General Terms and Conditions
The customer identified on the Order Form in which these General Terms and Conditions (the “GTCs”) are referenced (the “Customer”), and Catalyst Computer Systems Ltd., a company registered in England with number 02382593 whose registered office is Granite House, 58 Loughborough Road, Mountsorrell, Leicestershire, LE12 7AT (the “Supplier”) each of whom may be referred to herein as a “Party” and collectively as the “Parties,” hereby agree as follows:
1. Definitions.
Capitalized terms not otherwise defined in this Agreement have the meaning ascribed to them below:
(a) “Affiliate” means with respect to an entity, any other person or entity now or hereafter that (i) directly or indirectly owns or controls, is owned or controlled by, or is under common ownership or control with such entity, and (ii) is under common management with such entity.
(b) “Agreement” means these GTCs, including any schedules or appendices attached hereto, as they exist on the date that they are incorporated, by reference or otherwise, into any fully executed Order Form, and as these GTCs may be modified in accordance with Section 15(g), together with the additional terms and conditions set forth in any Order Form or addenda which incorporates the GTCs by reference. The Parties agree that upon execution of an Order Form in which these GTCs are expressly referenced, these GTCs shall also be deemed to be incorporated into any and all Order Forms previously entered into by the Parties and, to the extent such prior Order Forms were subject to other terms and conditions, these GTCs shall amend and replace any such terms and conditions.
(c) “Authorized User” means those individuals or entities who are authorized by Customer to access and use the Software, including any third-parties that are authorized pursuant to Section 2(a)(ii) below, subject to the limitations and obligations of Customer under the Agreement. An individual cannot be an Authorized User if that individual, or class of individuals to which it belongs, is otherwise ineligible per the terms of the Agreement.
(d) “Customer Data” means all information, data, and other content that is provided by Customer or its Authorized Users to Supplier, or Supplier’s Affiliates or Personnel, through Customer’s or its Authorized Users’ use of the Software as well as all information, data, and other content that results from processing the same through the Software, but only to the extent that any such information, data, and other content does not contain any Supplier Materials.
(e) “Documentation” means the technical and functional documentation that Supplier distributes in connection with its Products, as revised by Supplier from time to time, and which may include end user manuals, operation instructions, installation guides, release notes, and on-line help files regarding the use of the Products.
(f) “Hardware” means the equipment, hardware and accessories supplied or sold by Supplier pursuant to an Order Form.
(g) “IP Rights” means any and all registered and unregistered rights granted, applied for, or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, database protection, or other intellectual property rights laws, and all similar or equivalent rights or forms of protection, in any part of the world.
(h) “Maintenance Services” means the maintenance services that are provided to Customer by Supplier in support of its Products pursuant to the Agreement.
(i) “Order Form” means (i) an ordering document, quotation, statement of work, or any online order, entered into by the Parties, which incorporates these GTCs by reference or otherwise, together with (ii) all other ordering documents, quotations, statements of work or online orders previously entered into by the Parties that specify any Products to be provided by Supplier. To the extent that any such ordering document, quotation, statement of work, or online order incorporates any addenda or supplements thereto (“Product Specific Terms” or “PSTs”), any such PSTs shall be included in this definition of Order Form.
(j) “Personnel” means any employee, director, officer, or subcontractor for a given Party or Affiliate.
(k) “Professional Services” means the implementation, integration, configuration, installation, training, and other professional services performed by Supplier as described in an Order Form.
(l) “Products” means, collectively, the Software, Services, and Hardware.
(m) “Regular Business Hours” means 09.00h – 17.30h Monday to Friday, excluding bank and public holidays, in London, England.
(n) “Services” means, collectively, the Professional Services, Support Services, Maintenance Services, and Hosting Services.
(o) “Software” means the object code version of a computer program that is developed by or for Supplier and/or one of its Affiliates, and delivered to Customer pursuant to an Order Form, along with any related Documentation, Embedded Third-Party Content, and any Updates made available to Customer via Support Services and Supplier Materials necessary for Customer to make use of the Software in accordance with the terms of the Agreement. Software does not include Third-Party Content.
(p) “Supplier Materials” means any and all information, data, documents, materials, works, and other content, devices, methods, processes, hardware, software, and other technologies and inventions, including any technical or functional descriptions, requirements, plans, or reports, that are developed, provided, or used by Supplier or any of its Personnel in connection with the Products or otherwise comprise or relate to the Products. Supplier Materials include Usage Data and Deliverables, but do not include Customer Data or Third-Party Content.
(q) “Support Services” means customer support services that are provided to Customer by Supplier in support of its Products pursuant to the Agreement.
(r) “Territory” means the geographic area in which Customer is permitted to use the Products, as may be specified in an Order Form.
(s) “Update” means any update, upgrade, release, or other adaptation or modification of the Software, including any updated Documentation, that Licensor may provide to Customer from time to time during the Term, which may contain, among other things, error corrections, enhancements, improvements, or other changes to the user interface, functionality, compatibility, capabilities, performance, efficiency, or quality of the Software.
(t) “Usage Data” means data created by Supplier or its Products utilizing information derived from Customer’s use of the Products, including, but not limited to, any end user profile, visit, session, impression, clickthrough or clickstream data, and any statistical or other analysis, information, or data based on or derived from any of the foregoing. The aforementioned data shall be deidentified to the extent that it contains attributes that can be used to identify Customer, its business, or any natural person.
(u) “Usage Metric” means the standard of measurement and quantity for determining the permitted use and calculating the Fees due for the Software.
2. Usage Rights; License.
(a) Rights Granted & Permitted Use.
(i) Software. Subject to and conditioned on Customer’s and its Authorized Users’ compliance with the terms and conditions of the Agreement, including but not limited to payment of any Fees set forth on the applicable Order Form, Supplier hereby grants to Customer, for use in connection with its internal business purposes, a limited, non-exclusive, non-transferable (except in compliance with Section 12) license to use the compiled or object-code version (not source code) of the Software set forth in the applicable Order Form, during the Term (defined in Section 11 below), unless expressly identified as a perpetual license on the applicable Order Form, solely for use by Authorized Users in the Territory and in a manner that does not exceed the Usage Metrics stated in an Order Form. Customer may make no more than one (1) copy of the Software for back-up purposes. For the avoidance of doubt duplicates of data for back up purposes are not limited by this provision. All other duplication and reproduction of the Software is expressly prohibited without Supplier’s prior written authorization. All rights not expressly granted to Customer hereunder are reserved by Supplier. Customer acknowledges that the Software may require activation by way of an activation key on initial installation and from time to time based on certain events, including, without limitation, Updates and changes to hardware on which the Software is installed. Customer acknowledges that the activation keys and internal controls in the Software do not necessarily restrict usage and deployment of the Software to comply with the Usage Metrics set forth in an Order Form.
(ii) Third-Party Authorized Users.
(a) Affiliate Use. Customer shall not authorize its Affiliates to use the Software except as and to the extent specified in an Order Form. Any authorized use of the Software by Customer Affiliates is subject to the following: (i) Customer warrants that it has the authority to, and by executing an Order Form with permitted Customer Affiliate use does, bind such Affiliates and their Authorized Users to the terms of the Agreement, including, where reasonably appropriate, those terms that do not expressly identify Affiliates as obligors; (ii) Customer must be appropriately licensed for any and all increased usage of the Software attributable to its Affiliates and their Authorized Users; (iii) Customer and its Affiliates shall remain jointly and severally liable to Supplier for Customer’s Affiliates’ and their Authorized Users’ use of the Software; (iv) a breach of the Agreement terms by an Affiliate or its Authorized Users shall be considered a breach by Customer hereunder; and (v) use by any Affiliate that is in market competition with Supplier is prohibited. The Affiliate use rights set forth herein may only be exercised pursuant to a valid Order Form executed by Customer for only as long as that Order Form is in effect. In instances where Supplier has permitted Customer Affiliate use of the Software, Customer must request additional prior written approval to expand any such Affiliate use beyond the originally defined Territory.
(b) Service Provider Use. Customer may authorize its third-party service providers and contractors (collectively “Service Providers”) to use the Software, but only to the extent necessary for Customer to make use of the Software as intended by and in accordance with the Agreement. Any authorized use of the Software by Service Providers is subject to the following: (i) these rights will continue only while Customer and Service Providers have in place a written agreement that gives Customer the authority to compel any such Service Providers’ compliance with terms that are not materially different than those portions of the Agreement that govern the use of the Software, including without limitation license grants and restrictions, and non-disclosure of Supplier Confidential Information; (ii) Customer must be appropriately licensed for any and all increased usage of the Software attributable to Service Providers; (iii) Customer shall remain jointly and severally liable to Supplier for its Service Providers’ use of the Software; (iv) a breach of the Agreement terms by a Service Provider shall be considered a breach by Customer hereunder; and (v) under no circumstances may Service Providers use the Software to operate or provide services to any other party, or in connection with Service Providers’ own business operations.
(b) Restrictions. Customer shall not, and shall not permit any other person to, access or use the Software except as expressly permitted by the Agreement. For purposes of clarity and without limiting the generality of the foregoing, Customer shall not, except as the Agreement expressly permits: (a) subject to any non-waivable rights Customer may enjoy under applicable law, decompile, disassemble, reverse engineer, or otherwise attempt to derive the Software’s source code; (b) modify, enhance, change the data structures for or create derivative works from, the Software; (c) rent, lease, sell, sublicense or otherwise transfer the Software to third parties; (d) make the Software available in any form to any person other than Authorized Users who require such access; (e) input, upload, transmit, or otherwise provide to or through the Software, any information or materials that are unlawful or injurious, or contain, transmit, or activate any virus, worm, malware, ransomware, or other malicious computer code (“Harmful Code”); (f) access or use the Software in any manner or for any purpose that infringes, misappropriates, or otherwise violates any IP Rights or other right of any third party, or that violates any applicable law; (g) access or use the Software for purposes of competitive analysis of the Software; or (h) distribute (or facilitate the distribution of) Customer Data that contains, or links to, material that could be considered unlawful, harmful, threatening, defamatory, obscene, harassing, or is otherwise objectionable to Supplier; and (i) facilitate spam, excessive or unlawfully sourced data transfers, or engage in activity that results in spam warnings from industry spam monitors.
(c) Software Updates. For those Customers that are current on their Fees, as part of the Maintenance Services purchased by such Customers, Supplier may provide Updates to the Software and Documentation. Customer agrees to install all Updates to the Software made available by Supplier within ninety (90) days following such availability. If Customer fails to install any such Update, Supplier reserves the right to suspend all implementation, training, and Support Services until Customer installs such Update. Supplier is not liable to Customer for any damages that result from, or could have been avoided but for, Customer’s failure to install Updates. Updates are provided at no additional cost to only those Customers that are current on their Support Services Fees. Supplier may offer to Customer for license, either under or separately from the Agreement, programs which provide new functionality or materially expand the function of the Software (“New Products”). New Products are not Upgrades and may be subject to additional Fees. Supplier shall, in its sole discretion, resolve any ambiguity with regard to whether any given program is an Upgrade or a New Product.
(d) Changes. Supplier reserves the right, in its sole discretion, to make any changes to the Software it deems necessary or useful to: (a) maintain or enhance: (i) the quality or delivery of Supplier’s services to its customers; (ii) the competitive strength of or market for Supplier’s Products; or (iii) the cost efficiency or performance of the Software; or (b) to comply with applicable law.
(e) Evaluation Licenses. During the Term, Supplier may provide Software to Customer on a free trial or evaluation basis (an “Evaluation License”), as indicated either in (i) an Order Form, or (ii) some other communication to Customer which incorporates these GTCs by reference, in which case the Customer’s use of the Evaluation License shall be deemed acceptance of these GTCs. Evaluation Licenses are subject to the terms and conditions of the Agreement, except, notwithstanding any other provision in the Agreement, all Evaluation Licenses are provided by Supplier AS IS without ANY indemnification, support, or warranty of any kind, and without any liability to Customer WHATSOEVER OR ANY LIMITATIONS ON CUSTOMER’S LIABILITY TO SUPPLIER. At the end of the Evaluation License Term, the Evaluation License will convert to a prospective twelve (12) month Initial Term for the Software, subject to the same Usage Metrics allotted during the Evaluation License and at Supplier’s then-current list Fees for the Software, which shall be invoiced immediately, unless, prior to the end of the Evaluation Term, Customer either (i) enters into a different arrangement with Supplier, as memorialized in an Order Form, or (ii) notifies Supplier of its intent to opt out of any such Evaluation License conversion.
3. Hardware and Services.
(a) Hardware.
(i) Delivery of Hardware. Delivery of Hardware shall take place during Regular Business Hours. Supplier shall use reasonable efforts to deliver the Products in accordance with the timeframes set forth in an Order Form, but any such timeframes are approximate only. If no timeframes are specified in the Order Form, delivery shall be within a reasonable time of the effective date of the Order Form. Supplier is not in any circumstances liable for any delay in delivery of the Hardware, however caused. Hardware may be delivered by the Supplier in advance of a quoted delivery date on giving reasonable notice to the Customer. Notwithstanding anything in the Agreement (including any Order Form) to the contrary, Supplier may invoice Customer for any Hardware not yet delivered if such delivery has been delayed or rescheduled by Customer by more than 180 days from the date of the applicable Order Form.
(ii) Transfer of Risk and Ownership. Risk shall pass to the Customer at the point of delivery to the Customer. Ownership of the Hardware shall not pass to the Customer until the Supplier has received in full (in cash or cleared funds) all sums due to it in respect of the Hardware and all other sums which are or which become due to the Supplier from the Customer on any account. Until ownership of the Hardware has passed to the Customer, the Customer shall: (A) hold the Hardware on a fiduciary basis as the Supplier’s bailee; (B) store the Hardware (at no cost to the Supplier) in satisfactory conditions and separately from all the Customer’s other hardware or that of a third party, so that it remains readily identifiable as the Supplier’s property; (C) not destroy, deface or obscure any identifying mark or packaging on or relating to the Hardware; and (D) keep the Hardware insured on the Supplier’s behalf for its full price against all risks with a reputable insurer to the reasonable satisfaction of the Supplier, ensure that the Supplier’s interest in the Hardware is noted on the policy, and hold the proceeds of such insurance on trust for the Supplier and not mix them with any other money, nor pay the proceeds into an overdrawn bank account. The Customer’s right to possession of the Hardware before ownership has passed to it shall terminate immediately in the event of any breach of the Agreement by Customer or if the Customer encumbers in any way the Hardware. Until ownership of the Hardware is transferred to the Customer, the Customer grants the Supplier, its agents and employees an irrevocable licence at any time to enter any premises where the Hardware is or may be stored in order to inspect it, or where the Customer’s right to possession has terminated, to remove it. All costs incurred by the Supplier in repossessing the Hardware shall be borne by the Customer. 
On termination of the Agreement for any reason, the Supplier’s (but not the Customer’s) rights in this Section shall survive.
(b) Support Services and Maintenance Services.
(i) If Support Services and Maintenance Services are purchased by Customer, then Supplier, through its Personnel, will provide the Support Services and Maintenance Services as set forth in Schedule A attached hereto. The Support Services and Maintenance Services shall also be provided as specified in any additional applicable Documentation, subject to any other terms and conditions set forth in the applicable Order Form. Customer acknowledges and agrees that Support Services are intended to address specific problems experienced by Customer relating to the Software and/or Hardware, and are not intended to train Customer’s employees or to support third party products.
(ii) Supplier shall not be obligated to provide Support Services or Maintenance Services to the extent a particular request arises from any of the following conditions: (i) Customer’s failure to use the Software or Hardware in accordance with the terms and conditions of the Agreement, including but not limited to any applicable Documentation; (ii) Customer’s modification or alteration of the Software or Hardware, except where expressly permitted by Supplier; (iii) Customer’s use of any third party components to interface with the Software or Hardware, whether by Application Programming Interface (API) or otherwise, without the express prior written consent of Supplier; (iv) excluding any of Supplier’s obligations to maintain the Hardware included in the Maintenance Services, Customer’s failure to maintain any equipment on which the Software is operated in accordance with the Documentation; (v) Customer’s failure to implement all available Updates and any updates to third party programs that are necessary for the proper operation of the Software; (vi) Customer’s failure to provide reasonable access to its systems as Supplier deems necessary to provide the Support Services and Maintenance Services, including, but not limited to, by way of telecommunications, internet or other remote access to the server environment in which the Software resides, (vii) any negligence or misuse by the Customer or a third party, or (viii) unreasonable environmental causes, including but not limited to extreme temperature, dust, humidity, or exposure to water or physical or electrical stress. All time and materials expended by Supplier resulting from Customer’s breach of such conditions shall be billed to Customer at Supplier’s standard time and materials rates.
(iii) On at least one hundred twenty (120) days prior written notice to Customer, Supplier may declare any Software or Hardware obsolete or “End of Life.” Upon such a declaration, Supplier may, in its sole discretion, either decline to offer Support Services and/or Maintenance Services for such obsolete Software or Hardware (as applicable) or continue offering End of Life Support Services and/or Maintenance Services on a limited basis. Supplier reserves the right to charge additional Fees for any End of Life Support Services and/or Maintenance Services and offer any length of term that it sees fit.
(c) Professional Services.
(i) Scope. Supplier, through its Personnel, will provide the Professional Services to Customer as specified in an Order Form, subject to the terms of the Agreement.
(ii) Project Change Requests. Either Party may request a modification to any material provision of the Order Form by submitting a Project Change Request (“PCR”). Upon receipt of a PCR, Supplier will determine whether such modifications are in its reasonable discretion commercially feasible and, if so, estimate its financial and schedule impacts, if any. The Parties will review these estimates to determine whether the PCR would be mutually acceptable. Supplier may not unreasonably refuse to accept a PCR initiated by Customer, if Customer agrees to bear the pricing and schedule impacts. If the Parties agree on the PCR, the Parties will execute the PCR. If the Parties are unable to agree within five (5) business days after the PCR is submitted, then the submitting Party may either withdraw the PCR or terminate the Order Form for convenience in accordance with Section 11(d). Additional services that are required as a result of Customer’s action, inaction or failure to meet its obligations, including delays or wait time caused by issues related to hardware or software not provided by Supplier, shall be billable to Customer and will be invoiced at Supplier’s then-current
(iii) Deliverables and Acceptance. As part of the Professional Services, some Order Forms may specify particular “Deliverables” which shall mean all documents, work product, and other materials, expressly identified as Deliverables in an Order Form, that are prepared by or on behalf of Supplier specifically for Customer. Supplier hereby grants to Customer a nonexclusive, irrevocable, transferrable, sublicensable, perpetual license to use any such Deliverable to the extent necessary for Customer to make use of the Deliverable for its own internal business purposes. For the sake of clarity, the aforementioned license does not permit the use of any Supplier Materials that constitute a given Deliverable independent of the Deliverable as a whole. If Customer reasonably believes that Supplier did not perform the Deliverables in material conformance with the Order Form, Customer will notify Supplier, in writing, within ten (10) business days of delivery of the Deliverable (the “Acceptance Period”). Customer’s notice must specifically identify and explain each alleged non-conformance. For those Deliverables that do not conform to the Order Form, Supplier will use commercially reasonable efforts to correct the non-conformity at no cost to Customer. If Supplier does not receive Customer’s acceptance or rejection within the Acceptance Period, the Deliverables will be deemed accepted by Customer.
(iv) Personnel. Supplier will determine the Personnel assigned to perform the Professional Services. Supplier shall remain fully responsible for the performance of all Personnel and for their compliance with all of the terms and conditions of the Agreement, regardless of whether the Personnel in question is an employee of Supplier or otherwise. Nothing contained in the Agreement shall create any contractual relationship between Customer and any Personnel. Booking of Professional Services shall be subject to the availability of Personnel. Should Customer require rescheduling of booked Professional Services, Supplier will make commercially reasonable efforts to accommodate Customer’s request, which may be subject to additional cost to Customer.
(v) Custom Development and Enhancement Requests. Any programming services for new software development or software modifications shall be subject to additional terms and conditions. Supplier has the right, and sole discretion, to reject any request for enhancement or modification to the Software by
(vi) Cancellation. If the Customer cancels any Professional Services, unless otherwise set forth in the applicable Order Form, the Customer shall be liable to pay cancellation fees to the Supplier as follows: the cost of any hotels, flights and any other expenses incurred where these cannot be cancelled plus (A) 50% of the contracted Fees if cancelled within 10 to 6 days of the delivery date; or (B) 75% of the contracted Fees if cancelled within 5 days or less of the delivery date.
(d) Hosting Services. Any hosting or cloud services are subject to additional terms and conditions attached to an Order Form for such hosting or cloud services.
(e) Dropbox Authorization. Customer hereby authorizes Supplier to purchase, on Customer’s behalf and in Customer’s name, any Dropbox, Inc. services, products and/or accounts set forth on an Order Form, including without limitation from a third party reseller. Customer acknowledges and agrees that, to the extent permitted by law, Supplier shall have no liability whatsoever in connection with such purchase, or any Dropbox, Inc. services, products and/or accounts.
4. Payment.
(a) Fees. Customer will pay all fees for Products as set out in an Order Form (the “Fees”) in accordance with the Agreement and any additional terms set out in, and in the currency specified in, an Order Form. Except as otherwise expressly permitted by the Agreement, payment obligations are non-cancellable and Fees paid are non-refundable. Unless otherwise expressly set forth on an Order Form, Fees may be adjusted no more than once per year during the Term and shall remain fixed for Software Maintenance Services and Software Support Services during the Initial Term, unless Customer (i) exceeds the quantities licensed in the Order Form, (ii) upgrades or requests additional Products, or (iii) otherwise agrees to Fee fluctuations in an Order Form. Quantities purchased cannot be decreased during any given Initial Term or Renewal Term. Supplier may adjust the Fees prior to the start of any Renewal Term, provided that Fee adjustments shall be no more frequent than once each year.
(b) Expenses. All travel and expenses necessitated by the provision of any Product by Supplier hereunder will be reimbursed by Customer to
(c) Invoicing and Payment. Fees will be invoiced as set forth in the Order Form. All invoices are due within thirty (30) days of receipt by Customer with no right to set-off, and overdue accounts will be subject to interest at a rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower. If Supplier offers to accept payment by BACS payment, as indicated in an invoice or Order Form then Customer hereby authorizes Supplier to use a third party to process payments in accordance with the schedule and/or frequency set forth in an invoice, Order Form, or SOW, and consents to the disclosure of Customer payment information to such third party.
(d) Taxes. Each Party will be responsible, as required under applicable law, for identifying and paying all taxes and other governmental fees and charges (and any penalties, interest, and other additions thereto) that are imposed on that Party upon or with respect to the transactions and payments under the Agreement. All Fees payable by Customer are exclusive of taxes or duties that Supplier is required to collect and pay on Customer’s behalf, including, without limitation, VAT, Service Tax, GST, excise taxes, sales and transactions, and gross receipts tax (“Indirect Taxes”), except where applicable law requires otherwise. Supplier may charge and Customer will pay applicable Indirect Taxes that Supplier is legally obligated or authorized to collect from Customer. Customer will provide such information to Supplier as reasonably required to determine whether Supplier is obligated to collect Indirect Taxes from Customer. Supplier will not collect, and Customer will not pay, any Indirect Tax for which Customer furnishes Supplier a properly completed exemption certificate or a direct payment permit certificate for which Supplier may claim an available exemption from such Indirect Tax, which must be provided to Supplier at least five (5) business days prior to the due date of the applicable Supplier invoice. All payments made by Customer to Supplier under the Agreement will be made free and clear of any deduction or withholding, as may be required by law. If any such deduction or withholding (including but not limited to cross-border withholding taxes) is required on any payment, Customer will pay such additional amounts as are necessary so that the net amount received by Supplier is equal to the amount then due and payable under the Order Form. Supplier will provide Customer with such tax forms as are reasonably requested in order to reduce or eliminate the amount of any withholding or deduction for taxes in respect of payments made under the Agreement. 
If Supplier pays any costs or expenses incurred in relation to any import duties, customs, formalities, permissions or other requirements, then Customer shall promptly reimburse Supplier for all such amounts in
(e) Disputes. Any invoice disputes must be initiated by Customer in good faith and in writing within thirty (30) days following the date of the applicable invoice. Failure to dispute an invoice within the time allotted shall be deemed acceptance. If Customer initiates a dispute with regard to a particular invoice, any undisputed amounts charged on such invoice will continue to be due and payable. Supplier and Customer agree to use reasonable efforts to address and attempt to resolve any invoice dispute within thirty (30) days after Supplier’s receipt of Customer’s notice to Supplier regarding such
5. Third Party Content.
(a) Third parties, or Supplier on behalf of third parties, may make available to Customer software, documents, data, content, specifications, products, equipment, components, websites, or professional services licensed by third parties that are (i) interoperable with or accessible through the Software, and (ii) not embedded in nor inseparable from the Software (“Third-Party Content”) for use in conjunction with or support of the Software. Except as otherwise specified in an Order Form, Supplier shall have no responsibility for the licensing, implementation, or operation of Third-Party Content.
(b) Third-Party Content does not include any third-party software, libraries, or code that (i) are embedded in or form an inseparable part of the Software, and (ii) have been licensed by Supplier for use in Software (“Embedded Third-Party Content”). Embedded Third-Party Content may be subject to additional terms and conditions which are required to be flowed down from Embedded Third-Party Content providers from time to time (“Flow Down Terms”) and which are incorporated herein by reference. Customer understands and acknowledges that the use of any Embedded Third-Party Content is subject to Customer’s acceptance of any such Flow Down Terms. To the extent that Embedded Third-Party Content is open source software, any such open source software is made available under the applicable open source licenses specified in the applicable PSTs.
6. Intellectual Property
(a) Ownership of Products and Supplier Materials. Subject to any rights expressly granted by the Agreement (including, for example, any sale of Hardware), as between Supplier and Customer, Supplier retains all right, title, and interest, including but not limited to IP Rights, in the Products and Supplier Materials, including all enhancements and modifications thereto. Customer acknowledges and agrees that unless otherwise expressly agreed it is only licensing the right to use the Products and Supplier Materials and that no sale or other transfer of any title or ownership or any proprietary interest of any kind to such Products and Supplier Materials is contemplated hereunder, other than the grant of the limited licenses as expressly set forth herein. Customer covenants, on behalf of itself and its successors and assigns, not to assert against Supplier, its Affiliates, or licensors, any rights, or any claims of any rights, in any Products and Supplier Materials.
(b) Ownership of Customer Data. Subject to any rights expressly granted by the Agreement, as between Supplier and Customer, Customer retains any and all right, title, and interest, including but not limited to IP Rights, in the Customer Data.
(c) Consent to Use Customer Data. Customer grants to Supplier a non-exclusive, world-wide, royalty-free, fully paid up, perpetual and irrevocable license to access and use Customer Data as necessary for Supplier, its Affiliates, and their respective Personnel, to (i) enforce the Agreement, (ii) exercise their respective rights under the Agreement, and (iii) perform their respective obligations under the Agreement. Customer further grants Supplier, and its Personnel working in an official capacity on behalf of Supplier, a non-exclusive, world-wide, royalty-free, fully paid up, irrevocable license to use Customer Data to create Usage Data. Usage Data, once created, shall be Supplier Materials. In the event that Usage Data, or any portion thereof, is ever deemed Customer Data, Customer shall grant to Supplier a nonexclusive, irrevocable, transferrable, sublicensable, perpetual license to use Customer Data to the extent necessary for Supplier to make use of any such Usage Data in any manner it sees fit. Customer may grant to Supplier additional rights to use Customer Data as set forth in an Order Form. Supplier shall not use Customer Data except as permitted by this Section 6(c).
(d) Customer Feedback. Supplier shall own all right, title, and interest to any suggestions, ideas, enhancement requests, feedback, recommendations, or other information provided by Customer to Supplier relating to the improvement of the Products (“Customer Feedback”). Supplier shall have no obligation to Customer with regard to the Customer Feedback. Customer shall have no obligation to provide Customer
(e) Use of Branding. Unless indicated otherwise in the applicable Order Form, Customer provides Supplier with permission to use its trademark, logo and trade name (“Branding”) in Supplier’s promotional and marketing materials. Supplier is granted no other right to the Branding and acknowledges that it shall not have any proprietary interest in the same. Supplier is not obligated to use or to compensate Customer for its use of the Branding. Supplier shall be the exclusive owner of all right, title, and interest, including copyright in its promotional and marketing materials. The permission to use the Branding may be terminated at any time by Customer by providing thirty (30) days’ written notice to Supplier. Upon such termination, Supplier shall refrain from future use of the Branding; however, Supplier may continue to distribute and use the promotional and marketing materials where Customer’s Branding has been previously printed prior to the notice of termination and where such placements cannot reasonably be discontinued or altered.
7. Confidentiality; Data Privacy
(a) Customer Responsibilities. Customer agrees to comply with all applicable anti-spam and data privacy laws and regulations. Customer shall be responsible for securing all rights and permissions to use the Customer Data, or to instruct Supplier to use the Customer Data on Customer’s behalf, in conjunction with the Products, including all the necessary rights and permissions to license the Customer Data to Supplier as set forth in the Agreement. Furthermore, Customer shall be responsible for (i) the integrity of the Customer Data, (ii) the selection and implementation of controls to restrict access and use of the Software to only Authorized Users, and (iii) implementing all commercially reasonable measures to secure and protect the Customer Data from unauthorized access and loss, to the extent that it is possible for Customer to do so based on a given Product’s available features, functionality, configuration settings, or implementation methods. The responsibilities of Customer set forth in this Section 7(a) are not shared with Supplier unless, and only to the extent that, any such responsibilities are expressly borne by Supplier pursuant to the Agreement.
(b) Supplier Responsibilities.
(i) Compliance with Privacy Laws. Supplier will comply with all applicable anti-spam and privacy laws in its performance of the Agreement and will provide assistance as may be reasonably requested by Customer to meet its obligations under any such laws in connection with the Agreement; provided, however, such assistance may be subject to additional Fees for applicable professional services provided by Supplier if such assistance is not needed in relation to a breach of the Agreement by Supplier.
(ii) Data Security. The terms of the Data Processing Agreement set forth on Schedule B attached hereto (the “DPA”) shall apply to the extent that Supplier processes any Personal Data (as defined in the DPA). If Supplier does not process any Personal Data, the following shall apply: (A) Supplier shall take reasonable technical and organizational measures to protect Customer Data from unauthorized use and disclosure; and (B) in the event of any unauthorized access to, use, or disclosure of Customer Data from any system within Supplier’s control (a “Data Incident”), Supplier shall inform Customer within a reasonable time following discovery of such Data Incident, use commercially reasonable efforts to investigate and remediate the Data Incident, and provide Customer with information reasonably requested by Customer in Customer’s investigation of the Data Incident.
(c) Mutual Nondisclosure Obligations.
(i) By virtue of the Agreement, the parties may have access to the other Party’s “Confidential Information”, which shall mean any information disclosed under the Agreement that (a) if tangible, is clearly marked as “Confidential” or with a similar designation; (b) if intangible, is identified as “Confidential” by discloser at the time of disclosure and confirmed in writing to recipient as being Confidential Information; or (c) from the relevant circumstances should reasonably be known by recipient to be confidential (including, without limitation, pricing, non-public Personal Data, Products and Supplier Materials). Confidential Information does not include any portion of the information that recipient can prove (a) was rightfully known to recipient before receipt from discloser; (b) was generally known to the public on the Effective Date of the Agreement; (c) becomes generally known to the public after the Effective Date of the Agreement, through no fault of recipient; (d) was received by recipient from a third party without breach of any obligation owed to discloser; or (e) was independently developed by recipient without breach of the Agreement.
(ii) The Parties will hold each other’s Confidential Information in confidence and will treat it with the same degree of care with which it would treat its own Confidential Information of a like nature, and in no case less than a reasonable degree of care. With respect to all Confidential Information other than Products and Supplier Materials provided by Supplier, such obligation shall terminate three (3) years after termination of the With respect to the Products and Documentation provided by Supplier, such obligation is perpetual.
(iii) Except as otherwise expressly stated in the Agreement, Confidential Information may only be disclosed to the receiving Party’s and its Affiliates’ employees, subcontractors, consultants, agents, and other representatives who are required to access it to carry out the obligations or exercise the rights of the receiving Party and its Affiliates under the Agreement, provided that those to whom the receiving Party and its Affiliates disclose the Confidential Information are contractually obligated to protect such Confidential Information in a manner that is no less restrictive than the requirements set forth in the Agreement. Each Party shall be responsible for any acts or omissions of its or its Affiliates’ employees, subcontractors, consultants, agents, and other representatives which, if they were acts or omissions of that Party, would be deemed a breach of that Party’s obligations of this Section 7. Supplier may also disclose Customer’s Confidential Information to a Third-Party Content provider to the extent necessary to facilitate Customer’s relationship with that Third-Party Content provider.
(iv) It shall not be a breach of this Section 7(c) if Confidential Information is disclosed pursuant to subpoena or other compulsory judicial or administrative process, provided that the Party served with such process promptly notifies, to the extent legally permissible, the other Party and provides reasonable assistance so that the other Party may seek, at its own cost and expense, a protective order against
(v) The parties recognize and agree that monetary damages are an inadequate remedy for breach of the obligations set forth in this Section 7(c) and further recognize that any breach would result in irreparable harm to the non-breaching Party. In the event of such a breach, the non-breaching Party may seek injunctive relief from a court of competent jurisdiction to pursue those remedies available to it.
(d) Sensitive Personal Information. “Sensitive Personal Information” means an individual’s financial information, sexual preferences, medical, or health information protected under any health data protection laws, biometric data (for purposes of uniquely identifying an individual), personal information of children protected under any child data protection laws and any additional types of information included within this term or any similar term (such as “sensitive personal data” or “special categories of personal information”) as used in applicable data protection or privacy laws. Customer shall not collect, process, or store any Sensitive Personal Information using the Software unless permitted by an Order Form, or otherwise without prior written consent of Supplier, provided that the execution of any agreement or addendum to an agreement which governs the use of any such Sensitive Personal Information (e.g. a Business Associate Addendum or Data Processing Agreement which expressly covers Sensitive Personal Information) shall be deemed consent.
(e) Return and Destruction of Confidential Information. Except to the extent that the continued use of a Party’s Confidential Information is necessary for the other Party to exercise rights that are intended to survive the Agreement as expressly granted hereunder, upon the termination or expiration of the Agreement: (i) all rights granted by the disclosing Party with respect to its Confidential Information will automatically terminate and the receiving Party shall immediately cease (and cause its and its Affiliates’ employees, subcontractors, consultants, agents, and other representatives to cease) any access to and use of the disclosing Party’s Confidential Information; and (ii) the receiving Party shall securely destroy the disclosing Party’s Confidential Information in a manner consistent with the sensitivity of the Confidential Information. Upon request of the disclosing Party, an officer of receiving Party shall certify to all such destruction in writing. Notwithstanding the foregoing, the receiving Party may retain a copy of Confidential Information only for archival purposes if required by law or in accordance with receiving Party’s bona fide records retention policies, provided that the receiving Party continues to abide by the restrictions set forth in this Section 7 for as long as it retains such Confidential Information.
8. Indemnification
(a) By Supplier. Supplier will, at its expense, defend Customer against any claim, demand, suit, or proceeding made or brought against Customer, or any Affiliates authorized to use the Products pursuant to Section 2(a)(ii)(A) of these GTCs, by a third party alleging that Customer’s use of a Product within the scope of the Agreement infringes or misappropriates the IP Rights of such a third party (a “Claim Against Customer”), and will indemnify Customer from any damages, attorney fees and costs finally awarded against Customer as a result of, or for amounts paid by Customer under a settlement approved by Supplier in writing of, a Claim Against Customer; provided that Customer notifies Supplier promptly in writing of the Claim Against Customer, provides Supplier with the sole control and authority to defend or settle the Claim Against Customer, and gives Supplier the authority, information and assistance necessary to settle or defend the Claim Against Customer. If any of the Products are, or in Supplier’s opinion are likely to be, claimed to infringe, misappropriate, or otherwise violate any third-party IP Rights, Supplier may in its discretion and at no cost to Customer (i) modify or replace the Products, in whole or in part, to make the Products (as so modified or replaced) non-infringing, while providing materially similar features and functionality, (ii) obtain the right for Customer to continue to use the Products as contemplated by the Agreement, or (iii) by written notice to Customer, terminate the Agreement with respect to all or part of the Products, and require Customer to immediately cease any use of the Products, or any specified part or feature thereof, provided that Customer shall be entitled to a pro rata refund for any Products that are terminated pursuant hereto. 
Notwithstanding the foregoing, Supplier shall have no obligation to defend against or indemnify for any Claims Against Customer to the extent they arise from: (A) use of a version of the Software that was not, at the time that the Claim Against Customer arose, the current unaltered version of the Software made available by Supplier hereunder; (B) combination, operation, integration (other than performed by Supplier hereunder) or interfacing of the Software with Third-Party Content, if such Claim Against Customer would not have arisen but for such combination, operation, integration (other than performed by Supplier hereunder) or interfacing; (C) use of the Products in a manner other than as authorized by the Agreement; (D) Supplier’s use of Customer Data in conjunction with the Products; or (E) modifications to the Software by any person other than Supplier or its authorized agents or subcontractors.
(b) By Customer. Customer will, at its expense, defend Supplier against any claim, demand, suit, or proceeding made or brought against Supplier or any of its Affiliates or Personnel by a third party (i) arising from or related to Customer’s failure to use the Products in accordance with the terms of the Agreement or any applicable laws, or (ii) alleging that any Customer Data, use of Customer Data by Supplier within the scope of the Agreement, or Customer action or inaction described in the final sentence of Section 8(a), infringes or misappropriates the IP Rights of such a third party, or arising from Customer’s use of the Products in an unlawful manner or in violation of the Agreement (a “Claim Against Supplier”), and will indemnify Supplier from any damages, attorney fees and costs finally awarded against Supplier, or for amounts paid by Supplier under a settlement approved by Customer in writing, as a result of a Claim Against Supplier; provided that Supplier notifies Customer promptly in writing of the Claim Against Supplier, provides Customer with the sole control and authority to defend or settle the Claim Against Supplier, and gives Customer the authority, information and assistance necessary to settle or defend the Claim Against Supplier.
(c) THE FOREGOING STATES THE INDEMNIFYING PARTY’S SOLE AND EXCLUSIVE LIABILITY TO, AND THE INDEMNIFIED PARTY’S SOLE AND EXCLUSIVE REMEDY AGAINST, THE OTHER PARTY WITH RESPECT TO ANY THIRD-PARTY CLAIM OF INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY RIGHTS OR PROPRIETARY RIGHTS DESCRIBED IN SECTIONS 8(a) AND 8(b).
9. Warranty & Warranty Disclaimer
(a) Mutual Representations and Warranties. Each Party represents and warrants to the other Party that: (i) it is duly organized, validly existing, and in good standing as a corporation or other entity under the laws of the jurisdiction of its incorporation or other organization; (ii) it has the full right, power, and authority to enter into and perform its obligations and grant the rights, licenses, consents, and authorizations it grants or is required to grant under the Agreement; (iii) the execution of the Agreement by its representative whose signature is set forth at the end of the Agreement has been duly authorized by all necessary corporate or organizational action of such Party; and (iv) when executed and delivered by both parties, the Agreement will constitute the legal, valid, and binding obligation of such Party, enforceable against such Party in accordance with its terms.
(b) Additional Supplier Representations, Warranties, and Covenants.
(i) Software. Supplier warrants that the Software will perform in material conformance with the Documentation. As Customer’s sole remedy for any breach of this warranty, if Customer provides notice to Supplier of any reproducible incidence of non-conformance within thirty (30) days of discovering any such non-conformance, Supplier will use commercially reasonable efforts to correct such non-conformance, provided such non-conformance is not caused by: (A) negligence, gross negligence, or intentional misconduct on the part of Customer or any of its Authorized Users, (B) Customer’s failure to use the Software in accordance with the terms of the Agreement, (C) Third Party Content or any other product or service not provided by Supplier, its Affiliates, or its Personnel, or (D) Harmful Code, to the extent that such Harmful Code was not introduced as a result of Supplier’s negligence, gross negligence, or intentional misconduct.
(ii) Hardware. Customer acknowledges and agrees that Supplier expressly disclaims any and all express or implied warranties relating to any Hardware manufactured by a third-party manufacturer. Supplier shall use commercially reasonable efforts to pass through to Customer the benefit of any warranties by such third-party manufacturer. Customer expressly agrees that it shall have no claim or cause of action against Supplier in the event the third-party manufacturer is for any reason unwilling or unable to perform under the terms of any warranty. Supplier warrants that Hardware manufactured by Supplier shall perform in material conformance with the Documentation for a period of one (1) year following the date of delivery of such Hardware. As Customer’s sole remedy for any breach of this warranty, if Customer delivers the Hardware to Supplier in accordance with Supplier’s instructions, Supplier will use commercially reasonable efforts to correct such non-conformance, provided such non-conformance is not caused by negligence, gross negligence, or intentional misconduct on the part of Customer or any of its Authorized Users, or Customer’s failure to use the Hardware in accordance with the terms of the Agreement.
(iii) Services. Supplier warrants that the Services will be performed in a professional manner consistent with generally accepted industry standards for the Services. As Customer’s sole remedy for any breach of this warranty, if Customer provides notice to Supplier of any documented incidence of non-conformance within thirty (30) days of discovering any such non-conformance, Supplier will use commercially reasonable efforts to correct such non-conformance, provided such non-conformance is not caused by: (A) Customer’s failure to adhere to its obligations under the Agreement, including but not limited to any assumptions set forth in an Order Form, or (B) Third-Party Content or any other product or service not provided by Supplier, its Affiliates, or its Personnel.
(iv) Service Level Agreements. Service Level Agreements, to the extent that there are any, are those terms which are clearly identified as such in an Order Form, or the PSTs for a particular Product (“SLA”). Supplier’s failure to meet a particular SLA shall not be a breach of warranty under Section 9(b)(i), unless and only to the extent that the SLAs expressly state otherwise. Supplier’s sole and exclusive remedy for Supplier’s failure to meet a particular SLA will be as set forth in the SLAs.
(c) Additional Customer Representations, Warranties, and Covenants. Customer represents, warrants, and covenants to Supplier that Customer (i) has complied with all applicable laws and regulations, including but not limited to those applicable to the collection and use of Customer Data in connection with this Agreement, and (ii) owns or otherwise has and will have the necessary rights and consents in and relating to the Customer Data so that, as received by Supplier and processed in accordance with the Agreement, including any DPA, they do not and will not infringe, misappropriate, or otherwise violate any IP Rights, or any privacy or other rights of any third party or violate any applicable law or regulation. To the extent that any Customer Data was collected first by a third-party, such as a data broker, Customer further represents, warrants, and covenants to Supplier that it has a written agreement with any such third-party which requires that third-party to comply with all applicable laws and regulations, including but not limited to those applicable to the collection and use of the data obtained from that third-party.
(d) DISCLAIMERS. EXCEPT FOR THE WARRANTIES PROVIDED IN THIS SECTION 9 AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, CUSTOMER ACKNOWLEDGES THAT THE PRODUCTS, AND THIRD-PARTY CONTENT ARE PROVIDED “AS IS” AND “WITH ALL FAULTS,” AND SUPPLIER DISCLAIMS ALL OTHER WARRANTIES, REPRESENTATIONS, GUARANTEES OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTY AND CONDITION OF MERCHANTABLE QUALITY, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, OR THE USE OF REASONABLE SKILL AND CARE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, SUPPLIER DOES NOT WARRANT THAT THE PRODUCTS WILL MEET ALL OF CUSTOMER’S REQUIREMENTS, OR THAT THEIR OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. SUPPLIER MAKES NO EXPRESS OR IMPLIED WARRANTIES, REPRESENTATIONS, GUARANTEES OR CONDITIONS WITH RESPECT TO ANY THIRD-PARTY CONTENT PROVIDED WITH OR AS PART OF THE PRODUCTS. SUPPLIER’S LIMITED WARRANTIES DO NOT APPLY TO ANY PRODUCTS WHICH HAVE BEEN MODIFIED OR ALTERED IN ANY MANNER BY ANYONE OTHER THAN SUPPLIER, ITS AFFILIATES, OR ITS PERSONNEL. Some jurisdictions may not allow the exclusion of certain or any express or implied warranties, representations, guarantees, or conditions, so the above disclaimers may not apply to Customer. Nothing in the Agreement excludes, restricts, or modifies any right or remedy, or any guarantee, representation, warranty, condition or other term, implied or imposed by any applicable law which cannot lawfully be excluded or limited. The Parties agree that it is Customer’s responsibility to determine if the Products are suitable for Customer’s requirements. No other terms, conditions, representations, warranties or guarantees, whether written or oral, express or implied, will form a part of the Agreement or have any legal effect whatsoever.
10. Limitation of Liability.
Supplier’s entire liability under the Agreement or in any way related to the Products will be limited to direct damages in an amount equal to the Fees paid by Customer to Supplier under the Agreement during the twelve (12) month period immediately preceding the first event giving rise to the claim. Supplier will not be liable for: (i) any special, indirect, incidental or consequential damages arising from or related to the Agreement or in any way related to the Products; or (ii) any loss of revenue, profits, goodwill or data (including due to a virus or otherwise), business interruption, failure to realize expected savings, corruption of data, or claims against Customer by any third party other than as set out in section 8 (in each case whether direct or indirect), even if Supplier is advised of the possibility of such damages in advance. These limitations will apply regardless of how the claim arises, including for breach of contract, tort, negligence or otherwise, and will apply to all Order Forms and any other document related to the Agreement. The foregoing limitations of liability allocate the risks between Supplier and Customer and form a material basis of the bargain between the Parties. Supplier’s pricing reflects this allocation of risk and the limitation of liability specified herein.
11. Term and Termination.
(a) Term. The initial term of an Order Form, as applicable, will commence on the effective date set forth in the Order Form (the “Effective Date”) and will continue thereafter for the period as set out in the Order Form (“Initial Term”), unless terminated earlier by Supplier or Customer in accordance with the terms of the Agreement. If no effective date is specified in an Order Form, the effective date of such Order Form shall be the date of final signature. Unless otherwise specified in an Order Form, an Order Form will automatically renew at the then-current Usage Metrics for additional recurring periods equal to the lesser of (i) the length of the Initial Term, or (ii) one (1) year (each being a “Renewal Term” and, collectively, with the Initial Term, the “Term”), unless either Party provides the other Party with one hundred eighty (180) days written notice prior to the conclusion of an Initial Term or any Renewal Term, as applicable, that is one (1) year or greater, or with thirty (30) days written notice prior to the conclusion of an Initial Term or any Renewal Term, as applicable, that is less than one (1) year. All terms and conditions hereof shall remain in effect during any Renewal Term, except as otherwise stated in the Agreement or expressly agreed to by the Parties in writing. The term of these GTCs and the Agreement shall align with the Term of the Order Form which incorporates these GTCs.
(b) Suspension.
(i) Failure to Pay Fees. Upon fifteen (15) days prior written notice to Customer (including without limitation any notice of late or past due payment), Supplier may suspend (A) Customer’s right to use any Software, including any Updates thereto, and/or (B) the provision of any Services, for as long as any undisputed Fees are delinquent and remain unpaid. An invoice which indicates a past due amount shall satisfy the notice requirements of this Section 11(b)(i).
(ii) Misuse. Upon fifteen (15) days prior written notice to Customer, Supplier may suspend Customer’s right to use any Product which is not being used in conformance with the terms of the Agreement for as long as any such nonconformity remains uncured. Notwithstanding the foregoing, if any such nonconformity is, in Supplier’s sole discretion, likely to cause material harm or risk of harm to Supplier, its Affiliates, its Personnel, or the Products, Supplier may suspend Customer’s right to use the Product immediately without notice to Customer.
(iii) Additional Terms. In the event of any suspension under this Section 11(b), (A) Supplier shall not be precluded from exercising any additional remedies that might be available to it under the terms of the Agreement or otherwise, (B) the Term will not be extended and no Fees will be refunded to account for any period of suspension, and (C) Customer forfeits all right to use the Products and any Supplier Materials, including without limitation Supplier’s Confidential Information, during the period of suspension, except to the extent that Supplier gives Customer its prior written consent to use any of the foregoing to cure the default that led to the suspension. Any written notice provided under this Section 11(b) shall also satisfy the written notice requirements of Section 11(c) below. Any choice by Supplier to forego suspension under this Section 11(b) shall not be construed as a waiver of any rights under the Agreement or otherwise.
(c) Termination by Supplier. Supplier has the right to terminate the Agreement or any portion thereof, if Customer is in default of any material term or condition of the Agreement, and fails to cure such default within thirty (30) days after receipt of written notice of such default. Without limitation, it will be deemed a Customer default under the Agreement if Customer fails to pay any amount when due hereunder. Supplier may terminate the Agreement immediately if: (i) Customer uses a Product in a way that violates any law or is causing, or is reasonably expected to cause, material harm to Supplier, its Affiliates, its Personnel, or the Products; or (ii) Customer becomes insolvent, a receiver, administrator, controller or a liquidator is appointed to Customer, Customer assigns any of its property for the benefit of creditors or any class of them or any proceedings have been commenced by or against Customer under any bankruptcy, insolvency or similar laws.
(d) Termination by Customer. Customer has the right to terminate the Agreement, or any portion thereof, if Supplier is in default of any material term or condition herein, and fails to cure such default within thirty (30) days after receipt of written notice of such default or if Supplier becomes insolvent or any proceedings are to be commenced by or against Supplier under any bankruptcy, insolvency or similar laws.
(e) Effect of Termination and Expiration. Upon termination or expiration of the Agreement, or any portion thereof, for any reason, any and all amounts owed to Supplier pursuant to the Agreement, or the portion of the Agreement which has terminated or expired, will be immediately due and payable, and all rights, or those rights attributable to the portion of the Agreement which has terminated or expired, granted to Customer hereunder will be immediately revoked and terminated. The obligations of the Parties and the provisions of the Agreement which are expressly stated to survive, or may be reasonably expected to survive, shall survive the expiration or termination of the Agreement, including without limitation Sections 6, 7(c), 8, 10, 13 and 14 of the Agreement.
12. Assignment.
Neither Party may assign its rights or obligations hereunder without the prior written consent of the other Party, except Supplier may assign the Agreement to any of its Affiliates without consent of Customer, provided that the Agreement will bind and inure to the benefit of any Supplier successor or assignee. Notwithstanding the foregoing, if Customer is acquired by, sells substantially all of its assets to, or undergoes change of control in favor of, a direct competitor of the other Party, then Supplier may terminate the Agreement with immediate effect upon written notice.
13. Governing Law
(a) The law that will apply to any question of interpretation regarding the Agreement, any question of the existence of the Agreement, or a lawsuit arising out of or in connection with the Agreement, and which courts have jurisdiction over any such lawsuit, depend on the country of incorporation or organization, as applicable, of Customer, and will be determined as follows:
| Customer Country of Incorporation: | Governing Law: | Courts Having Jurisdiction: |
| --- | --- | --- |
| The United States of America, Mexico or a Country in Central or South America or the Caribbean | The laws of the State of Maryland and the federal laws of the United States applicable in that state. | (a) The United States District Court for the District of Maryland (to the extent it has subject matter jurisdiction), or (b) the courts of the State of Maryland in Baltimore County |
| Canada | The laws of the Province of Ontario and the laws of Canada applicable in that province. | Toronto, Ontario |
| The United Kingdom or Another Country in Europe, the Middle East or Africa | The laws of England and Wales. | England and Wales |
| Australia or a Country in Asia or the Pacific Region | The laws of the State of New South Wales and the laws of the Commonwealth of Australia applicable in that state. | Sydney, Australia |
(b) Each Party agrees to the applicable governing law above without regard to choice or conflicts of law rules, and, subject to the availability of injunctive relief pursuant to Section 5(c) (Confidentiality) and to Section 12 (Dispute Resolution), to the jurisdiction of the applicable courts above. The parties exclude the operation of the United Nations Convention on Contracts for the International Sale of Goods.
14. Disputes.
Upon any dispute, controversy or claim between the parties, each of the parties will designate a representative from senior management to attempt to resolve such dispute. The designated representatives will negotiate in good faith in an effort to resolve the dispute over a period of thirty (30) days. If the dispute is not resolved in this 30-day period, the parties will submit the dispute to binding arbitration in the appropriate jurisdiction listed in Section 13(a), by a single arbitrator independent of both parties who is skilled in the legal and business aspects of the software industry. The parties agree that the arbitrator’s fee shall be shared equally between the parties and that each Party shall be responsible for its costs, legal and otherwise, in relation to the arbitration, unless the arbitrator decides that the circumstances justify an award of costs. The arbitration shall be conducted in the English language and shall take place in accordance with arbitration rules and in the location set forth in the below chart, depending on the country of incorporation or organization, as applicable, of Customer. Nothing in this Section 14 shall limit the ability of a Party to seek injunctive relief.
| Customer Country of Incorporation: | Applicable Arbitration Rules: | Location of Arbitration: |
| --- | --- | --- |
| The United States of America, Mexico or a Country in Central or South America or the Caribbean | Commercial Arbitration Rules of the American Arbitration Association | Baltimore County, Maryland |
| Canada | Canadian Arbitration Association | Toronto, Ontario |
| The United Kingdom or Another Country in Europe, the Middle East or Africa | London Court of International Arbitration | London, England |
| Australia or a Country in Asia or the Pacific Region | Australian Centre for Commercial Arbitration | Sydney, Australia |
15. General
(a) Export Compliance. The Products, and derivatives thereof, may be subject to export laws and regulations. Each Party represents that it is not named on any U.S. government denied-party list. Customer shall not permit access or use of the Products in a U.S.-embargoed country, EU-embargoed country, or United Nations-embargoed country or in violation of any other applicable embargo, export law or regulation.
(b) Anti-Corruption. Customer represents to Supplier that it has not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any of Supplier’s employees or agents in connection with the Agreement. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction. If Customer learns of any violation of the above restriction, Customer will use reasonable efforts to promptly notify Supplier.
(c) Subcontractors. Supplier reserves the right to make use of subcontractors to provide or develop any of the Products and to use such means as Supplier, in its sole discretion, considers appropriate. Supplier’s use of subcontractors shall not relieve Supplier of its obligations under the Agreement.
(d) Non-Solicitation. During the Term of the Agreement and for a period of one (1) year following the termination of the Agreement, each Party hereto agrees not to solicit, recruit or employ any employee of the other Party without the prior written consent of an authorized representative of the other Party. For purposes of this section, the term “employee,” shall include any person with such status at any time during the six (6) months preceding any solicitation in question. For the avoidance of doubt, the foregoing restriction shall not apply to the following forms of solicitation (and resulting employment): (i) a Party using general bona fide solicitations directed at the public or industry participation in general in publications or internet resources not specifically targeted at employees of the other Party, or employing any person who responds to such solicitations; (ii) using search firms, or hiring any persons solicited by such search firms, so long as such firms are not advised by a Party to solicit employees of the other Party; or (iii) soliciting any person who has left the employment of the other Party prior to the date of the Agreement.
(e) Notices. All notices will be in writing, and will be deemed to be delivered upon (i) personal delivery; (ii) one business day after being delivered by reputable international shipping service to the address of the applicable Party set forth on the most recent Order Form, or if no such address exists, the last known address available to the Party providing notice; or (iii) when delivered by electronic mail (with confirmation of delivery) to the Parties at the email addresses shown on the most recent Order Form, or if no such email address exists, the last known email address available to the Party providing notice, except for notices of termination or an indemnifiable claim (“Legal Notices”) which cannot be delivered electronically. Each Party may modify its recipient of notices by providing notice pursuant to this Section 15(e).
(f) Entire Agreement; Order of Precedence; Severability. The Agreement constitutes the entire agreement between the Parties with respect to the subject matter of the Agreement and supersedes all proposals, oral and written, and all previous negotiations and communications between the Parties and their representatives with respect to the subject matter of the Agreement, including any prior Supplier terms and conditions governing the supply of any Products by Supplier for any existing Order Form. Each Party acknowledges that, in entering into the Agreement, it does not rely on any statement, representation, assurance or warranty (whether it was made negligently or innocently) of any person (whether a Party to the Agreement or not) other than as expressly set out in the Agreement. The Agreement will prevail over terms and conditions of any Customer-issued purchase order, which will have no force and effect, even if Supplier accepts or does not otherwise reject the purchase order. In the event of conflict between these GTCs and an Order Form, the terms of the Order Form shall control, but only as to that Order Form. In the event of a conflict between the DPA and any other component of the Agreement, the DPA shall control. If any provision contained herein or part thereof is determined to be void or unenforceable in whole or in part by a court of competent jurisdiction, such invalid provision or part thereof shall be deemed not to affect or impair the validity or enforceability of any other provision or part thereof contained herein, all of which remaining provisions or parts thereof shall be and remain in full force and effect.
(g) Amendment. Customer acknowledges and agrees that Supplier may, in its sole discretion, modify these GTCs from time to time, and that any such modifications become effective thirty (30) days after the date that Supplier provides the updated GTCs to Customer, which may be done by providing Customer with a URL that hosts the updated GTCs. Customer is responsible for reviewing and becoming familiar with the updated GTCs. If, prior to the effective date of the updated GTCs, Customer notifies Supplier of its objection to a modification of the GTCs which would result in a material degradation of Customer’s rights or Supplier’s obligations to Customer under the GTCs, then Supplier shall either conduct good faith negotiations of only those modifications which would result in such a material degradation, or, upon thirty (30) days’ notice to Customer, terminate the Agreement. Notwithstanding anything in the Agreement to the contrary, the termination right set forth in this Section shall be in addition to any other termination right Supplier may otherwise have under the Agreement. If Supplier exercises its right to terminate pursuant to the terms of this Section, Customer shall be entitled to a Pro-Rata Refund of any Fees already paid by Customer for the affected Products, calculated from the effective date of any such termination. Customer’s failure to object prior to the effective date of the updated GTCs shall be deemed acceptance of the updated GTCs. Except for Supplier’s right to update these GTCs pursuant to this Section, and except as otherwise agreed to in an Order Form, the Agreement may only be modified by written amendment signed by the Parties.
(h) Non-Waiver. Except as expressly stated in the Agreement, no term of the Agreement will be deemed waived, and no breach of a term excused, unless the waiver or excuse is provided in writing and signed by the Party issuing it.
(i) Force Majeure. Neither Party will be liable for any delay or failure to perform its obligations under the Agreement, except for Customer’s payment obligations, due to any cause beyond the Party’s reasonable control, which may include labor disputes or other industrial disturbances, systemic electrical, telecommunications or other utility failures, earthquakes, storms or other acts of nature, pandemic, embargoes, riots, acts or orders of government, acts of terrorism, or war (each a “Force Majeure Event”). The affected Party shall be excused from performance for as long as the Force Majeure Event continues, provided that the affected Party uses commercially reasonable efforts to mitigate the effect of the Force Majeure Event and resume performance.
(j) Audit. Supplier may audit Customer’s use of the Products (e.g., through use of software tools or otherwise) to assess whether Customer’s use of the Products is in accordance with the terms of the Agreement. Customer agrees to cooperate with Supplier’s audit and provide reasonable assistance and access to information. Any such audit shall not unreasonably interfere with Customer’s normal business operations. Customer agrees to pay, within thirty (30) days of written notification to Customer, any fees applicable to Customer’s use of the Products in excess of the applicable Usage Metrics. Supplier shall bear all costs of the Audit, except for any of Customer’s costs incurred in cooperating with the audit.
(k) Independent Contractors. The relationship of the Parties established by the Agreement is that of independent contractors. The Agreement does not establish an agency, joint venture or partnership relationship between Supplier and Customer. Supplier and its personnel, agents, subcontractors, and other entities which represent Supplier, are acting as independent contractors and not as employees or agents of Customer. Nothing in the Agreement will be construed to permit either Party to bind the other or to enter into obligations on behalf of the other Party.
Schedule A
Support Services and Maintenance Services
Subject to the terms and conditions of the GTCs, the Supplier shall provide any Support Services and Maintenance Services included on an Order Form for the applicable Term in accordance with the terms of this Schedule.
1. SOFTWARE SUPPORT AND MAINTENANCE SERVICES
1.1 Software Support Services. The Supplier shall provide Personnel during Regular Business Hours during the Term to provide: telephone, email or internet based support service through which the Customer can report faults with the operation of the Supplier’s Software, and the Supplier can investigate and diagnose such reported issues.
1.2 Software Maintenance Services. The Supplier shall provide Personnel during Regular Business Hours during the Term to confirm, prioritise and use commercially reasonable efforts to correct reported errors, bugs and failures of the Supplier’s Software as necessary to comply in all material respects with the specification set forth in the Documentation. Such corrections may be planned and scheduled for delivery in future software updates and releases, as issued from time to time.
1.3 Upon an issue being reported to the Supplier, the Supplier shall assign an internal log number to the issue and shall where possible suggest an immediate remedy, failing which Supplier shall use reasonable endeavours to: (a) remedy the issue, if possible; or (b) implement a temporary solution for circumventing a fault (workaround) until a permanent remedy becomes possible.
1.4 Unless otherwise agreed in writing by the Supplier, all Software Support Services and Maintenance Services shall be performed remotely.
1.5 Enhancement requests will be considered but will not necessarily be included in future releases of the Software.
2. HARDWARE
2.1 Where the Customer has contracted for the provision of Hardware Maintenance Services as set forth on an Order Form, on the Customer informing the Supplier that the Hardware is malfunctioning or has failed or is otherwise not in good working order, the Supplier shall investigate the issue and where it is diagnosed as a fault requiring on-site engineering, will visit — or will liaise with the maintenance provider (if provided by a third party) to visit — the Support Service Location within Core Hours to complete the repair or remove the Hardware for repair off-site.
2.2 The Supplier shall use reasonable efforts to provide the Hardware Maintenance Services within the response times set out in the Order Form or other Documentation.
2.3 The Customer shall:
2.3.1 ensure that the Hardware is installed and kept at the support service location identified in the Order Form or other Documentation (“Support Service Location”), under suitable conditions, and permit only trained and competent personnel to use it and follow any operating instructions as the Supplier may give from time to time;
2.3.2 notify the Supplier promptly if the Hardware is discovered to be operating incorrectly;
2.3.3 at all reasonable times permit full and free access to the Support Service Location and the Hardware to the Supplier, its employees, contractors and agents, and provide them with adequate and safe working space, and any telecommunications facilities as are reasonably required to enable the Supplier to perform the Hardware Maintenance Services while at the Support Service Location;
2.3.4 provide the Supplier with any information that is reasonably requested in the performance of the Hardware Maintenance Services;
2.3.5 take any steps reasonably necessary to ensure the safety of the Supplier’s and its contractors’ personnel when attending the Support Service Location;
2.3.6 not allow any person other than the Supplier and its contractor to maintain, alter, modify or adjust the Hardware without the prior written approval of the Supplier;
2.3.7 not move the Hardware from the Support Service Location without the prior written approval of the Supplier (such approval not to be unreasonably withheld or delayed);
2.3.8 store any reserve equipment only in conditions approved by the Supplier, and make this equipment available for periodic maintenance, as with all other Hardware; and
2.3.9 only use supplies or materials supplied or approved by the Supplier (such approval not to be unreasonably withheld or delayed).
2.4 The Supplier may engage any approved sub-contractor to fulfil the Hardware Maintenance Services on the Supplier’s behalf. The Supplier shall have the sole discretion to approve a sub-contractor.
3. EXCLUSIONS
3.1 The Customer shall provide such information and assistance as the Supplier may reasonably request in order for the Supplier to provide the Support Services, including remote access, failing which the Supplier shall have no obligation to provide the Support Services.
SCHEDULE B
DATA PROCESSING AGREEMENT
Data Processing Agreement (DPA)
This Data Processing Agreement and its Attachments (“DPA”) between Catalyst Computer Systems Ltd., a company registered in England with number 02382593 whose registered office is Granite House, 58 Loughborough Road, Mountsorrell, Leicestershire, LE12 7AT (“Vendor”) and the entity identified as “Customer” in a written or electronic agreement for the provision of any Vendor products or services to Customer (the “Agreement”) shall apply to the extent that (i) Vendor Processes Personal Data on behalf of the Customer, and (ii) the Agreement expressly incorporates this DPA by reference.
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon signature or its incorporation into the Agreement, which incorporation may be specified in the Agreement or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
The term of this DPA shall follow the Term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.
1. Definitions
“California Personal Information” means Personal Data that is subject to the protection of the CCPA.
“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
“Consumer,” “Business,” “Sell” and “Service Provider” shall have the meanings given to them in the CCPA.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws and the CCPA; in each case to the extent applicable and as amended, repealed, consolidated or replaced from time to time.
“Data Subject” means the individual to whom Personal Data relates.
“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
“European Data Protection Laws” means data protection laws applicable in the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom, including:
(i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”);
(ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector;
(iii) applicable national implementations of (i) and (ii); or GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and
(iv) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.
“Instructions” means the written, documented instructions issued by Customer, whether acting as a Controller or a Processor acting on behalf of a Controller, to Vendor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
“Onward Transfer” means a transfer of Personal Data from a third-party, such as a Processor, to a fourth-party, such as a Sub-Processor.
“Permitted Affiliates” means any of Customer’s Affiliates that:
(i) Are permitted to use the Products pursuant to the Agreement, but have not signed their own separate agreement with Vendor and are not a “Customer” as defined under the Agreement;
(ii) Qualify as a Controller, or Processor on behalf of a Controller, of Personal Data Processed by Vendor; and
(iii) Are subject to European Data Protection Laws.
“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Vendor and/or its Sub-Processors in connection with the provision of the Products. “Personal Data Breach” shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the standard contractual clauses approved pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021, the relevant portions of which are attached to this DPA as Attachment 3 and Attachment 4, as they may be amended, superseded, or replaced. For the Processing of Personal Data that is subject to the UK GDPR, the Standard Contractual Clauses also include the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses attached to this DPA as Attachment 5, as it may be amended, superseded, or replaced.
“Sub-Processor” means any third-party Processor engaged by Vendor to carry out specific Processing activities in accordance with the Instructions and subject to further limitations set forth in this DPA.
“Third Country” means, for the Processing of Personal Data that is subject to the GDPR, a country that is not a member of the European Union as well as a country or territory whose citizens do not enjoy the European Union right to free movement, as defined in Art. 2(5) of the Regulation (EU) 2016/399 (Schengen Borders Code), and, for the Processing of Personal Data that is subject to the UK GDPR, a country or territory outside the United Kingdom.
2. Customer Responsibilities
(a) Compliance with Laws. Within the scope of the Agreement and in its use of the services, Customer shall be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to Vendor.
In particular but without prejudice to the generality of the foregoing, Customer acknowledges and agrees that it shall be solely responsible for:
(i) the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Personal Data;
(ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes);
(iii) ensuring it has the right to transfer, or provide access to, the Personal Data to Vendor for Processing in accordance with the terms of the Agreement (including this DPA);
(iv) ensuring that its Instructions to Vendor regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and
(v) complying with all laws (including Data Protection Laws) applicable to any content created, sent or managed through the Products, including those relating to obtaining consents (where required) to send communications, the content of the communications, and its communication deployment practices.
Customer shall inform Vendor without undue delay if it is not able to comply with its responsibilities under this sub-section (a) or applicable Data Protection Laws.
(b) Controller Instructions. The parties agree that the Agreement (including this DPA), together with Customer’s use of the Products in accordance with the Agreement, constitute Customer’s complete and final Instructions to Vendor in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require prior written agreement between Customer and Vendor.
(c) Security. Customer is responsible for independently determining whether the data security provided for in the Products adequately meets its obligations under applicable Data Protection Laws. Customer is also responsible for its secure use of the Products, including protecting the security of Personal Data in transit to and from the Products (including to securely back up or encrypt any such Personal Data).
3. Vendor Obligations
(a) Compliance with Instructions. Vendor shall only Process Personal Data for the purposes described in this DPA, including Attachment 1, or as otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise required by applicable law. Vendor is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not generally applicable to Vendor.
(b) Conflict of Laws. If Vendor becomes aware that it cannot Process Personal Data in accordance with Customer’s Instructions due to a legal requirement under any applicable law, Vendor will:
(i) promptly notify Customer of that legal requirement to the extent permitted by the applicable law; and
(ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Customer issues new Instructions with which Vendor is able to comply. If this provision is invoked, Vendor will not be liable to Customer under the Agreement for any failure to provide the applicable Products until such time as Customer issues new lawful Instructions with regard to the Processing.
(c) Security. Vendor shall implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Attachment 2 to this DPA (“Security Measures”). Notwithstanding any provision to the contrary, Vendor may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
(d) Confidentiality. Vendor shall ensure that any personnel whom Vendor authorizes to Process Personal Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.
(e) Personal Data Breaches. Vendor will notify Customer without undue delay after it becomes aware of any Personal Data Breach and shall provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer. At Customer’s request, Vendor will promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws.
(f) Deletion or Return of Personal Data. Vendor will delete or return all Personal Data (including copies thereof) Processed pursuant to this DPA on termination or expiration of the Products in accordance with the procedures and timeframes set out in the Agreement, save that this requirement shall not apply to the extent Vendor is required by applicable law to retain some or all of the Personal Data, or to Personal Data Vendor has archived on back-up systems, which data Vendor shall securely isolate and protect from any further Processing and delete in accordance with its deletion practices.
4. Data Subject Requests
Vendor may provide Customer with a number of controls that Customer may use to retrieve, correct, delete or restrict Personal Data, which Customer may use to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).
To the extent that Customer is unable to independently address a Data Subject Request through the Products, then upon Customer’s written request Vendor shall provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. Customer shall reimburse Vendor for the commercially reasonable costs arising from this assistance.
If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Vendor, Vendor will, to the extent that Vendor can identify Customer as the Controller for the Personal Data in question through its standard due diligence processes, promptly inform Customer and will advise the Data Subject to submit their request to Customer. Customer shall be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
5. Sub-Processors
Customer agrees that Vendor may engage Sub-Processors to Process Personal Data on Customer’s behalf. Vendor has currently appointed, as Sub-Processors, the entities on its list of Sub-Processors, which is located at https://www.catalyst-uk.com/subprocessors/. Any desired changes to the list of Sub-Processors must follow the amendment process set forth in Section 9(a) of this DPA.
Where Vendor engages Sub-Processors, Vendor will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. Vendor will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Vendor to breach any of its obligations under this DPA.
6. Data Transfers
Customer acknowledges and agrees that Vendor may access and Process Personal Data on a global basis as necessary to provide the Products in accordance with the Agreement, and, in particular, that Personal Data will be transferred to and Processed by Vendor in the United States and in other jurisdictions where Vendor and its Sub-Processors have operations. Vendor shall ensure such transfers are made in compliance with the requirements of Data Protection Laws.
7. Additional Provisions for European Data
(a) Scope. This Section 7 (Additional Provisions for European Data) shall apply only with respect to European Data.
(b) Roles of the Parties. When Vendor is Processing European Data in accordance with Customer’s Instructions, the parties acknowledge and agree that Customer is the Controller, or a Processor acting on behalf of a Controller, of European Data, and Vendor is the Processor.
(c) Instructions. If Vendor believes that an Instruction of Customer infringes European Data Protection Laws (where applicable), it will inform Customer without delay.
(d) Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to Vendor, and Customer does not otherwise have access to the required information, Vendor will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.
(e) Transfer Mechanisms for Data Transfers.
(i) Vendor will not perform an Onward Transfer of Personal Data except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or binding order of a governmental body.
(ii) Subject to Section 7(e)(v), the Standard Contractual Clauses will only apply to Customer Data that is transferred, either directly or via Onward Transfer, to any Third Country, (each a “Data Transfer”).
(iii) When Customer is acting as a Controller, the Controller-to-Processor Clauses set forth in Attachment 3 to this DPA will apply to a Data Transfer.
(iv) When Customer is acting as a Processor, the Processor-to-Processor Clauses set forth in Attachment 4 to this DPA will apply to a Data Transfer. Taking into account the nature of the Processing, Customer agrees that it is unlikely that Vendor will know the identity of Customer’s Controllers because Vendor has no direct relationship with Customer’s Controllers; therefore, Customer will fulfill Vendor’s obligations to Customer’s Controllers under the Processor-to-Processor Clauses.
(v) The Standard Contractual Clauses will not apply to a Data Transfer if Vendor has adopted Binding Corporate Rules for Processors or an alternative recognized compliance standard for lawful Data Transfers.
(vi) If and to the extent the Standard Contractual Clauses (where applicable) conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.
(f) Demonstration of Compliance. Vendor shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Customer, in order to assess compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit and inspection rights under this DPA by instructing Vendor to supply, on a confidential basis, (i) a summary copy of an independently validated report of its security programs (e.g. SOC 2, Type II Report), or its hosting provider’s security programs if Vendor does not host the Personal Data itself, or (ii) if Vendor does not have such a report, written responses to all reasonable requests for information made by Customer necessary to confirm Vendor’s compliance with this DPA. Customer shall not exercise this right to audit and inspect more than once per calendar year.
8. Additional Provisions for California Personal Information
(a) Scope. This Section 8 (Additional Provisions for California Personal Information) shall apply only with respect to California Personal Information.
(b) Roles of the Parties. When processing California Personal Information in accordance with Customer’s Instructions, the parties acknowledge and agree that Customer is a Business and Vendor is a Service Provider for the purposes of the CCPA.
(c) Responsibilities. The parties agree that Vendor will process California Personal Information as a Service Provider strictly for the purpose of providing the Products under the Agreement (the “Business Purpose”), or as otherwise permitted by the CCPA. The parties agree that Vendor shall not:
(i) Sell California Personal Information (as defined in the CCPA);
(ii) retain, use, or disclose California Personal Information for a commercial purpose other than for the Business Purpose or as otherwise permitted by the CCPA; or
(iii) retain, use, or disclose California Personal Information outside of the direct business relationship between Customer and Vendor.
(d) Certification. Vendor certifies that it understands and will comply with the restrictions set out in Section 8(c) (Responsibilities).
9. General Provisions
(a) Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to Section 3(a) (Compliance with Instructions), or Section 3(c) (Security), Vendor reserves the right to make any updates and changes to this DPA or list of Sub-Processors, and that any such modifications become effective thirty (30) days after the date that Vendor either (1) notifies Customer that the updated DPA or list of Sub-Processors has been posted to a particular URL, or (2) distributes the updated DPA or list of Sub-Processors to any known point-of-contact for Customer. Customer is responsible for reviewing and becoming familiar with the updated DPA or list of Sub-Processors. If, prior to the effective date of the updated DPA, Customer notifies Vendor of its objection to any modification of the DPA or list of Sub-Processors, then Vendor shall either (i) negotiate with Customer in good faith to resolve any such objection, or (ii) upon thirty (30) days’ notice to Customer, terminate the DPA and any Products which are dependent upon its execution. If Vendor exercises its right to terminate pursuant to the terms of this Section, Customer shall be entitled to a pro-rata refund of any Fees already paid by Customer for the affected Products, calculated from the effective date of any such termination.
(b) Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.
(c) Limitation of Liability. Each party’s liability, and where applicable, each of Customer’s Affiliates’ liability, arising out of or related to this DPA, including the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability set out in the Agreement. In no event shall either party’s liability be limited with respect to any individual Data Subject’s data protection rights under this DPA (including the Standard Contractual Clauses) or otherwise.
(d) Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
10. Parties to this DPA
(a) Permitted Affiliates. By executing the Agreement, Customer enters into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of itself and in the name and on behalf of its Permitted Affiliates. Each Permitted Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the purposes of this DPA only, the term “Customer” shall include Customer and such Permitted Affiliates.
(b) Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
(c) Remedies. Except where applicable Data Protection Laws require a Permitted Affiliate to exercise a right or seek any remedy under this DPA against Vendor directly by itself, the parties agree that: (i) solely the Customer entity that is the contracting party to the Agreement shall exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all communication with Vendor under the DPA and is entitled to make and receive any communication related to this DPA on behalf of its Permitted Affiliates.
Attachment 1 – Details of Processing
This Attachment forms part of the DPA.
A. Nature and Purpose of Processing
Vendor will Process Personal Data as necessary to provide the Products pursuant to the Agreement, as further specified in an Order Form or SOW, and as further instructed by Customer in its use of the Products.
B. Duration of Processing
Subject to the “Deletion or Return of Personal Data” section of this DPA, Vendor will Process Personal Data for the duration of the Agreement only, unless otherwise agreed in writing.
C. Categories of Data subjects
Customer may utilize Personal Data in the course of using the Products, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
Customer’s Contacts and other end users including Customer’s employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Customer’s end users.
D. Categories of Personal Data
Customer may utilize Personal Data in the course of using the Products, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to the following categories of Personal Data:
- Contact Information (e.g. name, email address, phone number, online user name(s), telephone number, and similar information).
- Any other Personal Data submitted by, sent to, or received by Customer, or Customer’s end users, including but not limited to via the Products.
E. Special categories of data (if appropriate)
The parties do not anticipate the transfer of special categories of data.
F. Processing operations
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
a. Storage and other Processing necessary to provide, maintain and improve the Products provided to Customer; and/or
b. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
Attachment 2 – Security Measures
This Attachment forms part of the DPA.
Vendor currently observes the Security Measures described in this Attachment 2. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
(i) Preventing Unauthorized Product Access
Access control to premises and facilities: Measures to prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used. Physical access controls to enter premises include magnetic locks and badge readers. Physical access to interior is subdivided with restricted areas requiring additional badge access privileges. Building receptionists require guest sign-in, ID check, and printed visitor badges with visitor photograph and date of visit. Visitations are logged. Video surveillance is present at office spaces and coverage is present at interior and exterior, including face-level camera at headquarters receptionist entrance. As part of annual Security Awareness Training, staff are trained in concepts of physical security and understand procedures for contacting security personnel if needed.
Authorization: The authorization model in each of the Products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key.
(ii) Preventing Unauthorized Product Use
Vendor implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include security group assignment and traditional firewall rules.
Static code analysis: Security reviews of code stored in Vendor’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
(iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of Vendor’s employees may have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
External access to Vendor assets is restricted, following the same least privilege model, and requires two-factor authorization and authentication. External access controls are configured and monitored by Vendor IT and Security personnel.
Background checks: All Vendor employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
b) Transmission Control
In-transit: Vendor makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the Vendor products. Vendor’s HTTPS implementation uses industry standard algorithms and certificates.
At-rest: Vendor stores user passwords following policies that follow industry standard practices for security. Vendor has implemented technologies to ensure that stored data is encrypted at rest.
c) Input Control
Detection: Vendor designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Vendor personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: Vendor maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Vendor will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to Customer will be in accordance with the terms of the DPA or Agreement.
d) Availability Control
Measures to ensure that personal data are protected from accidental destruction or loss:
Vendor maintains incident response, data backup designed to maintain business operations and redundancy of critical systems and data. Vendor performs regular testing to ensure that availability supporting systems function properly.
e) Certifications
Upon request of Customer, Vendor will provide a copy of any available independently validated report of its security programs (i.e. SOC 2, Type II, ISO 27001, etc.).
Attachment 3 – Standard Contractual Clauses – Controller to Processor
This Attachment forms part of the DPA.
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 – Optional
Docking clause
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
(a) GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11
Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
(a) Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Grand Duchy of Luxembourg.
Clause 18
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of Luxembourg City.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its account or as otherwise specified in the DPA or Agreement.
Contact person’s name, position and contact details: The contact details associated with Customer’s account, or as otherwise specified in the DPA or the Agreement.
Activities relevant to the data transferred under these Clauses: The activities specified in Attachment 1 of the DPA.
Role (controller/processor): Controller
Data importer(s):
Name: ‘Vendor’ as identified in the DPA.
Address: The address of Vendor specified in the Agreement.
Contact person’s name, position and contact details: The contact details for Vendor specified in the Agreement.
Activities relevant to the data transferred under these Clauses: The activities specified in Attachment 1 of the DPA.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Categories of data subjects are specified in Attachment 1 of the DPA.
Categories of personal data transferred
The personal data is described in Attachment 1 of the DPA.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The data exporter might include sensitive personal data in the personal data described in Attachment 1 of the DPA.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal data is transferred in accordance with Customer’s instructions as described in Section 2(b) of the DPA.
Nature of the processing
The nature of the processing is described in Attachment 1 of the DPA.
Purpose(s) of the data transfer and further processing
To provide the Products.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Not applicable because the data exporter determines the duration of processing in accordance with the terms of the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter, nature and duration of the processing are described in Attachment 1 of the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
The technical and organizational measures (including any certifications held by the data importer), as well as the scope and the extent of the assistance required to respond to data subjects’ requests, are described in Attachment 2 of the DPA.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
The technical and organisational measures that the data importer will impose on sub-processors are described in the DPA.
ANNEX III
LIST OF SUB-PROCESSORS
The sub-processors used by the data importer are listed in Section 5 of the DPA.
Attachment 4 – Standard Contractual Clauses – Processor to Processor
This Attachment forms part of the DPA.
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 – Optional
Docking clause
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(a) The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
(b) The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.
(c) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.
(d) The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.
(c) The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.
(d) The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.
(e) Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
(f) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(g) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
(a) GENERAL WRITTEN AUTHORISATION The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
(a) The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.
(b) The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.
Clause 11
Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
(a) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). The data exporter shall forward the notification to the controller.
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the controller. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the controller or the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
The data exporter shall forward the notification to the controller.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). The data exporter shall forward the information to the controller.
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimization
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. The data exporter shall make the assessment available to the controller.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority and the controller of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Grand Duchy of Luxembourg.
Clause 18
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of the City of Luxembourg.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its account or as otherwise specified in the DPA or Agreement.
Contact person’s name, position and contact details: The contact details associated with Customer’s account, or as otherwise specified in the DPA or the Agreement.
Activities relevant to the data transferred under these Clauses: The activities specified in Attachment 1 of the DPA.
Role (controller/processor): Processor
Data importer(s):
Name: ‘Vendor’ as identified in the DPA.
Address: The address of Vendor specified in the Agreement.
Contact person’s name, position and contact details: The contact details for Vendor specified in the Agreement.
Activities relevant to the data transferred under these Clauses: The activities specified in Attachment 1 of the DPA.
Role (controller/processor): Sub–Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Categories of data subjects are specified in Attachment 1 of the DPA.
Categories of personal data transferred
The personal data is described in Attachment 1 of the DPA.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The data exporter might include sensitive personal data in the personal data described in Attachment 1 of the DPA.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal data is transferred in accordance with Customer’s instructions as described in Section 2(b) of the DPA.
Nature of the processing
The nature of the processing is described in Attachment 1 of the DPA.
Purpose(s) of the data transfer and further processing
To provide the Products
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Not applicable because the data exporter determines the duration of processing in accordance with the terms of the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter, nature and duration of the processing are described in Attachment 1 of the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
The technical and organizational measures (including any certifications held by the data importer) as well as the scope and the extent of the assistance required to respond to data subjects’ requests, are described in Attachment 2 of the DPA.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
The technical and organisational measures that the data importer will impose on sub-processors are described in the DPA.
ANNEX III
LIST OF SUB-PROCESSORS
The sub-processors used by the data importer are listed in Section 5 of the DPA.
Attachment 5 – International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
PART 1: TABLES
Table 1: Parties
| Start date | Upon the effective date of the DPA | |
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties’ details | Full legal name: As stated in Annex I(A) to Attachment 3 or Attachment 4 (as appropriate) of the DPA; Trading name (if different): ____; Main address (if a company registered address): As stated in Annex I(A) to Attachment 3 or Attachment 4 (as appropriate) of the DPA; Official registration number (if any) (company number or similar identifier): ____ | Full legal name: As stated in Annex I(A) to Attachment 3 or Attachment 4 (as appropriate) of the DPA; Trading name (if different): ____; Main address (if a company registered address): As stated in Annex I(A) to Attachment 3 or Attachment 4 (as appropriate) of the DPA; Official registration number (if any) (company number or similar identifier): ____ |
| Key Contact | As stated in Annex I(A) to Attachment 3 or Attachment 4 (as appropriate) of the DPA | As stated in Annex I(A) to Attachment 3 or Attachment 4 (as appropriate) of the DPA |
| Signature (if required for the purposes of Section 2) | NOT REQUIRED | NOT REQUIRED |
Table 2: Selected SCCs, Modules and Selected Clauses
| Addendum EU SCCs | x The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: June 4, 2021 Reference (if any): ____ Other identifier (if any): ____ Or __ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |
| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
| 1 | | | | | | |
| 2 | | | | | | |
| 3 | | | | | | |
| 4 | | | | | | |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
| Annex 1A: List of Parties: As stated in Annex I(A) to Attachment 3 or Attachment 4 (as appropriate) of the DPA |
| Annex 1B: Description of Transfer: As stated in Annex I(B) to Attachment 3 or Attachment 4 (as appropriate) of the DPA |
| Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As stated in Annex II to Attachment 3 or Attachment 4 (as appropriate) of the DPA |
| Annex III: List of Sub processors (Modules 2 and 3 only): As stated in Section 5 of the DPA |
Table 4: Ending this Addendum when the Approved Addendum Changes
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: x Importer ___ Exporter ___ neither Party |
PART 2: MANDATORY CLAUSES
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
| Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
| Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
| Appendix Information | As set out in Table 3. |
| Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
| Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
| Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
| ICO | The Information Commissioner. |
| Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
| UK | The United Kingdom of Great Britain and Northern Ireland. |
| UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
| UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.