TERMS OF SERVICE (V.5/25/18)
May 25, 2018
BEFORE USING INFLUITIVE’S SERVICES (AS DEFINED BELOW), PLEASE READ THESE END USER TERMS OF SERVICE (THIS “AGREEMENT”). THIS AGREEMENT IS INCORPORATED BY REFERENCE INTO THE ORDER FORM EXECUTED BY THE COMPANY IDENTIFIED AS THE “CUSTOMER” IN THE ORDER FORM (“CUSTOMER”) AND INFLUITIVE CORPORATION (“INFLUITIVE”). PURSUANT TO THIS AGREEMENT, CUSTOMER SHALL RECEIVE THE RIGHT TO ACCESS AND USE INFLUITIVE’S ENGAGEMENT PLATFORMS; AND/OR RECEIVE OTHER SERVICES FROM INFLUITIVE. THIS AGREEMENT AND THE ORDER FORM TOGETHER FORM A BINDING AND EXECUTED WRITTEN AGREEMENT BETWEEN CUSTOMER AND INFLUITIVE, EFFECTIVE AS OF THE EARLIEST OF THE DATE OF MUTUAL EXECUTION OF THE ORDER FORM OR THE DATE ON WHICH THE CUSTOMER USES THE SERVICES.
“Advocate” means individuals who have been invited by Customer to join Customer’s Advocate community by using the Services and accepting Customer’s Advocate User Agreement.
“Advocate User Agreement” means the terms and conditions under which Advocates will agree to use the Customer’s Advocate Platform.
“Affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Customer Content” means all data or information uploaded, submitted or posted by Customer and its Users during the Service Term.
“Documentation” means Influitive’s online knowledge base, documentation, and/or help and training materials, as updated from time to time, accessible via Influitive.com or login to the applicable Service.
“Services” or “Subscription” means the online, Web-based application provided by Influitive on a Subscription basis, including but not limited to AdvocateHub, AdvocateAnywhere, and Upshot; associated offline components; third party applications; and professional services that are ordered by Customer under an Order Form or a Statement of Work.
“User” means an individual who is authorized by Customer to use the Services on behalf of the Customer, including but not limited to employees, consultants, contractors, and agents of Customer.
2. INFLUITIVE SERVICES
2.1 Provision of Services. Influitive shall make the Services available to Customer and its Users on a subscription basis pursuant to this Agreement and the applicable Order Forms during the Service Term (the “Subscription”).
2.2 Subscriptions. Unless otherwise specified in the applicable Order Form or the Statement of Work, (i) Services are purchased as Subscriptions; (ii) additional Subscriptions may be added during the Subscription Term at the same pricing as that for the pre-existing Subscriptions, prorated for the remainder of the Term in effect at the time the additional Services are added; and (iii) the added Subscriptions shall terminate on the same date as the pre-existing Subscriptions. Professional Services may be purchased by Customer at Influitive’s then current rates and shall be detailed in the corresponding Statement of Work.
2.3 Influitive Responsibilities. Influitive shall: (i) provide to Customer basic support for the Services at no additional charge, and/or upgraded support if purchased, provided that the terms of such upgraded support are described in the Order Form; (ii) make the Services available in accordance with Influitive’s policies; and (iii) provide the Services in accordance with applicable laws and government regulations.
2.4 Customer Responsibilities. Customer shall (i) be responsible for Users’ compliance with this Agreement, (ii) be solely responsible for the accuracy, quality, integrity and legality of Customer Content and of the means by which it acquired Customer Content, (iii) use commercially reasonable efforts to prevent unauthorized access to or use of the Services, and notify Influitive promptly of any such unauthorized access or use, and (iv) use the Services only in accordance with Influitive’s instructions and applicable laws and government regulations. Customer shall not (a) make the Services available to any third party other than Users, (b) sell, resell, rent or lease the Services, (c) use the Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights, (d) use the Services to store or transmit Malicious Code, as such term is defined in Section 8.3, (e) interfere with or disrupt the integrity or performance of the Services or third-party data contained therein, or (f) attempt to gain unauthorized access to the Services or their related systems or networks.
3.1 Fees. Customer shall pay Influitive all the fees specified in the Order Forms (the “Fees”). Except as otherwise provided in the Order Form, all Fees are quoted in United States currency; Fees are based on Subscriptions purchased and not on actual usage; payment obligations are non-cancellable; and Fees are non-refundable. Fees for the Services will be invoiced in advance in accordance with the terms of the Order Form.
3.2 Payment Terms. Unless otherwise stated in the Order Form, payment is due within thirty (30) days of the invoice date. Any payment not received from Customer by the due date shall accrue (except with respect to charges then under reasonable and good faith dispute), at the lower of 1.5% or the maximum rate permitted by law of the outstanding balance per month from the date such payment is due until the date paid. If any Customer account is 30 days or more overdue (except with respect to charges then under reasonable and good faith dispute), in addition to any other rights and remedies (including the termination rights set forth in this Agreement), Influitive reserves the right to suspend the Services without liability to Influitive, until such account is paid in full.
3.3 Taxes. Fees are exclusive of all taxes, levies, or duties imposed by taxing authorities, and Customer shall be responsible for payment of all such taxes, levies, or duties, excluding only taxes based solely on Influitive’s income. If Influitive has the legal obligation to pay or collect taxes for which Customer is responsible, the appropriate amount shall be invoiced to and paid by Customer unless Customer provides Influitive with a valid tax exemption certificate authorized by the appropriate taxing authority.
4. TERM AND TERMINATION
4.1 Term of the Agreement. This Agreement commences on the last date of execution of the Order Form and continues until all Services expire or this Agreement is mutually terminated by the parties.
4.2 Term of the Services. The Services are offered for the initial term of service specified in the Order Form (the “Initial Term”). The Initial Term shall begin on the Contract Start Date stated in the Order Form. Following the Initial Service Term, Services shall renew in accordance with the terms of the Order Form (each, a “Renewal Term”). If, during the Initial Term or any Renewal Term, Customer adds any additional Subscriptions to its use of the Service, the amount of Customer’s Fees shall increase the sum set forth in the Order Form, and the Service Term for any such additional Services shall be coterminous with the Initial Term or any Renewal Term in effect at the time.
4.3 Termination of the Agreement. This Agreement and any Services may be terminated by either party for cause: (a) upon thirty (30) days written notice of a material breach to the other party if such breach remains uncured at the expiration of such period; or (b) if either party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.
4.4 Early Termination. If Customer wishes to terminate the Services under this Agreement prior to the expiration of the current Term and such termination is not due to Influitive’s breach, all Fees which would otherwise be due through the end of the Term in effect at the time, including any applicable taxes shall be due and payable within thirty (30) days of the effective date of termination and no refunds for pre-paid Services will be provided. The parties agree that these early termination charges are a reasonable estimate of anticipated actual damages and not a penalty.
5. PROPRIETARY RIGHTS
5.1 Grant of License. Subject to the terms herein, Influitive grants Customer a non-exclusive, non-transferable, non-assignable, worldwide limited license to access and use the Services solely for Customer’s own business purposes and only for the specific number of Users and time periods as set forth in each fully executed Order Form.
5.2 Reservation of Rights. Subject to the limited rights expressly granted hereunder, Influitive reserves all rights, title and interest in and to the Services, including all related intellectual property rights. No rights are granted to Customer hereunder other than as expressly set forth herein.
5.3 Restrictions. Customer shall not, and shall not allow third parties to: (i) license, sublicense, lease, rent, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available to any third party the Services in any way provided however that the Customer may permit use of Services, strictly in accordance with this Agreement, by third parties working on behalf of the Customer; (ii) access (or attempt to access) any of the Services by any means (including automated means) other than through the User ID that is provided by Influitive; (iii) reverse engineer, adapt, translate, decompile, or otherwise derive the source code for the Services; or access the Services in order to copy or imitate any ideas or features; or build a product or service similar to the Services; or use similar features, software, functions or graphics as those of the Services, whether or not intended to compete with the Services; (iv) use the Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit Malicious Code or material in violation of third-party privacy rights, or (v) access the Services for purposes of monitoring its availability, performance or functionality, or for any other benchmarking or competitive purpose.
5.5 Excluded Customer Content. Customer acknowledges that the Services are not intended to be a repository of personally identifiable information (“PII”) or personal data that may be considered sensitive or privileged, such as financial information, non-public personally identifiable information that could be legally considered private or sensitive, including without limitation, social security numbers, driver’s license numbers, birth dates, personal bank account numbers, and credit card numbers (the “Excluded Customer Content”). Notwithstanding the above, in the event that Customer or any of its Users uploads Excluded Customer Content to the Services in violation of this Agreement, Customer agrees to remove such information immediately, or at its reasonable discretion and upon prior written notice, Influitive may purge such data from its systems.
5.6 User passwords. Customer shall ensure that its Advocates and Users protect their unique user identification name and not make them available to persons or entities not authorized to use the Services. Influitive will only store User’s passwords in encrypted form. Influitive personnel will not be able to read User’s passwords.
5.7 Advocate User Agreement. Customer shall be responsible for ensuring that Advocates agree to the Advocate User Agreement, substantially in the form of Exhibit A, prior to using the Services.
5.8 Destruction of Customer Content. Upon written request by Customer made within 30 days after the effective date of termination, Influitive will provide Customer with temporary access to the Services so that Customer can retrieve its Customer Content. After such 30-day period, Influitive shall have no obligation to maintain or provide any Customer Content and shall reasonably thereafter, unless legally prohibited, delete all Customer Content in Influitive’s systems or otherwise in its possession or control.
6.1 Definition of Confidential Information. As used herein, “Confidential Information” means all confidential information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including but not limited to Customer Content, the terms and conditions of this Agreement and any Order Form, as well as business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by either party. However, Confidential Information (other than Customer Content) shall not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party.
6.2 Protection of Confidential Information. Except as otherwise permitted in writing by the Disclosing Party: (i) the Receiving Party shall use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care); (ii) the Receiving Party shall not disclose or use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement; and (iii) the Receiving Party shall limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees, contractors and agents who need such access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein. Neither party shall disclose the terms of this Agreement to any third-party other than its Affiliates and their legal counsel and accountants without the other party’s prior written consent.
6.3 Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information.
7. REPRESENTATIONS AND WARRANTIES
7.1 Corporate Authority. Each party represents and warrants that it has the legal power and authority to enter into these Terms, and that the Order Form is executed by an employee or agent of such party with all necessary authority to bind such party to the terms and conditions of this Agreement.
7.2 Functionality Warranty. Influitive warrants that the Services will operate in a manner consistent with general industry standards reasonably applicable to the provision hereof and in substantial conformity with the then current version of the applicable Documentation.
7.3 Data Security and Warranty. Influitive has implemented Appropriate Security Measures (as hereinafter defined) and maintains the Services at reputable third-party Internet service providers and co-location facilities. “Appropriate Security Measures” means commercially reasonable efforts to ensure that the Customer Content will be maintained accurately and safeguarded as well as technical and physical controls to protect Customer Content against destruction, loss, alteration, unauthorized disclosure to third parties or unauthorized access by employees or contractors employed by Influitive, whether by accident or otherwise. If Customer’s use of the Services involves processing personal data pursuant to Regulation 2016/679 (the “GDPR”) and/or transferring personal data outside the European Economic Area or Switzerland to any country not deemed by the European Commission as providing an adequate level of protection for personal data, the terms of the data processing addendum shall apply to such personal data and be incorporated into the Agreement upon the execution and submission of the Data Processing Addendum to Influitive in accordance with its terms. The Data Processing Addendum is attached and incorporated hereto as Exhibit B.
7.4 Additional Warranties. Influitive represents and warrants that: (i) the Services will be provided in a professional, timely and workmanlike manner by persons with the proper skill, training and background, and consistent with generally accepted industry standards; (ii) the Services will comply with all written specifications; (iii) the Services will be free of material defects; (iv) the Influitive technology shall not deliver any viruses, Trojan horses, trap doors, back doors, Easter eggs, worms, time bombs, cancelbots or other computer programming routines that are intended to damage, detrimentally interfere with, surreptitiously intercept or expropriate the contents of any databases and/or the normal operation of any computer systems (“Malicious Code”); (v) at the time of delivery, all Documentation required hereunder (if any) shall be complete so as to enable Customer personnel with ordinary skills and experience to utilize the Services for the purposes for which they are being acquired by Customer, (vi) it will at all times utilize reasonable and appropriate practices and technologies common and prevalent in Influitive’s industry to avoid causing damage to Customer’s computer systems or other technology.
7.5 Disclaimer. Except as expressly provided herein, Customer acknowledges and agrees that the Services are provided on an “As Is”, as available basis. Other than as expressly provided herein, Influitive disclaims warranties, whether expressed, implied, statutory or otherwise and specifically disclaims all implied warranties including without limitation the conditions and/or warranties of merchantability or fitness for any purpose to the maximum extent permitted by law. Influitive does not warrant that the Services will meet the Customer’s requirements or that the operation of the Services will be uninterrupted or error-free. Further, Influitive does not warrant that all errors in the Services can be corrected.
8. LIMITATION OF LIABILITY
EXCEPT FOR DAMAGES ARISING FROM BREACHES OF CONFIDENTIALITY AND EITHER PARTY’S INDEMNIFICATION OBLIGATIONS HEREIN, IN NO EVENT SHALL EITHER PARTY’S LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, (1) IN THE AGGREGATE, EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER HEREUNDER OR, (2) WITH RESPECT TO ANY SINGLE INCIDENT GIVING RISE TO LIABILITY, EXCEED THE AMOUNT PAID OR PAYABLE BY CUSTOMER HEREUNDER IN THE TWELVE MONTHS PRECEDING THE INCIDENT GIVING RISE TO LIABILITY. IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS OR REVENUES OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER OR PUNITIVE DAMAGES HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING DISCLAIMER SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.
9.1 Influitive Indemnification. Influitive shall indemnify and hold harmless the Customer against any loss, damage or cost (including reasonable attorney’s fees) incurred in connection with claims, demands, suits or proceedings (“Claims”) made or brought against Customer by a third party alleging that the use of the Services, as contemplated hereunder, infringes the intellectual property rights of a third party. Notwithstanding the foregoing if Influitive reasonably believes that the Customer’s use of any portion of the Services is likely to be enjoined by reason of a Claim of infringement, violation or misappropriation of any third party’s intellectual property rights then Influitive may, at its expense: (i) procure for the Customer the right to continue using the Services; (ii) replace the same with other software, services or other material of equivalent functions and efficiency that is not subject to an action of infringement; or (iii) modify the applicable software, support services or other material so that there is no longer any infringement or breach, provided that such modification does not adversely affect the capabilities of the Services as set out herein. Influitive shall have no liability respecting any Claim of infringement or breach as aforesaid to the extent such Claim is based upon the combination, operation or use of the Services with other equipment or software not supplied by Influitive or in a manner not consistent with Influitive’s instructions. THIS SECTION SETS FORTH INFLUITIVE’S SOLE LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY CLAIM OF INTELLECTUAL PROPERTY INFRINGEMENT.
9.2 Customer Indemnification. Customer agrees to indemnify and hold Influitive harmless against any loss, damage or costs (including reasonable attorney’s fees) incurred in connection with Claims made or brought against Influitive by a third party arising from or relating to Customer’s use of the Customer Content or the Services in violation of this Agreement.
9.3 Mutual Provisions. Each party’s indemnity obligations are subject to the following: (i) the aggrieved party shall promptly notify the indemnifier in writing of the Claim; (ii) the indemnifier shall have sole control of the defense and all related settlement negotiations with respect to the Claim (provided that the indemnifier may not settle or defend any Claim unless it unconditionally releases the aggrieved party of all liability); and (iii) the aggrieved party shall cooperate fully to the extent necessary, and execute all documents necessary for the defense of such Claim.
10. GENERAL PROVISIONS
10.1 Publicity. Customer agrees that Influitive may use Customer’s name and logo on Influitive’s website, and as a part of a general list of customers for use and reference in corporate, promotional and marketing literature. Without limiting the generality of the foregoing, Customer agrees that “Powered by Influitive” or similar marks may appear in forms, web pages and other outputs of Influitive Services.
10.2 Assignment. Neither party shall assign its rights or delegate its duties under the Agreement either in whole or in part without the prior written consent of the other party, except to a party that acquires all or substantially all of the assigning party’s assets as part of a corporate reorganization, merger or acquisition. The Agreement will bind and inure to the benefit of each party’s successors and permitted assigns.
10.4 Amendments. No amendment, supplement, modification, waiver or termination of this Agreement shall be binding unless executed in writing by the Parties to be bound thereby.
10.5 Governing Law. This Agreement shall be construed in accordance with and governed by the laws of the state of New York and subject to the exclusive jurisdiction of the state of New York.
10.6 Relationship. The Parties are independent contractors. This Agreement does not create a joint venture, partnership, employment, franchise, or agency relationship between Customer and Influitive.
10.7 Waiver and Severability. The failure of either party to enforce any right or provision in this Agreement shall not constitute a waiver of such right or provision unless acknowledged and agreed to by such party in writing. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision(s) shall be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect.
10.8 Force Majeure. Neither party will be liable for any failure or delay in its performance under the Agreement, due to any cause beyond its reasonable control provided that the delayed party (a) gives the other party prompt notice of such cause, and (b) uses reasonable commercial efforts to correct promptly such failure or delay in performance.
10.9 Entire Agreement. This Agreement, together with any applicable Order Form(s) (including any other documents referenced therein), comprises the entire agreement between Customer and Influitive regarding the subject matter contained herein and supersedes all prior or contemporaneous negotiations, discussions or agreements. In the event of any conflict between the terms of this Agreement and the terms of any Order Form, the terms of the Order Form shall prevail.
10.20 Surviving Provisions. The sections titled “Fees,” “Payment Terms,” “Proprietary Rights,” “Confidentiality,” “Warranties and Disclaimers,” “Mutual Indemnification,” “Limitation of Liability,” “Surviving Provisions,” and “General Provisions” shall survive any termination or expiration of this Agreement.
Advocate User Agreement Form
Welcome to the XXX Advocate Community. When you use the Community (defined below), you’re agreeing to these terms and conditions of use, which is a contract between you and us.
We are XXX, with office address at ____________________________________________.
1.1. The XXX Advocate Community (“Community”) is a web-based platform that enables you and other XXX advocates to receive invitations from us to participate in various challenges related to promoting XXX, such as but not limited to sharing items of importance to us on social media, speaking at one of our conferences, or talking about us to others (each a “Challenge”).
1.2. You agree that by providing us with your information and clicking “Accept”, you are entering into a legally binding agreement with us in your capacity as an authorized representative of XXX.
2.1. Your participation in the Community is completely voluntary. You may cancel your account at any time. Participation in a Challenge is also voluntary. You are free to refuse to participate in any Challenge.
2.2. The Community may allow you to interact with us and other advocates by posting your own content to the Community. “Content” means anything you post to the Community, including opinions, expressions, points of view, articles, videos, messages, photos, advice or any other information.
2.3. As between you and us, you own the Content that you post to the Community. However, by posting Content, you give us the right to use this Content, subject to certain limitations that we set out below. In legal language, this means that if you post Content, you give us and our corporate affiliates (which are companies that we own or that are under common ownership with us) a non-exclusive, royalty-free, perpetual, transferable and sublicensable license to use, copy, modify, distribute, publish and process your Content, without any further consent, notice, or compensation to you or any other third party.
2.4. Our rights to the Content are limited in the following ways:
a. You can end our license for any particular piece of Content by deleting it from the Community or by closing your Community account. However, if you have shared the Content with others and they have made a copy or stored your Content, it may not be completely deleted from the Community.
b. We will get your consent if we want to give others the right to publish your Content outside of the Community. However, other advocates of the Community may access and share your Content consistent with the functionality of the Community.
c. While we will not modify or amend your Content, we may make formatting changes to your Content.
2.5. If you participate in any Challenges, we may award you points based on your successful completion of the Challenge. We will automatically track your points for you. We will also display a leaderboard within the Community that sets out the number of points each Advocate has. This leaderboard is viewable by all other advocates of the Community. Please note that you can remove yourself from the leaderboard at any point in time, in your sole discretion.
2.6. We appreciate your thoughts about the Community. By submitting suggestions or other feedback about the Community to us, you agree that we can use and share (but do not have to use or share) such feedback for any purpose without compensation to you.
3. The Community Rules
3.1 We have certain rules that we require all of the advocates of our Community to follow. These rules help to ensure that the Community functions properly and benefits all participants, including us.
3.2 You agree that you will:
a. be at least 18 years old (and you cannot use the Community if you are younger than 18);
b. choose a strong password, keep your password secure and confidential, and not transfer any part of your account to anybody else. You are responsible for anything that happens through your account unless the use happens after you’ve closed your account;
c. use the Community in a professional manner and in accordance with any usage guidelines we may make available from time to time;
d. provide accurate and correct information about yourself to us and keep it updated, including using your real name in your Community profile; and
e. only post Content that does not violate the law or anyone else’s rights (including somebody’s intellectual property rights).
3.3. You agree that you will not:
a. create an account for somebody else;
b. use or attempt to use another advocate’s account;
c. harass, abuse, or harm another person;
d. scrape or copy profiles and information of others through any means;
e. act in an unlawful, libelous, abusive, obscene, discriminatory, or otherwise objectionable manner (to be determined within our sole discretion);
f. post Content that you do not have the right to post;
g. violate our intellectual property rights or use our intellectual property rights in any way other than as expressly permitted by us;
h. post any Content that constitutes unsolicited or unauthorized advertising, such as junk mail, spam, or any other form of solicitation that we have not authorized;
i. post any Content or otherwise interact with the Community in any way that contains and/or spreads viruses, worms, or any other harmful code;
j. copy or use the Content of others, in connection with a service that competes with the Community;
k. reverse engineer, decompile, disassemble, decipher, or otherwise attempt to derive all or part of the source code for the Community or any related technology;
l. use bots or other automated methods to access the Community;
m. monitor the availability, performance, or functionality of the Community for any competitive purpose;
n. engage in framing, mirroring, or otherwise simulating the appearance or function of the Community;
o. rent, lease, loan, trade, or sell/re-sell access to the Community or any related information, data or Content;
p. imply or state that you are affiliated with us or endorsed by us without our prior written consent;
q. remove any intellectual property rights notices in the Community;
r. collect, use, copy, or transfer any third party Content without our consent; or
s. override or attempt to override any security features of the Community.
4. Messages, the service, and limitations
4.1. The Community may allow the sharing of Content and communication with other advocates. Other advocates or the public may see Content that you post, depending on the settings we offer and your choice of how to manage such settings.
4.2. We do not have to publish your Content, nor do we have to allow you to post Content. We reserve the right to remove any Content at any time for any reason, within our sole discretion.
4.3. We may change, suspend, or end any part or all of the Community at any time for any reason, in our sole discretion. To the extent permissible under applicable law, these changes are effective upon notice to you. Following such a change, if you do not want to continue to use the Community, please close your account immediately.
4.4. Depending on the functionality of the Community as it may exist from time to time, we may allow messaging amongst users of the Community. Any such messages must be sent in accordance with this Agreement and our usage guidelines.
4.6. Since we do not review Content before it is published, you may see Content that is inaccurate, incomplete, delayed, misleading, illegal, offensive or otherwise harmful. Although we do our best to encourage advocates to follow the Community rules, you agree that we are not responsible for Content posted by anybody but us, or for any damages as a result of your use or reliance on such Content.
4.7. By joining the Community, you give us consent to email you about the Community, related services from us, and/or related services from third parties. If we send you a marketing email, you will always have the opportunity to opt-out of future marketing emails in the footer of every email we send you.
5. Disclaimer of Warranties; Exclusions and Limits of Liability
***Please read this entire section 5, as it excludes and limits our liability to you in certain ways***
5.1. We do not exclude or limit any liability that cannot be excluded or limited under applicable law. If you live in a country where any of the exclusions and/or limitations set out in this section 5 are not allowed, such exclusions and/or limitations do not apply to you.
5.2. Subject to section 1, we:
a. will provide you access to the Community and any related services with reasonable skill and care, provided that we disclaim all other warranties, conditions, representations or other terms, whether express or implied;
b. do not guarantee that the Community will function without interruption or errors, or at all; and
c. will provide the Community on an “as is” and on an “as available” basis, subject to 2(a).
5.3. Subject to sections 1 and 5.2, we exclude all liability, whether in tort (including for negligence), breach of statutory duty, contract, misrepresentation, restitution or otherwise, direct or indirect, whether foreseeable, known, foreseen or otherwise, for any: (a) lost profits (of any kind); (b) loss or corruption of data; (c) loss of reputation or goodwill; or (d) for any special, indirect or consequential loss, costs, damages, charges or expenses, however arising.
5.4. Subject to sections 1, 5.2 and 5.3, our total liability, however arising, will under no circumstances exceed in aggregate, the greater of $1,000.
5.5. If anyone brings a claim against us related to your actions or any Content you post to the Community, you will indemnify us from all damages, losses, and expenses of any kind (including reasonable legal fees and costs) that we suffer arising out of the claim.
6. Suspension and termination
6.1. We may suspend your access to your account if you violate any material obligation of this Agreement.
6.2. Both you and we may terminate this Agreement at any time for any reason, with notice to the other party. On termination, you lose the right to access or use the Community.
6.3. The sections of this Agreement that need to survive termination in order to give full effect to their provisions, survive this Agreement’s termination.
7. Complaints about content
7.1. We respect the intellectual property rights of others. It is our aim that the Community contains no content that violates any third party rights. We try to accomplish this via this User Agreement. In addition, we also set out the policies and procedures in this section 8 for individuals to identify potentially problematic or infringing Content.
7.2. When you submit a complaint to us, whether or not we take action, we may make a good faith effort to notify the individual who posted or submitted the Content, including by providing the complainant’s contact information, so that the individual who posted the Content is notified of the alleged violation of intellectual property rights or other content violation.
7.3. Please note that any notice or counter-notice you submit must be truthful and must be submitted under penalty of perjury. A false notice or counter-notice may give rise to personal liability. You may therefore want to seek the advice of legal counsel before submitting a notice or a counter-notice.
Claims regarding copyright infringement
Notice of copyright infringement
7.4. Pursuant to the Digital Millennium Copyright Act (“DMCA”), we have implemented procedures for receiving written notification of claimed infringements. We have also designated an agent to receive notices of claimed copyright infringement. If you believe in good faith that your copyright has been infringed, you may submit a written communication to us at _________________________ or our address set out above, setting out the following:
a. an electronic or physical signature of the person authorized to act on behalf of the owner of the copyright interest;
b. a description of the copyrighted work that you claim has been infringed;
c. a description specifying the location on our website of the material that you claim is infringing;
d. your telephone number and e-mail address;
e. a statement by you that you have a good faith belief that the disputed use is not authorized by the copyright owner, its agent, or the law; and
f. a statement by you, made under penalty of perjury, that the information in your notice is accurate and that you are the copyright owner or authorized to act on the copyright owner’s behalf.
7.5. If you believe that a notice of copyright infringement has been improperly submitted against you, you may submit a counter-notice, in accordance with the DMCA. You may submit your counter-notice to ___________________________ or to our office address set out above, setting out the following:
a. your physical or electronic signature;
b. identification of the Content removed or to which access has been disabled; and
c. a statement under penalty of perjury that you have a good faith belief that removal or disablement of the Content was a mistake or that the Content was misidentified.
8.1. The only way you can provide us legal notice is to the address we have provided at the beginning of this User Agreement.
8.2. The following rules of interpretation apply to this Agreement: (a) the words “include” and “including” are deemed to have the words “without limitation” following them; (b) references to the singular include the plural and vice versa; and (c) references to “will” are to be construed as having the same meaning as “shall”.
8.3. If any term of this Agreement is found invalid, illegal or unenforceable, the rest of the Agreement remains in effect.
8.4. If we do not enforce a term of the Agreement, it is not a waiver of that term or any other term.
8.5. This Agreement makes up the entire agreement between you and us, and supersedes any prior agreements.
8.6. You will not transfer any of your rights or obligations under this Agreement to anyone else without our consent. All of our rights and obligations under this Agreement are freely assignable by us in connection with a merger, acquisition, sale of assets, by operation of law or otherwise.
8.7. If you are a resident of the United States, this Agreement shall be construed in accordance with and governed by the laws of the state of New York and subject to the exclusive jurisdiction of the state of New York. If you are not a resident of the United States this Agreement shall be construed in accordance with and governed by the laws of the province of Ontario, Canada and subject to the exclusive jurisdiction of the province of Ontario.
Data Processing Addendum
Dear Valued Customer,
We believe you to be a customer for which Influitive may process personal information on your behalf. As part of our GDPR compliance effort, we want to ensure that we have the appropriate Data Processing Addenda in place with our customers.
The new General Data Protection Regulation of the EU (2016/679, 27th of April 2016), concerning the processing of personal data, came into effect on the 25th of May 2018. Article 28 of the General Data Protection Regulation (GDPR) requires that specific rights, obligations and information concerning the processing of personal data are registered in all existing contracts with entities that may process personal data. For the existing customer agreements, we have developed an amendment in the form of a DATA PROCESSING ADDENDUM, the clauses of which are imposed by the General Data Protection Regulation, and which you will find attached here. We emphasize that this GDPR Addendum is only intended to bring our agreement in line with the requirements of the new legislation on the matter and therefore does not affect any other element of our current service agreement.
We thank you for completing this DPA, signing it for agreement, and returning it via email sent to: this address, or email@example.com. Please structure the subject of your email as follows: “DPA”. If you do not have the possibility to send the GDPR contract in PDF via email, you can send the paper version to: Privacy Officer, Influitive Corporation, 111 Peter Street, 3rd Floor, Toronto, ON M5V 2H1 Canada. We draw your attention to the fact that the data to be filled in in the schedules attached to the Data Processing Addendum is essential to comply with the regulations. For additional questions, reach out to firstname.lastname@example.org.
Raif Barbaros, Privacy Officer
Data Processing Addendum
This EU Data Processing Addendum (the “Addendum”) is entered into between Influitive Corporation, with address at 111 Peter Street, 3rd Floor, Toronto, ON M5G 2V9 (the “Processor”) and the company identified as the “Controller” in this Addendum (“Controller”). From the date of the last signature below, the Addendum shall form part of the agreement executed between the Processor and Controller governing the services provided by Supplier (the “Agreement”). This Addendum applies to personal data from individuals located in the European Union processed by Processor in connection with the services provided by Processor to Controller (“EU Personal Data”).
- Data Processing. Processor will process EU Personal Data on behalf of Controller in accordance with the standard contractual clauses under Commission Decision C (2010)593 (or superseding contractual clauses enabling non-EEA data Processors), as executed in Exhibit A to this Addendum (the “SCCs”). The SCCs are incorporated into this Addendum by reference.
- Parties’ Rights and Obligations. The parties will comply with their respective obligations under the EU Data Protection Directive 95/46/EC (the “Directive”) and the superseding General Data Protection Regulation 2019/679 (the “GDPR”) when it goes into effect on May 25, 2018 and any subordinate legislation and regulation implementing the Directive or GDPR that may apply (“Data Protection Laws”). “Data Controller”, “Data Processor”, “Personal Data”, “Personal Data Breach” and “Supervisory Authority” have the meaning given in the Directive, GDPR, and/or Data Protection Laws. For the purpose of the Services, Controller is the Data Controller, and Processor is the Data Processor. In furtherance of each party’s compliance with the GDPR, including but not limited to the requirements of Article 28, Processor agrees as follows:
a. Processor will only process the EU Personal Data as set out by Appendix 1 to the SCCs and only on documented instructions from Controller;
b. Processor shall take steps to ensure that any natural person acting under Processor’s authority does not process EU Personal Data except on instructions from Controller;
c. Processor shall ensure that any personnel it authorizes to process EU Personal Data have committed themselves to confidentiality and/or treat the EU Personal Data as confidential information;
d. Processor shall implement the technical and organizational measures set forth in Appendix 2 to the SCCs to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and ensure a level of security appropriate to the risk of its processing of the EU Personal Data, consistent with its obligations under Article 32 of the GDPR;
e. Processor is authorized to engage additional Processors to process EU Personal Data provided that (1) Processor contractually obligates such Processor(s) to at least the same data protection obligations as stipulated by this Addendum (including the SCCs) and imposes obligations providing sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the GDPR; and (2) Processor provides written notice to Controller at the email address included in the signature block at least thirty (30) days prior to EU Personal Data being processed by such additional Processor. Upon receipt of such notice, Controller shall have thirty (30) days to object to such processing and, if Processor cannot perform the Services without such additional Processor or otherwise prevent such additional Processor from processing EU Personal Data, Controller shall have the right to terminate the Agreement without penalty and receive a pro rata refund of any pre-paid amounts not yet accrued. Where any additional Processor fails to fulfill its data protection obligations, Processor shall remain fully liable to Controller for the performance of that Processor’s obligations;
f. Processor shall, taking into account the nature of the processing, assist Controller in fulfilling its responsibilities to respond to data subject requests to exercise rights under the GDPR;
g. Processor shall, taking into account the nature of the processing and information available to the Processor, assist Controller in ensuring compliance with the obligations in Articles 32–36 of the GDPR;
h. Processor shall notify Controller without undue delay, and in no event later than seventy-two (72) hours, after becoming aware of a Personal Data Breach and where available, provide a description of the nature of the personal data breach, the name and contact information of the data protection officer or point of contact, likely consequences of the Personal Data Breach, and description of any measures taken or proposed to address the Personal Data Breach and/or mitigate its possible adverse effects. Processor shall use reasonable efforts to assist Controller with any communications required as a result of such a Personal Data Breach;
i. Processor shall provide reasonable assistance to Controller in any applicable data protection impact assessment and/or prior consultations and communications with supervisory authorities;
j. At the choice of Controller, Processor will delete or return all EU Personal Data to Controller upon completion of the Services and/or termination of the Agreement and Processor will delete all existing copies in its possession (unless required to store such personal data under applicable law);
k. Processor will make available to Controller all information necessary to demonstrate compliance with its obligations under the GDPR and allow for and contribute to audits, including inspections, conducted by Controller or a third-party auditor required by Controller; and
l. Processor will inform Controller if, in Processor’s opinion, an instruction from Controller infringes the GDPR.
The parties hereby agree that this Addendum supersedes any conflicting or inconsistent provisions in the Agreement related to data protection and, in any event of ambiguity, this Addendum will prevail. The Agreement, as amended and modified by this Addendum, otherwise remains in full force and effect. In case of a conflict between the body text of this Addendum and the SCCs as attached as Exhibit A, the SCCs shall prevail.
IN WITNESS WHEREOF, the parties’ authorized signatories have duly executed this Agreement:
|CONTROLLER:||PROCESSOR: INFLUITIVE CORPORATION|
|Email Contact (for breach notifications):|
Standard Contractual Clauses (Processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of data protection,
Name of the data exporting organization: __________________
Other information needed to identify the organization:
(the data exporter)
Name of the data importing organization: Influitive Corporation
Address: 111 Peter Street, 3rd Floor, Toronto, ON M5G 2V9
Other information needed to identify the organization:
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘Controller’, ‘Processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the Controller who transfers the personal data;
(c) ‘the data importer’ means the Processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the sub-Processor’ means any Processor engaged by the data importer or by any other sub-Processor of the data importer who agrees to receive from the data importer or from any other sub-Processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data Controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the sub-Processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-Processor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-Processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-Processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorized access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-Processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-Processor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-Processor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-Processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-Processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-Processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-Processor agrees that the data subject may issue a claim against the data sub-Processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-Processor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-Processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-Processor preventing the conduct of an audit of the data importer, or any sub-Processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-Processor which imposes the same obligations on the sub-Processor as are imposed on the data importer under the Clauses. Where the sub-Processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-Processor’s obligations under such agreement.
- The prior written contract between the data importer and the sub-Processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-Processor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data-processing services
- The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-Processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the sub-Processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph
On behalf of the data exporter:
Name (written out in full):
Other information necessary in order for the contract to be binding (if any):
(stamp of organization)
On behalf of the data importer:
Name (written out in full):
Other information necessary in order for the contract to be binding (if any):
(stamp of organization)
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The Data Exporter is (please specify briefly your activities relevant to the transfer):
Data Exporter is __________________ and its affiliates established within the European Economic Area (EEA) and Switzerland, and that have purchased services from the Data Importer pursuant to the Agreement.
The data importer is (please specify briefly activities relevant to the transfer):
The Data Importer is the legal entity that has executed the Clauses as a Data Importer.
The personal data transferred concern the following categories of data subjects (please specify):
Categories of data
The personal data transferred concern the following categories of data (please specify):
- personal master data (name, address, title, company)
- contact details (telephone number, mobile phone number, email address, fax number, address data, shipping address)
- Others: Social Media profiles
Special categories of data (if appropriate):
The personal data transferred concern the following special categories of data (please specify):
Purposes of the transfer / Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
Processing activities to provide the services in accordance with the Agreement, including communication with the Data Exporter
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data Importer maintains and enforces various policies, standards and processes designed to secure personal data and other data to which Data Importer employees are provided access, and updates such policies, standards and processes from time to time consistent with industry standards. Following is a description of some of the core technical and organizational security measures implemented by Data Importer as of the date of signature:
1. General Security Procedures
1.1 Data Importer shall be responsible for establishing and maintaining an information security program that is designed to: (i) protect the security and confidentiality of Personal Data; (ii) protect against anticipated threats or hazards to the security or integrity of the Personal Data; (iii) protect against unauthorized access to or use of the Personal Data; (iv) ensure the proper disposal of Personal Data, as further defined herein; and, (v) ensure that all employees and subcontractors of Data Importer, if any, comply with all of the foregoing. Data Importer shall designate an individual to be responsible for the information security program. Such individual shall respond to Data Exporter inquiries regarding computer security and be responsible for notifying Data Exporter-designated contact(s) if a breach or an incident occurs, as further described herein.
1.2 Data Importer shall conduct formal privacy and security awareness training for all personnel and contractors as soon as reasonably practicable after the time of hiring and/or prior to being appointed to work on Personal Data and annually recertified thereafter. Documentation of security awareness training shall be retained by Data Importer, confirming that this training and subsequent annual recertification process have been completed.
1.3 Data Exporter shall have the right to review an overview of Data Importer’s information security program prior to the commencement of Service and annually thereafter upon Data Exporter request.
1.4 In the event of any apparent or actual theft, unauthorized use or disclosure of any Personal Data, Data Importer shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof, and within one (1) business day following confirmation of any such event, provide Data Exporter notice thereof, and such further information and assistance as may be reasonably requested. Upon Data Exporter request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to Data Exporter.
1.5 Data Importer shall not transmit any unencrypted Personal Data over the internet or any unsecured network, and shall not store any Personal Data on any mobile computing device, such as a laptop computer, USB drive or portable data device, except where there is a business necessity and then only if the mobile computing device is protected by industry-standard encryption software. Data Importer shall encrypt Personal Data in transit into and out of the Services over public networks using industry standard protocols.
2. Network and Communications Security
2.1 All Data Importer connectivity to Data Exporter computing systems and/or networks and all attempts at same shall be only through Data Exporter’s security gateways/firewalls and only through Data Exporter-approved security procedures.
2.2 Data Importer shall not access, and will not permit unauthorized persons or entities to access Data Exporter computing systems and/or networks without Data Exporter’s express written authorization and any such actual or attempted access shall be consistent with any such authorization.
2.3 Data Importer shall take appropriate measures to ensure that Data Importer’s systems connecting to Data Exporter’s systems and anything provided to Data Exporter through such systems does not contain any computer code, programs, mechanisms or programming devices designed to, or that would enable, the disruption, modification, deletion, damage, deactivation, disabling, harm or otherwise be an impediment, in any manner, to the operation of Data Exporter’s systems.
2.4 Data Importer shall maintain technical and organisational measures for data protection including: (i) firewalls and threat detection systems to identify malicious connection attempts, to block spam, viruses and unauthorized intrusion; (ii) physical networking technology designed to resist attacks by malicious users or malicious code; and (iii) encrypted data in transit over public networks using industry standard protocols.
3. Personal Data Handling Procedures
3.1 Disposal of Personal Data on paper shall be done in a secure manner, to include shredders or secure shredding bins within Data Importer space from which Personal Data is handled or accessed (“Data Exporter Work Area”). Shredding must take place within the Data Exporter Work Area before disposal or transit outside of the Data Exporter Work Area or be performed offsite by a reputable third party under contract with Data Importer.
3.2 Erasure of Information and Destruction of Electronic Storage Media. All electronic storage media containing Personal Data must be wiped or degaussed for physical destruction or disposal, in a manner meeting forensic industry standards such as the NIST SP800-88 Guidelines for Media Sanitization, prior to departing Data Exporter Work Area(s), with the exception of encrypted Personal Data residing on portable media for the express purpose of providing service to the Data Exporter. Data Importer shall maintain commercially reasonable documented evidence of data erasure and destruction for infrastructure level resources. This evidence must be available for review at the request of Data Exporter.
3.3 Data Importer shall maintain authorization and authentication technologies and processes to ensure that only authorized persons access Personal Data, including: (i) granting access rights on the basis of the need-to-know-principle; (ii) reviewing and maintaining records of employees who have been authorized or who can grant, alter or cancel authorized access to systems; (iii) requiring personalized, individual access accounts to use passwords that meet complexity, length and duration requirements; (iv) storing passwords in a manner that makes them undecipherable if used incorrectly or recovered in isolation; (v) encrypting, logging and auditing all access sessions to systems containing Personal Data; and (vi) instructing employees on safe administration methods when computers may be unattended such as use of password protected screen savers and session time limits.
3.4 Data Importer shall maintain logical controls to segregate Personal Data from other data, including the data of other customers.
3.5 Data Importer shall maintain measures to provide for separate processing of data for different purposes including: (i) provisioning Data Exporter within its own application-level security domain, which creates logical separation and isolation of security principals between customers; and (ii) isolating test or development environments from live or production environments.
4. Physical Security
4.1 All backup and archival media containing Personal Data must be contained in secure, environmentally-controlled storage areas owned, operated, or contracted for by Data Importer. All backup and archival media containing Personal Data must be encrypted.
4.2 Technical and organisational measures to control access to data center premises and facilities are in place and include: (i) staffed reception desks or security officers to restrict access to identified, authorized individuals; (ii) visitor screening on arrival to verify identity; (iii) all access doors, including equipment cages, secured with automatic door locking systems with access control systems that record and retain access histories; (iv) monitoring and recording of all areas using CCTV digital camera coverage, motion detecting alarm systems and detailed surveillance and audit logs; (v) intruder alarms present on all external emergency doors with one-way internal exit doors; and (vi) segregation of shipping and receiving areas with equipment checks upon arrival.
4.3 Data Importer shall maintain measures to protect against accidental destruction or loss of Personal Data including: (i) fire detection and suppression, including a multi-zoned, dry-pipe, double-interlock, pre-action fire suppression system and a Very Early Smoke Detection and Alarm (VESDA); (ii) redundant on-site electricity generators with adequate supply of generator fuel and contracts with multiple fuel providers; (iii) heating, ventilation, and air conditioning (HVAC) systems that provide stable airflow, temperature and humidity, with minimum N+1 redundancy for all major equipment and N+2 redundancy for chillers and thermal energy storage; and (iv) physical systems used for the storage and transport of data utilizing fault tolerant designs with multiple levels of redundancy.
5. Security Testing
During the performance of services under the Agreement, Data Importer shall engage, at its own expense and at least one time per year, a third-party vendor (“Testing Company”) to perform penetration and vulnerability testing (“Security Tests”) with respect to Data Importer’s systems containing and/or storing Personal Data.
The objective of such Security Tests shall be to identify design and/or functionality issues in applications or infrastructure of the Data Importer systems containing and/or storing Personal Data, which could expose Data Exporter’s assets to risks from malicious activities. Security Tests shall probe for weaknesses in applications, network perimeters or other infrastructure elements as well as weaknesses in process or technical countermeasures relating to the Data Importer systems containing and/or storing Personal Data that could be exploited by a malicious party.
Security Tests shall identify, at a minimum, the following security vulnerabilities: unvalidated or un-sanitized input; broken or excessive access controls; broken authentication and session management; cross-site scripting (XSS) flaws; buffer overflows; injection flaws; improper error handling; insecure storage; common denial of service vulnerabilities; insecure or inconsistent configuration management; improper use of SSL/TLS; proper use of encryption; and anti-virus reliability and testing.
Within a reasonable period after the Security Test has been performed, Data Importer shall notify Data Exporter in writing of any critical security issues that were revealed during such Security Test which have not been remediated. To the extent that critical security issues were revealed during a particular Security Test, Data Importer shall subsequently engage, at its own expense, the Testing Company to perform an additional Security Test to ensure resolution of identified security issues. Results thereof shall be made available to the Data Exporter upon request.
6. Security Audit
Data Importer, and all subcontracted entities (as appropriate) shall conduct at least annually an SSAE 18 (or higher) audit covering all systems and/or facilities utilized to provide the Service to the Data Exporter, and will furnish to Data Exporter the results thereof promptly following Data Exporter’s written request. If, after reviewing such audit results, Data Exporter reasonably determines that security issues exist relating to the Service, Data Exporter will notify Data Importer, in writing, and Data Importer will promptly discuss and where commercially feasible, address the identified issues. Any remaining issues shall be documented, tracked and addressed at such time as agreed upon by both Data Importer and the Data Exporter.
Last updated: May 25, 2018