain all right, title, and interest in the Licensed Software and Subscription Services, all copies and derivatives, modifications, and improvements thereof, and all proprietary rights in the Licensed Software and Subscription Services, including copyrights, patents, trademarks, and trade secret rights.
(h) Suspension. Notwithstanding anything to the contrary in this Agreement, Provider may, in its sole discretion, suspend Customer’s and any Authorized User’s access to any portion or all of the Licensed Software and/or Subscription Services if: (i) Provider reasonably determines that (A) there is a threat or attack on any of the Provider IP; (B) Customer’s or any Authorized User’s use of the Provider IP disrupts or poses a security risk to the Provider IP or to any other customer or vendor of Provider; (C) Customer, or any Authorized User, is using the Provider IP for fraudulent or illegal activities; (D) subject to Applicable Law, Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; (E) Provider’s provision of the Licensed Software and/or Services to Customer or any Authorized User is prohibited by Applicable Law or such suspension is necessary to comply with any law, regulation, court order, or other governmental request or to otherwise protect Provider from potential legal liability; or (F) a user of the Provider IP is suspected to not be an Authorized User or if an Authorized User has shared credentials or allowed access to the system by a non-Authorized User; (ii) any vendor of Provider has suspended or terminated Provider’s access to or use of any Third-Party Services or products required to enable Customer to access the Licensed Software and/or Subscription Services; or (iii) in accordance with Section 5(c)(iii) (any such suspension described in Subsection (i), (ii), or (iii), a “Service Suspension”). 
Provider shall use commercially reasonable efforts to provide written notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Licensed Software and/or Subscription Services (as applicable) following any Service Suspension. Provider shall use commercially reasonable efforts to resume providing access to the Licensed Software and/or Subscription Services (as applicable) as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Provider will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any Authorized User may incur as a result of a Service Suspension.
(i) Use of Non-Identifiable Aggregated Data. Provider has the right to collect and use anonymized generic information derived from Customer Data (not to include Personal Data) processed by the Licensed Software and/or Services or to aggregate it with anonymized generic information from other customers (“Non-Identifiable Aggregated Data”) for Provider’s reasonable business purposes, including without limitation for analyzing customer needs and improving the Licensed Software and Subscription Services. Customer agrees that Provider may (i) make Non-Identifiable Aggregated Data publicly available in compliance with Applicable Law, and (ii) use Non-Identifiable Aggregated Data to the extent and in the manner permitted under Applicable Law.
(j) Third-Party Services. Customer acknowledges that the Services may contain software licensed to Provider from third parties (“Third-Party Software”) and that the Third-Party Software is not owned by Provider, and may be subject to additional restrictions imposed by the Third-Party Software licensor. Customer agrees to abide by such additional restrictions.
(a) System and Equipment. Customer and Authorized Users are solely responsible for (i) obtaining, deploying, and maintaining all hardware, software, modems, routers, telecommunication or Internet connections, and other communications equipment required for Customer and its Authorized Users to access and use the Licensed Software and Subscription Services; and (ii) paying all third-party fees and access charges incurred in connection with the foregoing. Except as specifically set forth in this Agreement, an Order Form, or Statement of Work, Provider shall not be responsible for supplying any hardware, software, or other equipment to Customer or Authorized Users under this Agreement. Customer will be responsible for all timely payments despite any delays caused by its failure to timely obtain any necessary Customer equipment.
(b) Access and Use. Customer is responsible and liable for all uses of the Licensed Software and Subscription Services resulting from access provided by Customer or provided to parties at Customer’s direction, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, Customer is responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by Customer will be deemed a breach of this Agreement by Customer. Customer shall use reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Licensed Software and Subscription Services (as applicable) and shall cause Authorized Users to comply with such provisions.
(c) General. Customer represents and warrants that Customer has all necessary rights, title, and permissions for Customer and Provider to access, collect, share, and use Customer Data as contemplated by this Agreement and that Customer Data will not violate or infringe (i) any intellectual property, publicity, privacy or other rights, or (ii) any Applicable Laws. Customer acknowledges and agrees that Customer shall not submit to or process via the Services any sensitive Personal Data as defined by Applicable Data Protection Law. Customer is solely responsible for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data. Customer shall comply with all Applicable Laws, rules, and regulations in using the Licensed Software and Subscription Services (as applicable).
(a) Licensed Software: To the extent specified and during the current Term of the Order (the “Support Period”), Provider will provide Support Services for the then-current Version of the Licensed Software for one (1) year after Provider has released a new Version (“End of Service” or “EOS”) (not including add-on licenses for existing installations of the previous Versions) and in accordance with Provider’s Support Services policy located at https://revalizesoftware.com/legal/customer-support-policy/ as may be updated from time to time without notice to the Customer. The EOS period commences when Provider announces that the next Version of the Licensed Software is generally available. Support Services may include, but are not limited to basic technical support, bug fixes, and Updates to Licensed Software as delivered to the Customer at the time of provisioning, without modification. Following the initial Support Period, the Support Services will automatically renew annually for successive one-year terms unless Customer gives Provider written notice at least ninety (90) days prior to the end of the then-current Support Period. If Customer terminates Support Services for Licensed Software, Customer acknowledges and agrees that in addition to not receiving Support Services, Customer shall no longer have access to the support portal, communications, customer support team, or the self-service knowledge base. If Customer terminates Support Services, but later desires to reinstate Support Services, Customer and Provider will mutually agree upon the cost of those reinstated Support Services, which may include, in Provider’s sole discretion, a reinstatement fee or the purchase and installation of the then-current Version of the Licensed Software. Provider may terminate Support Services on no less than thirty (30) days prior written notice to Customer. 
If Provider terminates Support Services, Provider will provide Customer with a refund of any fees prepaid for Support Services that are terminated. Notwithstanding Provider’s support obligations hereunder, Provider will have no responsibility or liability of any kind arising or resulting from Customer’s failure to (i) correctly install Updates or other modifications to the Licensed Software; or (ii) prepare a computing environment that meets the specified Customer Environment prior to the Licensed Software installation or to maintain such Customer Environment and Licensed Software thereafter.
(b) Updates and Upgrades. Provider may update or enhance the Licensed Software and/or Subscription Services from time to time. Unless otherwise specified in an applicable Order Form, Provider will include in the Licensed Software or Subscription Services (as applicable) any such Updates or enhancements that Provider generally makes available in the ordinary course to all of its customers of such Licensed Software or Subscription Services (as applicable); provided, however, that nothing in this Agreement will obligate Provider to provide Licensed Software or Subscription Services that include any upgrades (i.e., revisions to the Licensed Software or Subscription Services that include new features or substantial increases in functionality) at no additional cost. All Updates, upgrades, or other modified or updated versions of the Licensed Software and Subscription Services provided to Customer are subject to the terms of this Agreement.
(c) Subscription Services: During the Subscription Term and subject to payment of all applicable Fees hereunder, Provider shall provide support for the Subscription Services in accordance with the terms and conditions of this Section and Provider’s Support Services policy located at https://revalizesoftware.com/legal/customer-support-policy/ as may be updated from time to time without notice to Customer.
i. Maintaining the components of the Hosted Environment that the Provider deems necessary for the Services. Provider will use commercially reasonable efforts to implement any Error Corrections. Customer’s Authorized Users will have access to Provider’s support personnel through Provider’s support portal and responses to support requests will be provided during the support hours applicable to the specified Services purchased by Customer.
ii. With respect to any on-premise components, the Customer shall be responsible for the installation and configuration in the Customer Environment. Provider shall provide technical support for on-premise components through Provider’s support portal and responses to support requests will be provided during the support hours applicable to the specified Services purchased by Customer.
iii. Management of Services: In addition to any other rights Provider has under this Agreement, Provider reserves the right, in Provider’s sole discretion, to temporarily suspend Customer’s access to and use of any of the Services: (a) during planned downtime for upgrades and maintenance to such Service(s) (of which Provider will notify Customer as soon as reasonably practicable through our forum page and/or through a notice to Customer’s Account owner and Users) (“Planned Downtime”); or (b) during any unavailability caused by Force Majeure Events. The Provider will use commercially reasonable efforts to schedule Planned Downtime for weekends and other off-peak hours.
(d) Additional Services. If Customer desires Provider to install any Updates or upgrades, configure any Updates or upgrades, or configure any Updates or upgrades to any integrations or Licensed Software that were specifically configured by the Customer or at the Customer’s request, or exceeds the scope of Support Services specified in the Support Services policy, Provider may charge Customer for such services at Provider’s then-current hourly rates. Additionally, requests for changes to the Support Services by Customer that do not fall under Support Services, will be forwarded to the Professional Services team. Customer and Provider will agree, in writing (either, via an Order, Statement of Work, email, or through the approved ticketing system), to the estimated level of effort and fees required for Customer’s requests. All work will be completed on a time and materials basis at Provider’s current hourly rates unless stated otherwise in a Statement of Work.
(a) Payment and Billing. Unless otherwise indicated on an Order referencing these terms, all Fees will be invoiced in full up front at the time of commencement of the applicable Service(s) and are non-refundable. Unless otherwise indicated in the Order, Customer shall pay all undisputed invoices within 30 days of Customer’s receipt of each invoice without set-off, counterclaim or deduction. Customer is responsible for providing valid and current payment information and Customer agrees to promptly update Customer’s Account information, including payment information, with any changes that may occur (for example, a change in Customer’s billing address or credit card expiration date).
(b) Additional Users. If Customer chooses to increase or exceeds the number of Users authorized to access and use the Licensed Software during the License Term or Subscription Services during Customer’s Subscription Term, Customer shall pay Provider the applicable Fees for each such additional User at Provider’s then-current list prices.
(c) No Refunds or Credits. Except as otherwise expressly set forth herein, no refunds or credits for Fees or other charges or payments will be provided to Customer if Customer terminates its License subscription to the Services or cancels Customer’s Account in accordance with this Agreement prior to the end of Customer’s then-effective License Term or Subscription Term.
(d) Payments. Customer shall make all payments hereunder in US dollars, unless stated otherwise in the Order Form, on or before the due date. If Customer fails to make any payment when due, without limiting Provider’s other rights and remedies: (i) Provider may charge interest on the past due amount at the rate of 1.5% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer shall reimburse Provider for all reasonable costs incurred by Provider in collecting any late payments or interest, including attorneys’ fees, court costs, and collection agency fees; and (iii) if such failure continues for seven (7) days or more Provider may suspend Customer’s and its Authorized Users’ access to any portion or all of the Licensed Software and/or Subscription Services until such amounts are paid in full.
(e) Taxes. All Fees and other amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on Provider’s income.
(f) Auditing Rights and Required Records. Customer agrees to maintain complete and accurate records of Customer’s use during the Term of this Agreement and for a period of one year after the termination or expiration of this Agreement with respect to matters necessary for accurately determining amounts due hereunder. Provider may, at its own expense, on reasonable prior notice, annually inspect and audit Customer’s records with respect to matters covered by this Agreement, provided that if such inspection and audit reveal that Customer has underpaid Provider with respect to any amounts due and payable during the License Term or Subscription Term, Customer shall promptly pay the amounts necessary to rectify such underpayment, together with interest in accordance with Section 6. Customer shall pay for the costs of the audit if the audit determines that the Customer’s underpayment equals or exceeds ten percent (10%) for any year. Such inspection and auditing rights will extend throughout the Term of this Agreement and for a period of one year after the termination or expiration of this Agreement.
(a) Protection of Confidential Information. With respect to any Confidential Information disclosed under this Agreement by the disclosing Party, the receiving Party will treat such Confidential Information as confidential and will handle it using at least the same procedures and degree of care which it uses to prevent the misuse and disclosure of its own confidential information of like importance, but in no event less than reasonable care. The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s employees who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder and subject to confidentiality and nonuse obligations at least as protective of the disclosing Party as those set forth in this Agreement (in which case the receiving Party will remain responsible for any noncompliance by such employees or other individuals or entities). Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required (i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given written notice to the other Party and made a reasonable effort to obtain a protective order; or (ii) to establish a Party’s rights under this Agreement, including to make required court filings. On the expiration or termination of this Agreement, the receiving Party shall promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing Party that such Confidential Information has been destroyed. 
Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five years from the date first disclosed to the receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.
(b) Protection of Customer Data. Without limiting the foregoing and subject to the provisions of Schedule 1 in relation to Personal Data, to the extent Provider is in possession of Customer Data, Provider will use commercially reasonable efforts to protect Customer Data through use of administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data consistent with prevailing industry practices. Provider will not (i) modify Customer Data, (ii) disclose Customer Data except as compelled by law in accordance with Section 7(a) or as expressly permitted in writing by Customer or otherwise under this Agreement, or (iii) access Customer Data except to provide the Services under or in connection with the prevention of or to address service or technical problems, improve the functionality of Services, to generate Non-Identifiable Aggregated Data, or at Customer request in connection with customer support matters.
(c) Personal Data. To the extent Customer is Controller and Provider is Processor (as those terms are defined in Schedule 1 (“DPA”)) the provisions of the DPA (which is hereby incorporated into this Agreement) shall govern the Parties’ respective rights and obligations relating to Personal Data.
(a) Provider IP. Customer acknowledges that, as between Customer and Provider, Provider owns all right, title, and interest, including all intellectual property rights, in and to the Provider IP, Non-Identifiable Aggregated Data and Provider’s Confidential Information. For purposes of this Agreement, all Provider IP shall be deemed to be Confidential Information of Provider. Provider shall be the owner of any and all right, title, and interest (including without limitation, all Provider IP) in, of and to any Derivative Works.
(b) Customer Data. Provider acknowledges that, as between Provider and Customer, Customer owns all right, title, and interest, including all intellectual property rights, in and to the Customer Data and Customer’s Confidential Information. Customer hereby grants to Provider a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Provider to provide the Services to Customer, and a non-exclusive, perpetual, irrevocable, royalty-free, worldwide license to reproduce, distribute, modify, and otherwise use and display Customer Data incorporated within the Non-Identifiable Aggregated Data for any purpose, including benchmarking.
(c) Feedback. If Customer, its Authorized Users, or any of its other employees or Contractors sends or transmits any communications or materials to Provider by mail, email, telephone, or otherwise, suggesting or recommending changes to the Provider IP, including without limitation, new features, corrections, modifications or functionality relating thereto, or any comments, questions, suggestions, or the like (collectively, “Feedback”), Provider is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. Customer hereby assigns to Provider, on Customer’s behalf, and on behalf of its Authorized Users and its other employees, Contractors and/or agents, all right, title, and interest in, and Provider is free to use, without any attribution or compensation to any party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although Provider is not required to use any Feedback.
(d) Further Assurances. To the extent any of the rights, title, and interest in and to Feedback or intellectual property rights therein cannot be assigned by Customer to Provider, Customer hereby grants to Provider an exclusive, royalty-free, transferable, irrevocable, worldwide, fully paid-up license (with rights to sublicense through multiple tiers of sublicensees) to fully use, practice and exploit those non-assignable rights, title, and interest. If the foregoing assignment and license are not enforceable, Customer agrees to waive and never assert against Provider those non-assignable and non-licensable rights, title, and interest. Customer agrees to execute any documents or take any actions as may reasonably be necessary, or as Provider may reasonably request, to perfect ownership of the Feedback. If Customer is unable or unwilling to execute any such document or take any such action, Provider may execute such document and take such action on Customer’s behalf as Customer’s agent and attorney-in-fact. The foregoing appointment is deemed a power coupled with an interest and is irrevocable.
(e) Customer Trademark License. Customer hereby grants to Provider a non-exclusive, worldwide, non-transferable, royalty-free license to use, reproduce and display Customer’s name, logo and trademarks (collectively, the “Customer Marks”) as necessary for Provider to fulfill its obligations under this Agreement. Provider will comply with Customer’s trademark usage guidelines as Customer provides to Provider in writing from time to time.
(a) Provider’s Obligation.
(i) Licensed Software
The Provider warrants
(A) in the case of a perpetual license (purchase), that the Licensed Software has the characteristics described in the Documentation within the warranty period of one (1) year from the date of initial deployment;
(B) in the case of a Temporary License (Rental), that the characteristics of the Licensed Software described in the Documentation will be retained during the License Term.
(ii) Subscription Services
Provider warrants that the characteristics of the Subscription Services described in the Documentation will be maintained during the Subscription Term.
Provider will remedy material defects or errors within a reasonable period of time. Provider may fulfil its obligation to remedy defects or errors by providing Updates to the Customer.
(b) Customer’s Obligation.
The Client is obliged to notify the Provider of any defects in the Licensed Software or errors in the Subscription Services immediately after their discovery, stating the time of occurrence of the defects or errors and the more detailed circumstances.
(c) Additional Obligations
The Provider does not owe any quality of the Licensed Software or the Subscription Services beyond the characteristics described in the Documentation. In particular, the Customer may not derive such an obligation from other representations of the Licensed Software or the Subscription Services in public statements or in the advertising of the Provider and/or the Manufacturer or Licensor, as well as their employees or sales partners, unless the Provider has expressly confirmed the further quality in writing.
(a) Provider Indemnification.
i. Provider shall indemnify, defend, and hold harmless Customer, Customer’s officers, directors, employees and agents (each, a “Customer Indemnitee”) from and against direct damages ordered by a court of competent jurisdiction to the extent they result from any claim, suit, action, or proceeding by a third party that Customer’s use of the Licensed Software or Subscription Services in accordance with this Agreement, infringes or misappropriates such third party’s copyright, patent or trade secret rights in the United States.
ii. If such a claim is made or appears possible, Customer agrees to permit Provider, at Provider’s sole discretion, to (A) modify or replace the Licensed Software or Subscription Services (as applicable), or component or part thereof, to make it non-infringing, or (B) obtain the right for Customer to continue use. If Provider determines that neither alternative is reasonably available, Provider may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Customer.
iii. This Section 10 will not apply to the extent that the alleged infringement arises from: (A) use of the Services in combination with any data, software, hardware, equipment, network, system, or technology not provided by Provider or authorized by Provider in writing; (B) modifications or alterations to the Licensed Software or Subscription Services (as applicable) not made by Provider; (C) Customer’s continued use of the Licensed Software or Subscription Services (as applicable) after Provider notifies Customer to discontinue use because of an infringement claim; or (D) Customer Data.
iv. THE FOREGOING STATES THE ENTIRE LIABILITY OF PROVIDER WITH RESPECT TO THE INFRINGEMENT OF ANY INTELLECTUAL PROPERTY OR PROPRIETARY RIGHTS BY THE LICENSED SOFTWARE, SUBSCRIPTION SERVICES OR OTHERWISE, AND CUSTOMER HEREBY EXPRESSLY WAIVES ANY OTHER LIABILITIES OR OBLIGATIONS OF PROVIDER WITH RESPECT THERETO.
(b) Customer Indemnification. Customer shall indemnify, hold harmless, and, at Provider’s option, defend Provider, Provider’s officers, directors, employees and agents (each, a “Provider Indemnitee”) from and against all claims, losses, expenses, costs (including legal fees), and damages arising from any breach by Customer or any User of Sections 2, 4, 13(i) or the DPA.
(c) Indemnification Procedures. Each party’s indemnification obligations in this Section 10 are subject in each instance to the indemnified party: (i) promptly notifying the indemnifying party in writing of the threat or notice of the claim; (ii) giving the indemnifying party sole and exclusive control and authority to select defense attorneys, defend, and/or settle any such claim (however, the indemnifying party shall not settle or compromise any claim that results in liability or admission of any liability without the indemnified party’s prior written consent); and (iii) the indemnified party fully cooperating with the indemnifying party in connection with the defense or settlement of any claim.
(a) The Provider and its Affiliates shall be liable without limitation
(i) for intent or gross negligence,
(ii) for damages resulting from injury to life, body or health
(iii) in accordance with the provisions of the German Product Liability Act (ProdHaftG)
(iv) to the extent of a guarantee assumed by the Provider.
(v) in the event of fraudulent concealment of a defect.
(b) In the event of a slightly negligent (leichte Fahrlässigkeit) breach of an obligation which is essential for achieving the purpose of the contract and on the fulfilment of which the customer may regularly rely (cardinal obligation), the liability of the Provider and Affiliates shall be limited to the amount of the foreseeable and typical damage. A breach of a cardinal obligation within the meaning of this section 11 b) shall be deemed to exist in the event of a breach of an obligation, the fulfilment of which is essential for the proper performance of the contract or the breach of which jeopardises the achievement of the purpose of the contract and on the observance of which the customer may regularly rely.
(c) The Provider and its Affiliates shall only be liable for the loss of data up to the amount of the typical recovery costs that would have been incurred if the Customer had properly and regularly backed up the data.
(d) The Provider and its Affiliates shall have no further liability. In particular, the Provider shall not be liable for initial defects in a temporary Licensed Software or a Subscription Service, unless 11 a) (i) or (ii) applies.
(e) The above limitation of liability shall also apply to the personal liability of the Provider’s employees, workers, staff, representatives and executives as well as to the Provider’s agents.
(a) Initial Term and Renewal. The initial Term of each License or Subscription shall be twelve (12) months from the Effective Date, unless otherwise stated on the applicable Order Form (“Initial Term”). At the end of the initial Term, the License or Subscription shall automatically renew for periods (each a “Renewal Term”) equal to the Initial Term, unless either Customer or Provider has served written notice on the other not less than thirty (30) days prior to the end of the then-current Term. Unless otherwise provided for in any Order, Provider has the right to automatically increase the Fees applicable to Customer’s License or Subscription for any such Renewal Term at Provider’s then-current rates. If Provider determines, in its reasonable discretion, that material product or feature enhancements to the Licensed Software or Services require an increase in Fees for a Renewal Term, Provider will first obtain Customer’s prior written consent before applying such increase before such Renewal Term.
(b) Termination. In addition to any other express termination right set forth in this Agreement:
i. Provider may terminate this Agreement, effective on written notice to Customer, if Customer: (A) fails to pay any amount when due hereunder, and such failure continues more than thirty (30) days after Provider’s delivery of written notice thereof; or (B) breaches any of its obligations under Section 2(b) or Section 6;
ii. either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party materially breaches this Agreement, and such breach: (A) is incapable of cure; or (B) being capable of cure, remains uncured thirty (30) days after the non-breaching Party provides the breaching Party with written notice of such breach;
iii. either Party may terminate this Agreement, effective immediately upon written notice to the other Party, if the other Party: (A) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (B) makes or seeks to make a general assignment for the benefit of its creditors; or (C) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business; or
(c) Effect of Expiration or Termination. Unless the Parties agree otherwise, termination of this Agreement will terminate each of the Order Forms and other Service Addenda, even if the Order Form or other Service Addenda specifies an expiration date after the effective termination date of this Agreement. No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due before such expiration or termination, or entitle Customer to any refund except as expressly provided herein. Upon expiration or earlier termination of this Agreement, Customer shall immediately discontinue use of the Provider IP and, without limiting Customer’s obligations under Section 6, Customer shall delete, destroy, or return all copies of the Provider IP and certify in writing to the Provider that the Provider IP has been deleted or destroyed.
(d) Exporting Customer Data. During the Term and up to expiration or termination of this Agreement, Customer will have the ability to export or download Customer’s Data. After such expiration or termination, Provider will have no obligation to maintain or provide any of Customer’s Data, and Provider will, unless prohibited by law or legal order, delete Customer’s Data in the Services in accordance with Provider’s then-current deletion policy without notice or liability to Customer.
(e) Survival. Provisions herein which by their context and content are intended to survive termination or expiration shall so survive, including Sections 1, 2, 4, 5, 6, 7, 8, 10, 11, 12, and 13, which survive any termination or expiration of this Agreement. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement. Termination of this Agreement shall not limit either Party’s liability for obligations accrued as of or prior to such termination for breach of this Agreement.
(a) Entire Agreement. This Agreement, together with any other documents incorporated herein by reference and all related schedules and exhibits, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. If there is a conflict between the terms of this Main Services Agreement and the terms of any of its attachments, then this Main Services Agreement will prevail unless the conflicting attachment explicitly specifies the attachment to prevail in case of such a conflict.
(b) By placing an Order with Provider, Customer agrees that the terms and conditions of this Agreement shall apply to and govern that Order. Except with respect to product, services and pricing applicable to an Order, additional or conflicting terms in any Order shall have no force or effect on either party, unless that Order is signed in hardcopy form by each party, and then those terms shall apply to the parties solely for that Order. Except as otherwise specified herein, any additional or conflicting terms contained in any other document (including, without limitation, any preprinted, additional or conflicting terms on any Customer purchase order, or acknowledgement from either party) shall be null, void and of no effect on either party. If there is a conflict between the terms of this Agreement and the Order Form, the terms of the Order Form shall take precedence.
Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder (each, a “Notice”) must be in writing and delivered by personal delivery, via an internationally recognized overnight courier (with all fees pre-paid), or certified or registered mail (in each case, return receipt requested, postage pre-paid). Except as otherwise provided in this Agreement, a Notice is effective only: (i) upon receipt by the receiving Party; and (ii) if the Party giving the Notice has complied with the requirements of this Section. All notices to be provided by Provider to Customer under this Agreement may be delivered in writing by electronic mail to the electronic mail address provided by Customer on the applicable Order and/or Statement of Work. All notices shall be deemed to have been given immediately upon delivery by electronic mail, or if otherwise delivered upon the earlier of receipt or two (2) business days after being deposited in the mail or with a Courier as permitted above.
(c) Force Majeure. In no event shall Provider be liable to Customer, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement, if and to the extent such failure or delay is caused by any circumstances beyond Provider’s reasonable control, including but not limited to acts of God, flood, fire, earthquake, explosion, war, terrorism, invasion, riot or other civil unrest, epidemic or pandemic, strikes, labor stoppages or slowdowns or other industrial disturbances, or passage of law or any action taken by a governmental or public authority, including imposing an embargo. Provider shall notify Customer of such force majeure within ten (10) days after such occurrence by giving written notice to Customer stating the nature of the event, its anticipated duration, and any action being taken to avoid or minimize its effect. The suspension of performance shall be of no greater scope and no longer duration than is necessary and Provider shall use commercially reasonable efforts to remedy its inability to perform.
(d) Amendment and Modification; Waiver. No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.
(e) Severability. If any provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify this Agreement so as to effect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.
(f) Limitation of Claims. No claim or action, regardless of the form, which in any way arises out of or in connection with this Agreement may be made or brought by or on behalf of Customer or its Affiliates more than one (1) year following the earlier of (a) the expiration or sooner termination of this Agreement and (b) the date that Customer first has knowledge of the events giving rise to such claim or action.
(g) Governing Law. This Agreement shall be governed by and construed in accordance with the substantive laws of Germany, without regard to its conflicts of law principles, and shall be subject to the exclusive jurisdiction of the courts of Germany. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply in any respect to this Agreement or the parties.
(h) Assignment. Customer may not assign any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by merger, sale of assets, operation of law or otherwise, without the prior written consent of Provider, which consent may be conditioned on Customer paying any remaining payments due hereunder in full. Any purported assignment or delegation in violation of this Section will be null and void. No assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns. In the event that Customer or its business using the Subscription Services or Licensed Software is acquired by a third party that is also a customer of Provider, Customer shall continue to pay the Fees in accordance with this Agreement and any applicable Order Form and other Service Addenda unless the Parties mutually agree in writing otherwise, even if the other customer may have more favorable terms than those offered to Customer hereunder. § 354 a HGB (assignment of monetary claims) remains unaffected by the above provision.
(i) Relationship of the Parties. The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties. Nothing herein shall prevent either Party from entering into any further agreements or business relationships, nor prevent either Party from conducting similar business with others as long as such Party observes its obligations under this Agreement.
(j) Export Regulation. The Services utilize software and technology that may be subject to US export control laws, including the US Export Administration Act and its associated regulations. Customer shall not, directly or indirectly, export, re-export, release or make accessible the Licensed Software or Subscription Services from, any jurisdiction or country to which export, re-export, or release is prohibited by law, rule, or regulation. Customer shall comply with all applicable federal laws, regulations, and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Licensed Software or Subscription Services or the underlying software or technology available outside the US. Customer represents, warrants and covenants that (i) Customer is not named on any U.S. government list of persons or entities prohibited or restricted from receiving U.S. exports, or transacting with any U.S. person, (ii) Customer is not a national of, or a company registered in, any Prohibited Jurisdiction, (iii) Customer shall not permit its Users to access or use the Services in violation of any U.S. or other applicable export embargoes, prohibitions or restrictions, and (iv) Customer shall comply with all Applicable Laws regarding the transmission of technical data exported from the United States and the country in which Customer and its Users are located.
(k) Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement.
(l) Expenses. All costs and expenses incurred in connection with this Agreement and each other agreement, document and instrument contemplated by this Agreement and the transactions contemplated hereby and thereby shall be paid by the Party incurring such costs and expenses.
(m) Attorneys’ Fees and Costs. In the event of a dispute arising under this Agreement, whether or not a lawsuit or other proceeding is filed, the prevailing party shall be entitled to recover its reasonable attorneys’ fees and costs, including attorneys’ fees and costs incurred in litigating entitlement to attorneys’ fees and costs, as well as in determining or quantifying the amount of recoverable attorneys’ fees and costs. The reasonable costs to which the prevailing party is entitled shall include costs that are taxable under any applicable statute, rule, or guideline, as well as non-taxable costs, including, but not limited to, costs of investigation, copying costs, electronic discovery costs, telephone charges, mailing and delivery charges, information technology support charges, consultant and expert witness fees, travel expenses, court reporter fees, and mediator fees, regardless of whether such costs are otherwise taxable.
(n) Publicity. Provider may, with Customer’s consent, which shall not be unreasonably withheld, conditioned or delayed, (i) issue a press release announcing the relationship between the parties within thirty (30) days after the Effective Date and (ii) use Customer’s name or logo in Provider’s advertising, promotion, and similar public disclosures with respect to the Services. Provider may disclose the terms of this Agreement to prospective investors and prospective acquirors of Provider’s business, assets or stock solely for such purposes provided that any such investor or acquirer is subject to a written confidentiality agreement.
(o) Non-Solicitation of Employees. Customer agrees that, during the Term of this Agreement, and for a period of one (1) year following the Term, it will not employ, solicit for or offer employment, or enter into any contract for services with the employees, agents or representatives of Provider without Provider’s prior written consent; provided, however, that the foregoing prohibition shall not preclude the hiring by Customer of any individual who responds to a general solicitation or advertisement, whether in print or electronic form, on job postings and social networking sites. In the event that any of Provider’s employees, agents or representatives are employed by or enter into a contract for services (whether as an employee or a Contractor) with Customer or any Affiliate of Customer in breach of the foregoing sentence, Customer shall, upon demand, pay to Provider a sum equal to six months’ basic salary or the fee that was payable by Provider to that employee, agent or representative plus the recruitment costs incurred by Provider in replacing such person by way of compensation for the cost and inconvenience incurred by Provider. The above payment shall not be in lieu of Provider’s other remedies at law and in equity.
(p) Legal Provisions. The official language of this Agreement is, and all attachments or amendments to this Agreement, contract interpretations, notices and dispute resolutions shall be in English. Translations of this Agreement shall not be construed as official or original versions. No exclusive rights are granted by Provider under this Agreement. All rights or licenses not expressly granted to Customer herein are reserved to Provider, including the right to license the use of the Subscription Services and any Software to other parties. Any reference to a law or statute in this Agreement shall be deemed to include any amendment, replacement, re-enactment thereof for the time being in force and to include any by-laws, statutory instruments, rules, regulations, orders, notices, directions, consents, or permissions (together with any conditions attaching to any of the foregoing) made in respect thereof.
This Data Processing Addendum (“DPA”) forms part of the Main Subscription Agreement (“Agreement”) between Provider and Customer. The terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
Whereas the Parties have entered into an agreement for the provision of software and/or other services by Provider to Customer (“Agreement” or “MSA”), this DPA governs the rights and obligations of the Parties in relation to Processing of Personal Data undertaken in connection with the provision and receipt of such software and/or other services.
For and in consideration of the representations and promises of the parties set forth herein, and other good and valuable consideration the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
1.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 Adequacy Decision means, for a jurisdiction with Privacy Laws that have data transfer restrictions, a decision that the Supervisory Authority or other body in such jurisdiction recognizes as providing an adequate level of data protection as required by such jurisdiction’s Privacy Laws such that transfer to that country shall be permitted without additional requirements;
1.1.2 Affiliate means any entity which now or in the future controls, is controlled by, or is under common control with the Parties of this DPA, with “control” defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such person or entity, whether through the ownership of voting securities, by contract, or otherwise;
1.1.3 CCPA means the California Consumer Privacy Act of 2018 (California Privacy Act Cal Civ Code § 1798.100 et seq) and its implementing regulations;
1.1.4 Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data including “business” as that term is defined by the CCPA, and in the context of this DPA shall mean the Customer;
1.1.5 Data Processing Instructions means the Processing instructions set out in Annex I B;
1.1.6 Data Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller (including “service provider” as that term is defined by the CCPA), and in the context of this DPA shall mean Provider;
1.1.7 Data Subject means the identified or identifiable person to whom Personal Data relates (including “consumer” as that term is defined by the CCPA);
1.1.8 EU GDPR means all EU regulations applicable (in whole or in part) to the Processing of Personal Data such as Regulation (EU) 2016/679;
1.1.9 EU SCCs means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council and set out as Appendix 1 to this DPA;
1.1.10 Information Security Schedule means the information security, technical and organizational measures specified in Annex II, as may be updated from time to time;
1.1.11 Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
1.1.12 Privacy Laws means all data protection and privacy laws and regulations applicable to the Personal Data in question, including (without limitation and as applicable) the EU GDPR, UK GDPR, and CCPA, in each case as amended, superseded or replaced from time to time.
1.1.13 Process or Processing means any operation or set of operations that is performed upon Personal Data in connection with the Services, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction, as described in the Data Processing Instructions;
1.1.14 Restricted Transfer means:
1.1.14.1 a transfer of Personal Data from Customer or a Customer Affiliate to Provider; or
1.1.14.2 an onward transfer of Personal Data from Provider to a Sub processor, in each case, where such transfer would be prohibited by Privacy Laws in the absence of an approved method of transfer (such as (a) an Adequacy Decision, (b) Standard Contractual Clauses, (c) by the terms of other recognized forms of data transfer agreements or processes under applicable Privacy Laws or (d) a permitted derogation), or would be in breach of the terms of such an approved method of transfer or permitted derogation;
1.1.15 Services means the services and other activities to be supplied to or carried out by or on behalf of Provider for Customer pursuant to the Agreement;
1.1.16 Standard Contractual Clauses means the contractual clauses approved by a Supervisory Authority pursuant to Privacy Laws, as may be updated from time to time, which permit the transfer of Personal Data where such transfer would otherwise be a Restricted Transfer;
1.1.17 Sub processor means any third party (including any third party and any Provider Affiliate) appointed by or on behalf of Provider to undertake Processing in connection with the Services, which are listed in Annex III;
1.1.18 Supervisory Authority means a public authority or government or quasi-governmental agency which is established in a jurisdiction under Privacy Laws with competence in matters pertaining to data protection;
1.1.19 Swiss Addendum means the addendum to the EU SCCs set out in Appendix 3 to this DPA.
1.1.20 UK Addendum means the UK Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018, a copy of which is set out in Appendix 2 to this DPA; and
1.1.21 UK GDPR means the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
1.2 References to Annexes are to annexes of the EU SCCs.
2.1 Provider will not:
2.1.1 retain, use, disclose or otherwise Process Personal Data for any purpose (including its own commercial purposes) other than on Customer’s documented instructions (as set out in this DPA and in the Agreement) unless Processing is required under applicable law and under the terms of the Standard Contractual Clauses (where applicable); or
2.1.2 sell Personal Data received from Customer or obtained in connection with the provision of the Services to Customer.
2.2 Customer on behalf of itself and each Customer Affiliate:
2.2.1 instructs Provider:
2.2.1.1 to Process Personal Data; and
2.2.1.2 in particular, transfer Personal Data to any country or territory; in each case as reasonably necessary for the provision of the Services and consistent with this DPA.
2.3 The Data Processing Instructions sets out the subject matter and other details regarding the Processing of the Personal Data contemplated as part of the Services, including Data Subjects, categories of Personal Data, special categories of Personal Data, Sub processors and description of Processing.
2.4 The parties acknowledge that Customer’s transfer of Personal Data to Provider is not a “sale” of Personal Data within the meaning of applicable Privacy Laws (including the CCPA) and Provider provides no monetary or other valuable consideration to Customer in exchange for the Personal Data.
Provider shall ensure that persons authorized to undertake Processing of the Personal Data have:
3.1 Committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in respect of the Personal Data; and
3.2 Undertaken appropriate training in relation to protection of Personal Data.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider shall in relation to the Personal Data implement appropriate technical and organizational measures designed to provide a level of security appropriate to that risk in the provision of the Services and for the purposes of this DPA Provider’s technical and organizational measures are set out in the Information Security Schedule.
4.2 In assessing the appropriate level of security, Provider shall take account in particular of the risks that are presented by Processing.
5.1 Provider shall only appoint Sub processors which enable Provider to comply with Privacy Laws. Customer authorizes Provider to appoint Sub processors in accordance with this Section 5 subject to any restrictions or conditions expressly set out in the Agreement. Sub processors appointed as at the effective date of this DPA are listed in the Data Processing Instructions. Provider shall remain liable to Customer for the performance of Sub processors’ obligations subject to the Agreement.
5.2 Notwithstanding any notice requirements in the Agreement, before Provider engages any new Sub processor, Provider shall give Customer notice of such appointment, including details of the Processing to be undertaken by the proposed Sub processor. Any new Sub processor shall be added to the following https://revalizesoftware.com/legal/ and notified to Customer via email. In addition to any other notifications, Provider may provide such notice by updating the list of Sub processors in the Data Processing Instructions. Customer may notify Provider of any objections (on reasonable grounds related to Privacy Laws) to the proposed Sub processor or Data Processing Instructions (“Objection”), within 15 days of the notification from Provider of the updated Sub processor list, then Provider and Customer shall negotiate in good faith to agree to further measures including contractual or operational adjustments relevant to the appointment of the proposed Sub processor or operation of the Services to address Customer’s Objection. Where such further measures cannot be agreed between the parties within forty-five (45) days from Provider’s receipt of the Objection (or such greater period agreed by Customer in writing), Customer may by written notice to Provider with immediate effect terminate that part of the Services which require the use of the proposed Sub processor or another part of the Services which are so terminated.
6.1 Provider shall:
6.1.1 Upon becoming aware, promptly notify Customer if Provider receives a request from a Data Subject relating to an actionable Data Subject right under any Privacy Law in respect of Personal Data;
6.1.2 Not respond to that request except on the documented instructions of Customer or as required by a Supervisory Authority or under applicable law; and
6.1.3 Upon request from Customer where required by Privacy Laws and in the context of the Services, reasonably assist Customer in dealing with an actionable Data Subject rights request to the extent Customer cannot fulfil this request without Provider’s assistance. Provider may fulfil this request by making available functionality (at Customer’s expense) that enables Customer to address such Data Subject rights request without additional Processing by Provider. To the extent such functionality is not available, in order for Provider to provide such reasonable assistance, Customer must communicate such request in writing to Provider providing sufficient information to enable Provider (at Customer’s expense) to pinpoint and subsequently amend, export or delete the applicable record.
7.1 Provider shall notify Customer without undue delay upon Provider or any Sub processor confirming a Personal Data Breach, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Privacy Laws. Subject to Section 7.3 below, such notification shall as a minimum:
7.1.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
7.1.2 communicate the name and contact details of Provider’s data protection officer or other relevant contact from whom more information may be obtained;
7.1.3 describe the likely consequences of the Personal Data Breach in so far as Provider is able to ascertain having regard to the nature of the Services and the Personal Data Breach; and
7.1.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.
7.2 Provider shall co-operate with Customer and take such commercially reasonable steps as are necessary to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
7.3 Where and in so far as, it is not possible to provide the information or Provider is prohibited by law or law enforcement from providing the information referred to in Section 7.1 at the same time, the information may be provided in phases without undue further delay.
8.1 To the extent necessary, Provider shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Privacy Laws, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, Provider. To the extent that such impact assessment and/or prior consultation requires assistance beyond Provider providing the applicable Provider processing record(s) and Documentation, Provider shall reserve the right to charge Customer for such engagement at Provider’s then current daily rates.
9.1 Within thirty (30) days from termination or expiry of the Agreement (the “Return Period”), and subject to Section 9.2 below, at Customer’s request, Provider will either delete or return available Personal Data. At the expiry of the Return Period, if Customer has not elected either of the foregoing Provider may delete and destroy all Personal Data without notice or liability to Customer. Where Customer requests Provider return available Personal Data, Provider may fulfil this request by making available functionality that enables Customer to retrieve the Personal Data without additional Processing by Provider. If Customer declines to use this functionality, Customer may, within the Return Period, request that Provider return the available Personal Data under an Order for the applicable professional services. In the event the Agreement is terminated for Customer’s breach, Provider shall have the right to require that Customer prepay for such professional services. Provider shall provide written confirmation to Customer that it has fully complied with this Section 9 within thirty (30) days of Customer’s request for such confirmation.
9.2 Provider may retain Personal Data to the extent required by Privacy Laws or any other statutory requirement to which Provider is subject and only to the extent and for such period as required by Privacy Laws or any other statutory requirement to which Provider is subject and always provided that (a) during such retention period the provisions of this DPA will continue to apply, (b) that Provider shall ensure the confidentiality of all such Personal Data, and (c) Provider shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Privacy Laws requiring its storage or any other statutory requirement to which Provider is subject and for no other purpose.
10.1 Upon Customer’s reasonable request, Provider shall provide all relevant and necessary material, documentation and information in relation to Provider’s technical and organizational security measures used to protect the Personal Data in relation to the Services provided in order to demonstrate compliance with Privacy Laws. Such information may be provided in summary form to minimize the risk of such measures being circumvented.
10.2 Provider shall ensure a security audit of its technical and organizational security measures is carried out at least annually in compliance with Privacy Laws. The results of such security audit will be documented in a summary report. Provider shall promptly provide Customer upon request with (i) a confidential summary of such report; and (ii) evidence of appropriate remediation of any critical issues within four (4) weeks from date of issuance of the audit report.
10.3 If, following the completion of the steps set out in Sections 10.1 and 10.2, Customer reasonably believes that Provider is non-compliant with Privacy Laws, Customer may request that Provider make available, either by webinar or in a face-to-face review, extracts of all relevant information necessary to further demonstrate compliance with Privacy Laws. Customer undertaking such review shall give Provider reasonable notice, by contacting Provider’s Information Security Director at privacy@revalizesoftware.com, and any review will be conducted under this Section 10.3.
10.4 In the event that Customer reasonably believes that its findings following the steps set out in Section 10.3 do not enable Customer to comply materially with Customer’s obligations mandated under the Privacy Laws in relation to its appointment of Provider, then Customer may give Provider not less than thirty (30) days prior written notice of its intention, undertake an audit which may include inspections of Provider to be conducted by Customer or an auditor mandated by Customer (not being a competitor of Provider). Such audit and/or inspection shall (i) be subject to confidentiality obligations agreed between Customer (or its mandated auditor) and Provider, (ii) be undertaken solely to the extent mandated by, and may not be further restricted under applicable Privacy Laws, (iii) not require Provider to compromise the confidentiality of security aspects of its systems and/or data processing facilities (including that of its Sub processors), and (iv) not be undertaken where it would place Provider in breach of Provider’s confidentiality obligations to other Provider customers, vendors and/or partners generally or otherwise cause Provider to breach laws applicable to Provider. Customer (or auditor mandated by Customer) undertaking such audit or inspection shall avoid causing any damage, injury or disruption to Provider’s premises, equipment, personnel and business in the course of such a review. To the extent that such audit performed in accordance with this Section 10.4 exceeds one (1) business day, Provider shall reserve the right to charge Customer for each additional day at its then current daily rates.
10.5 If following such an audit or inspection under Section 10.4, Customer, acting reasonably, determines that Provider is non-compliant with Privacy Laws then Customer will provide details thereof to Provider upon receipt of which Provider shall provide its response and to the extent required, a draft remediation plan for the mutual agreement of the parties (such agreement not to be unreasonably withheld or delayed; the mutually agreed plan being the “Remediation Plan”). Where the parties are unable to reach agreement on the Remediation Plan, or in the event of agreement, Provider materially fails to implement the Remediation Plan by the agreed dates which in either case is not cured within forty-five (45) days following Customer’s notice or another period as mutually agreed between the Parties, Customer may terminate the Services in part or in whole which relates to the non-compliant Processing and the remaining Services shall otherwise continue unaffected by such termination.
10.6 The rights of Customer under this Section 10 shall only be exercised once per calendar year unless Customer reasonably believes Provider to be in material breach of its obligations under either this DPA or Privacy Laws.
11.1 Customer (as “data exporter”) and Provider, as appropriate, (as “data importer”) hereby agree that the applicable Standard Contractual Clauses shall apply in respect of any Restricted Transfer from Customer or any Customer Affiliate to Provider to the extent required by Privacy Laws. The parties agree that the provisions of the Standard Contractual Clauses shall apply to the Restricted Transfer. Where Personal Data is subject to the EU GDPR, the applicable Standard Contractual Clauses shall be the EU SCCs, and where Personal Data is subject to the UK GDPR, the applicable Standard Contractual Clauses shall be the UK Addendum, in each case completed as described herein and as set out in the Appendices. Where Personal Data is subject to Swiss Federal Data Protection Act, the provisions of the Swiss Addendum shall apply.
11.2 For the purposes of Annex I or other relevant part of the applicable Standard Contractual Clauses, the Data Processing Instructions sets out the Data Subjects, categories of Personal Data, special categories of Personal Data, Sub processors and description of Processing (processing operations). Where the EU SCCs apply to transfers from the Customer or a Customer Affiliate to Provider, they will be completed as set out in Annex I. Optional clauses in the applicable Standard Contractual Clauses shall not apply unless otherwise set out in Annex I.
11.3 For the purposes of Annex II or other relevant part of the applicable Standard Contractual Clauses, the Information Security Schedule sets out the description of the technical and organizational security measures implemented by Provider (the data importer).
11.4 Wherever the applicable Standard Contractual Clauses enable a choice of law or jurisdiction, the laws and courts of Ireland shall apply, unless otherwise required under applicable Privacy Law.
11.5 Provider shall not make any Restricted Transfer of Personal Data that it has received under this DPA, unless it has lawful grounds to do so under applicable Privacy Laws. Such lawful grounds may include (a) an Adequacy Decision, (b) Standard Contractual Clauses, (c) the terms of other recognized forms of data transfer agreements or processes; or (d) any permitted derogation under Privacy Law.
12.1 To the extent that Processing relates to Personal Data originating from a jurisdiction or in a jurisdiction which has any mandatory requirements or introduces any such requirements in the future, in addition to those in this DPA, both Parties may agree to any additional measures required to ensure compliance with applicable Privacy Laws and any such additional measures agreed to by the Parties will be documented as an Annex to this DPA or in an Order to the Agreement.
12.2 The Customer further agrees that to the extent that Provider is required to enter into an appropriate transfer mechanism or additional safeguards to transfer Personal Data under applicable Privacy Laws, Provider may enter into an agreement to effect such a transfer on its own behalf, and where required on behalf of the Customer, on a named or unnamed basis.
12.3 Due to the fact that Provider has no control over the type, character, properties, content, and/or origin of Personal Data Processed hereunder, notwithstanding anything to the contrary herein, Provider shall not be in breach of this DPA or the Agreement or liable to Customer to the extent Personal Data subject to jurisdictional requirements mandating security, processing or other measures not set forth in, or contrary to the terms of, this DPA is provided by Customer without amending this DPA or entering into an Order addressing the same.
12.4 If any variation is required to this DPA as a result of a change in Privacy Laws, including any variation which is required to the Standard Contractual Clauses, then either party may provide written notice to the other party of that change in law. The parties will discuss and negotiate in good faith any necessary variations to this DPA, including the Standard Contractual Clauses, to address such changes.
13.1 This DPA shall be governed by and construed in accordance with the laws of the State of Delaware and the Parties hereby submit to the courts in the State of Delaware with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
13.2 The applicable law provisions of this DPA are without prejudice to clauses 7 (Mediation and Jurisdiction) and 10 (Governing Law) of the Standard Contractual Clauses where applicable to Restricted Transfers of Personal Data from the European Union (including the United Kingdom) to a third country.
14.1 Nothing in this DPA reduces Provider’s or any Provider Affiliate’s obligations under the Agreement in relation to the protection of Personal Data or permits Provider or any Provider Affiliate to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of inconsistencies between the provisions of this DPA and (i) the Information Security Schedule, or (ii) any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail. For the avoidance of doubt, the limitations and exclusions of liability set out in the Agreement shall also apply in respect of this DPA, to the fullest extent permitted under applicable law.
15.1 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8 – Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
(iii) Clause 9 – Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
(iv) Clause 12 – Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18 – Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Not Used.
8.1 Instructions
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
8.1 Instructions
(a) The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
(b) The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.
(c) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.
(d) The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.
(c) The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.
(d) The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.
(e) Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
(f) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(g) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
(a) The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
(a) The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.
(b) The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
(a) [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module 3: The data exporter shall forward the notification to the controller.]
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [For Module 3: if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [For Module 3: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority [For Module 3: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of Ireland.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
Data Exporter | |
---|---|
Name | Customer as identified in the Agreement |
Address | As detailed in the Agreement |
Contact person name, position and contact details | As detailed in the Agreement |
Activities relevant to the data transferred under these Clauses | Receipt of services under the Agreement |
Signature and date | By entering into the Agreement, data exporter is deemed to have signed these Standard Contractual Clauses incorporated herein as of the effective date of the Agreement. |
Role (controller/processor) | Controller |
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Data Importer | |
---|---|
Name | Provider as identified in the Agreement, being Revalize, Inc or such subsidiary thereof as identified in the Agreement |
Address | As detailed in the Agreement |
Contact person name, position and contact details | Kristen Shaheen, General Counsel & Chief Privacy Officer, Revalize, Inc, kristen.shaheen@revalizesoftware.com |
Activities relevant to the data transferred under these Clauses | Provision of services under the Agreement |
Signature and date | By entering into the Agreement, data exporter is deemed to have signed these Standard Contractual Clauses incorporated herein as of the effective date of the Agreement. |
Role (controller/processor) | Processor |
Categories of data subjects whose personal data is transferred | Employees, clients, customers and suppliers of Customer. Employees or contractors of Customer who contact Provider’s technical support facilities. |
Categories of personal data transferred | Customer’s employee categories: name, title, department, ID number, system usage, email address, job title, login credentials and/or contact telephone number. Customer’s end-user or consumer categories: name, email address, contact telephone number, account number. Additional Categories of Personal Data may be provided by Customer either as part of a Support request or through Customer’s use of Hosted Subscription Services. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and risks involved such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | Not applicable. |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Support & Professional Services: Personal Data is processed only for as long as is necessary to provide the particular Support and/or Professional Services. Subscription Services: Personal Data is stored for the duration of the Services and is deleted or returned to Customer as set out in the data processing agreement or as otherwise amended or deleted by Customer during the Term. |
Nature of the processing | Provider may Process Personal Data as necessary to perform the Services, including where applicable for hosting and storage; backup and disaster recovery; service change management; issue resolution; applying new product or system versions, patches, updates and upgrades; monitoring and testing system use and performance; IT security purposes including incident management; maintenance and performance of technical support systems and IT infrastructure; and migration, implementation, configuration and performance testing. |
Purpose(s) of the data transfer and further processing | Support may be provided by Provider in accordance with Provider’s Support Plan. When providing Support, Provider may be required by Customer to Process Personal Data. Provider may access and/or receive Personal Data when providing Support. Personal Data is not accessed and/or received in every Support case because some errors can be analyzed and rectified without such access if the background to the error is known. Depending on the issue, Provider or third-party vendors may provide Support and therefore an international transfer of Personal Data may occur. If, as part of an Order, Customer requires Provider to perform Professional Services to assist in deployment of the product during the term, then Provider may be required by Customer to Process Personal Data as part of that engagement. Customer will upload data to the Hosted Subscription Services in order to maximize the functionality of the product. Some of the data which may be uploaded to the Hosted Subscription Services may include Personal Data. Provider will store (either directly or using a third party Subprocessor as noted below) all data uploaded into the Hosted Subscription Services on behalf of Customer in accordance with the terms and conditions of service under the Agreement as mutually agreed to by the Parties. Customer will determine how and why the product will be used to its benefit which may include the frequent or infrequent use of Personal Data. Customer acknowledges that in relation to these Processing operations, Provider has no control over the submission of Data Subject’s Personal Data and that the design of the data to be submitted to Provider’s Hosted Subscription Services is at all times under the control of Customer. Except for the storage of the data within the Hosted Subscription Services (and the provision of Support, if applicable, described above), Provider is not involved in any Processing activities associated with this use of the product. If, as part of an Order, Customer requires Provider to perform Professional Services to assist in deployment of the product or application managed services during the Term, then Provider may be required by Customer to Process Personal Data for those purposes. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | For as long as necessary to perform the Services. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | The Provider may transfer Personal Data to sub-processor(s) for the purposes of performing the Services for such period as is necessary for such performance. |
Identify the competent supervisory authority/ies in accordance with Clause 13
European Economic Area: The State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg (https://www.baden-wuerttemberg.datenschutz.de)
Switzerland: The Swiss Federal Data Protection Authority (https://www.edoeb.admin.ch/edoeb/en/home.html)
United Kingdom: The Information Commissioner’s Office (ICO) (https://ico.org.uk/)
Technical Measures to Ensure Security of Processing | Description |
---|---|
1. Inventory and Control of Hardware Assets | Actively manage all hardware devices on the network so that only authorised devices are given access, and unauthorised and unmanaged devices are found and prevented from gaining access. |
2. Inventory and Control of Software Assets | Actively manage all software on the network so that only authorised software is installed and can execute, and that unauthorised and unmanaged software is found and prevented from installation or execution. |
3. Continuous Vulnerability Management | Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. |
4. Controlled Use of Administrative Privileges | Maintain processes and tools to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, applications, and data. |
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | Implement and manage the security configuration of mobile devices, laptops, servers, and workstations using a configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
6. Maintenance, Monitoring, and Analysis of Audit Logs | Collect, manage, and analyse audit and security logs of events that could help detect, understand, or recover from a possible attack. |
7. Email and Web Browser Protections | Deploy automated controls to minimise the attack surface and the opportunities for attackers to manipulate human behaviour through their interaction with web browsers and email systems or content. |
8. Malware Defenses | Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimising the use of automation to enable rapid updating of defense, data gathering, and corrective action. |
9. Limitation and Control of Network Ports, Protocols, and Services | Manage (track, control, correct) the ongoing operational use of ports, protocols, services, and applications on networked devices in order to minimise windows of vulnerability and exposure available to attackers. |
10. Data Recovery Capabilities | Maintain processes and tools to properly back up personal data with a proven methodology to ensure the confidentiality, integrity, availability, and recoverability of that data. |
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches | Implement and manage the security configuration of network infrastructure devices using a configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
12. Boundary Defenses | Detect, prevent, and correct the flow of information transferring networks of different trust levels with a focus on personal data. |
13. Data Protection | Maintain processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the confidentiality and integrity of personal data. |
14. Controlled Access Based on the Need to Know | Maintain processes and tools to track, control, prevent, and correct secure access to critical or controlled assets (e.g. information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical or controlled assets based on an approved classification. |
15. Wireless Access Control | Maintain processes and tools to track, control, prevent, and correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems. |
16. Account Monitoring and Control | Actively manage the life cycle of system and application accounts, their creation, use, dormancy, and deletion in order to minimise opportunities for unauthorised, inappropriate, or nefarious use. |
1. Implement a Comprehensive Information Security Programme | Through the implementation of a Comprehensive Information Security Programme (CISP), maintain various administrative safeguards to protect personal data. These measures are designed to ensure: security, confidentiality and integrity of personal data; protection against unauthorized access to or use of (stored) personal data in a manner that creates a substantial risk of identity theft or fraud; that employees, contractors, consultants, temporaries, and other workers who have access to personal data only process such data on instructions from the data controller. |
2. Implement a Security Awareness and Training Programme | For all functional roles (prioritizing those mission critical to the business, its security, and the protection of personal data), identify the specific knowledge, skills and abilities needed to support the protection and defense of personal data; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organisational planning, training, and awareness programmes. |
3. Application Software Security | Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses. |
4. Incident Response and Management | Protect the organisation's information, including personal data, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight, retainers, and insurance) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the organisation’s network and systems. |
5. Security and Privacy Assessments, Penetration Tests, and Red Team Exercises | Test the overall strength of the organisation’s defense (the technology, processes, and people) by simulating the objectives and actions of an attacker; as well as, assess and validate the controls, policies, and procedures of the organisation’s privacy and personal data protections. |
6. Physical Security and Entry Control | Require that all facilities meet the highest level of data protection standards possible, and reasonable, under the circumstances relevant to the facility and the data it contains, processes, or transmits. |
The controller has authorised the use of the following sub-processors: please see the list at https://revalizesoftware.com/legal/
Start Date | The commencement date of the Agreement. | |
---|---|---|
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties' details | Customer as identified in the Agreement | Provider as identified in the Agreement |
| | Trading name (if different): | Trading name (if different): |
| | As identified in the Agreement | As identified in the Agreement |
| | Official registration number (if any) (company number or similar identifier): As identified in the Agreement | Official registration number (if any) (company number or similar identifier): As identified in the Agreement |
Key contacts | Full name (optional): | Full name (optional): Kristen Shaheen |
| | Job title: As identified in the Agreement | Job title: General Counsel & Chief Privacy Officer |
| | Contact details including email: As identified in the Agreement | Contact details including email: kristen.shaheen@revalizesoftware.com |
Signature (if required for the purposes of Section 2) |
Addendum EU SCCs |
[X] The version of the Approved EU SCCs, which this Addendum is appended to, detailed below, including the Appendix Information. Date: date of the Agreement Reference (if any): Other identifier (if any): OR [ ] The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum. |
Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
---|---|---|---|---|---|---|
1 | | | | | | |
2 | | | | | | |
3 | | | | | | |
4 | | | | | | |
Annex 1A: List of Parties: |
Annex 1B: Description of Transfer: |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: |
Annex III: List of Sub processors (Modules 2 and 3 only): |
Ending this Addendum when the Approved Addendum changes |
Which Parties may end this Addendum as set out in Section 19: [X] Importer [X] Exporter [ ] Neither Party |
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs, those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
Appendix Information: As set out in Table 3.
Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) of the UK GDPR.
Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICO: The Information Commissioner.
Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
UK: The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR: As defined in section 3 of the Data Protection Act 2018.
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation ((EU) 2016/679), then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
(a) together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
(b) Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
(c) this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
(a) references to the “Clauses” mean this Addendum, incorporating the Addendum EU SCCs;
(b) In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
(c) Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
(d) Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
(e) Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
(f) References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
(g) References to Regulation (EU) 2018/1725 are removed;
(h) References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with “the UK”;
(i) The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module 1 is replaced with “Clause 11(c)(i)”;
(j) Clause 13(a) and Part C of Annex I are not used;
(k) The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
(l) In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
(m) Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
(n) Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
(o) The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
(a) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
(b) reflects changes to UK Data Protection Laws.
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
(a) its direct costs of performing its obligations under the Addendum; and/or
(b) its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
This Data Processing Agreement is accepted and agreed to by the Parties acting by their respective duly Authorized Representative.