THIS MASTER SERVICES AGREEMENT (“AGREEMENT”) GOVERNS YOUR ACQUISITION AND USE OF OUR SOLUTIONS AND SERVICES.
BY ACCEPTING THIS AGREEMENT, BY CLICKING A BOX INDICATING YOUR ACCEPTANCE; BY EXECUTING AN ORDER WITH US OR OUR AUTHORISED PARTNER, BY USING SUCH SOLUTIONS OR SERVICES, YOU AGREE TO THE TERMS OF THIS AGREEMENT AND THE TERMS OF OUR END USER LICENCE AGREEMENT.
IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS “YOU” OR “YOUR” SHALL REFER TO SUCH ENTITY.
IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SOLUTIONS OR SERVICES.
This Agreement was last updated on 9th November 2018. It is effective between You and Us as of the date of Your accepting this Agreement.
- Scope of this agreement
- Definitions and interpretation
- Facilities to be provided by the parties
- Supply of products
- Software license
- Hosting services
- Professional services
- Use of the deliverables
- Charges and payment
- Intellectual property rights
- Confidential information
- Data security and privacy
- Limited warranty
- Limitations and exclusions of liability
- Term and termination
- Compliance with laws
- Force majeure
- Relationships of the parties
- Third party rights
- Entire agreement
- Amendment and waiver
- Governing law and jurisdiction
Scope of this agreement
The following table describes the scope of what We might supply under this Agreement:
“Deliverables” includes:
- “Solution” means any combination of:
  - “Products” means the component parts of Our software that are individually selectable.
  - “Hosting” includes providing, configuring, operating and maintaining Our Platform.
  - “Support and Maintenance” as described in Our website.
- “Professional Services” means: Any requirement for services or assistance from Us other than Hosting, or Support and Maintenance. Set up, configuration, analyst services and training are examples of Professional Services.
Definitions and interpretation
In this Agreement: “Deliverables”, “Solution”, “Products”, “Hosting”, “Support and Maintenance” and “Professional Services” have the meanings derived from the table in clause 1.
“Charges” means any sums payable by You to Us for performance of an Order, being sums specified in the Order or, if an Order does not specifically state relevant Charges, sums calculated at Our standard rates then prevailing.
“Commercially Reasonable Efforts” means a course of conduct consistent with a reasonable effort to achieve the relevant outcome within a level of urgency, expenditure, resource constraint and risk profile that competent and commercial management would reasonably regard as proportionate to the circumstance.
“Confidential Information” means the existence of this Agreement, the terms and conditions hereof, the transactions contemplated hereby and other information, including, without limitation, customer, technical and financial information that has been or will be received in connection with this Agreement; provided that Confidential Information does not include: (i) Information that is already in the public domain through no act of the receiving party; (ii) Information already known to the receiving party, as of the date of the disclosure, unless the receiving party agreed to keep such information in confidence at the time of its original receipt; (iii) Information hereafter obtained by the receiving party, from a source not otherwise under an obligation of confidentiality with the disclosing party; and (iv) Information that is independently developed by the receiving party without reference to the information of the other party.
“Customer Facilities” means the hardware, software, and Internet connectivity that You use to access the Solution.
“Customer Group” means (i) You, (ii) any entity by whom You are wholly owned (directly or through one or more subsidiary entities) and (iii) all the entities that are wholly owned by any of those entities.
“Data Protection Law” means any federal or state statute or regulation governing the use or disclosure of any materials as well as legislation encompassing the processing of Personal Data including the Regulation (EU) 2016/679 (commonly known as the General Data Protection Regulation).
“Intellectual Property Rights” means inventions, patent applications, right to apply for patents, patents, design rights, copyrights, trademarks, service marks, trade names, domain name rights, mask work rights, know-how and other trade secret rights, and all other intellectual property rights, derivatives thereof, and forms of protection of a similar nature anywhere in the world.
“Order” means a purchase order, online order or other ordering document provided by You and approved by Us, which specifies at a minimum (i) the Deliverables, (ii) the quantities, (iii) the prices, (iv) the payment terms, and (v) the requested delivery date.
“Our Platform” means the combination of hardware, operating software, storage devices and networking that is necessary to make the Products accessible by You using the Internet. Our Platform includes all such items up to the point where they connect to the Internet and therefore does not include the Internet, Customer Facilities or items provided by You.
“Perpetual License” means a license granted by Us to You to use specified Products to be installed on Customer Facilities for an unlimited period (unless terminated as expressly stated in this Agreement) subject to payment of once only license fees (“Perpetual License Fees”).
“Subscription” means the supply by Us to You of specified Products as part of a Solution for a specified minimum period (the “Subscription Period”) subject to payment of recurring Charges (“Subscription Fees”) as documented in an Order.
“Support and Maintenance Services” means Software support and maintenance services provided by Us to You.
The word “including” used in this Agreement or an Order means “including (but not limited to)” and references to “included” or “include” are to be similarly interpreted.
3.1 You will request, and we will agree to provide, Our Solutions and Professional Services pursuant to Orders. Each Order is a separate contract incorporating the terms of this Agreement.
3.2 Any references to Deliverables complying with this Agreement or an Order are to be interpreted as requiring compliance with both the terms of this Agreement and the relevant Order.
3.3 In the event of any conflict between the terms of an Order and the terms of this Agreement, the handwritten or customized terms of the Order shall prevail. The terms of this Agreement shall supersede and prevail over the pre-printed terms of any Order.
Facilities to be provided by the parties
4.1 We shall provide, configure and maintain Our Platform at Our own risk and cost.
4.2 You shall provide, configure and maintain the Customer Facilities at Your own risk and cost.
4.3 Products might be designed for use with the Customer Facilities meeting a minimum requirement or compatible only with a specific operating environment, browser or other software applications available from third parties. The full functionality of a Solution might be undermined by incompatible configuration of the Customer Facilities (including firewalls or other security measures beyond Our control).
4.4 We continuously update, modify and enhance our Solutions and, as a consequence, the minimum requirements and compatible environments are subject to change from time to time. Upon Your request, We will provide You with details of the minimum requirements and compatible environments then prevailing for Customer Facilities.
Supply of products
5.1 It is Your responsibility to verify that the Solution is suitable in all respects for Your business needs.
5.2 Products may be supplied by reference to the number of agents, duration of use, or any other parameters We use to define the License for use of the Products. For such Products:
5.2.1 You shall limit use of the Products in accordance with such parameters for which You have paid the applicable Charges; and
5.2.2 Products may include (and You authorise Our use of) mechanisms to monitor and enforce compliance with clause 5.2.1.
6.1 All of our Products are licensed pursuant to the terms of our End User License Agreement, the terms of which are incorporated herein.
6.2 For Products supplied in the form of software-as-a-service:
6.2.1 such Products are available only in the form of software-as-a-service unless the Order expressly states that they are also supplied for installation on the Customer Facilities; and
6.2.2 You do not need, and this Agreement does not include, any grant of a software license for Products used only as a service.
6.3 For Products supplied for installation on the Customer Facilities, We hereby grant You a license to store and use such Products for the period set forth in the Order subject to the following:
6.3.1 the license is personal and non-transferrable, subject to the rights of the Company Group in clause 9 below;
6.3.2 for Products supplied with a Perpetual License, the license will continue indefinitely, subject to clause 6.4;
6.3.3 for Products supplied with a Subscription, the license continues only for the Subscription Period, subject to clause 6.4;
6.4 We may terminate any license (even for Products supplied with a Perpetual License) if you: (i) fail to pay relevant Perpetual License Fees or other Charges associated with such Products (ii) breach the terms of our End User License Agreement; or (iii) breach any other provision of this Agreement which is not cured within 30 days of our notice to you of the breach.
7.1 When an Order includes Hosting, We shall deploy the relevant Products using Our Platform.
7.2 We shall use Commercially Reasonable Efforts to resource, configure, and manage Our Platform with a specification and capacity appropriate to Your ordinary use of the Solution being hosted.
7.3 We will use Commercially Reasonable Efforts to ensure that Our Platform is available at least 99% of the time during any 90 consecutive day period (the sample period).
7.3.1 Availability is determined as follows for any given sample period: 100% x (1 - (total of all Downtime measured in hours per sample period / total hours per sample period))
7.3.2 Downtime means a reported Critical Severity Incident and excludes Maintenance Downtime and External Downtime.
7.3.3 Maintenance Downtime: consists of three categories:
(a) Pre-Scheduled Maintenance. Our current pre-scheduled maintenance downtime for the Deliverables is once a week. Any maintenance activities beyond the regularly scheduled maintenance window will be coordinated with users through reasonable advance notice where possible.
(b) Regular Maintenance. Regular maintenance is routine, scheduled maintenance outside the pre-scheduled maintenance described above. We will provide reasonable advance notice to users prior to any regular maintenance.
(c) Emergency Maintenance. Emergency maintenance is defined as maintenance that must be performed immediately, regardless of time of day in order to avoid further damage or impairment to the Solution. We may not be able to provide advance notice for such emergency maintenance.
7.3.4 External Downtime. We will not be responsible for any downtime that is attributable to:
(a) An act or omission by a third party;
(b) Your acts or omissions, including any breaches of this Agreement;
(c) Your infringement of third party intellectual property rights;
(d) Your wilful misconduct or breaches of law;
(e) Service or resource reductions requested or approved by You;
(f) Any system problems attributable to Your equipment, material, data or software stack or networking; or
(g) Internet downtime, DNS failure, electric power or other utility failures.
7.4 You grant Us (and Our applicable contractors) a worldwide, limited-term licence to host, copy, display and use Your data, each as reasonably necessary for Us to provide, and ensure proper operation of, the Solutions and Professional Services in accordance with this Agreement. Subject to the limited licences granted herein, We acquire no right, title or interest from You under this Agreement in or to any of Your data.
8.1 We shall only be required to provide such Professional Services that are documented in an Order.
8.2 Unless the Order specifically states that Charges for Professional Services are “fixed”, the Charges for Professional Services are calculated on a “time and materials” basis. You are to pay Charges at the agreed rate based on the actual time taken by Us to perform the Professional Services even if the actual time transpires to be shorter or longer than anticipated.
Use of the deliverables
9.1 You are permitted to use the Deliverables for any member of the Customer Group but:
9.1.1 You are liable for all Charges (even if We agree to invoice a member of the Customer Group);
9.1.2 You will be responsible for the acts and omissions of all members of the Customer Group; and
9.1.3 You must ensure that any claims arising out of or connected with this Agreement or any Order (howsoever caused) are actioned only by You. However, You can claim for loss or damage incurred by any member of the Customer Group as if such loss or damage was incurred by You.
9.2 Except as permitted by clause 9.1, Deliverables are supplied to You for Your own internal use in the ordinary course of business and must not be re-sold or otherwise made available to any third party.
Charges and payment
10.1 Unless otherwise stated in an Order:
10.1.1 Recurring Charges will be invoiced annually in advance;
10.1.2 Perpetual License Fees will be invoiced upon signing the Order;
10.1.3 Charges for Professional Services will be invoiced monthly in arrears for any Professional Services provided during the month;
10.1.4 You must pay invoices within 30 days of the invoice date.
10.2 Our prices are described exclusive of any excise taxes, sales taxes or any other taxes that would apply to Products and Service purchased by You. You agree to pay, and We will add to the invoice for Our Charges, any taxes that We are required to collect by law.
10.3 If You dispute any part of an invoice, You shall notify Us promptly in writing of the basis for the dispute and shall pay any undisputed amount. The parties shall promptly negotiate in good faith to resolve the dispute. This clause does not prevent Us pursuing Our legal rights and remedies to enforce payment of Our invoices.
10.4 We may increase the Charges set out in an Order by notifying you in writing in advance of the increase; provided, however:
10.4.1 Subscription Fees and any recurring Charges associated with a Solution will not be increased during the prevailing Subscription Period; and
10.4.2 Charges for Professional Services set out in an Order will not be increased for the particular Professional Services specified in the Order (that is to say Professional Services quantified and requisitioned at the date of the Order).
Intellectual property rights
11.1 Unless expressly stated in an Order, no part of the Solution or Our Platform will constitute a “work made for hire,” and we shall be deemed the sole author and owner of the Solution and their attendant Intellectual Property Rights.
11.2 You shall retain ownership and be deemed to be the author or owner of Your domain names, and any graphics or data You provide that is used on the Platform and their attendant Intellectual Property Rights.
12.1 Any Confidential Information that You share with Us or that We share with You will be used by the receiving party solely for the purpose of providing the services under this Agreement.
12.2 Each party agrees that it shall treat all Confidential Information of the disclosing party with the same degree of care as the receiving party accords to its own confidential information, but in no case less than reasonable care.
12.3 Except as permitted in clause 12.4, neither party shall disclose the Confidential Information of the other party that it has received, or will receive in the future, to any third party without the disclosing party’s prior written consent.
12.4 Either party may disclose Confidential Information under order of a court of competent jurisdiction, provided that the receiving party promptly notifies the disclosing party of such an event so that the disclosing party may seek an appropriate protective order.
Data security and privacy
13.1 Solely to the extent we have access to, or acquire, any Customer Data (defined below) through your use of the Platform, then the following provisions will apply. “Customer Data” includes, but is not limited to (i) information which identifies or could reasonably be used to identify any natural person, including without limitation a person’s first and last name, home or other physical address, telephone number, fax number, email address, social security number, driver’s license, government issued identification card, UDID, IP address, etc., (ii) data collected directly from a user via an application’s user interface (name, address, date of birth), (iii) data that is gathered indirectly, such as mobile phone numbers, IMEI, or UDID, and (iv) data gathered about a user’s behavior, such as purchase and transactional information, location data, web browsing data or the applications used which is linked to a unique profile.
13.1.1 Unless we receive your prior written consent, we: (a) shall not access or use Customer Data other than as necessary to perform its obligations under this Agreement and for internal product research and development purposes; and (b) shall not give any third party access to Customer Data other than as expressly permitted pursuant to the terms of this Agreement.
13.1.2 We shall: (1) keep and maintain all Customer Data in confidence, using such degree of care as is appropriate to avoid unauthorized access, use or disclosure; (2) install and maintain administrative, physical and technical safeguards to protect Customer Data from unauthorized access, destruction, use, modification or disclosure that are no less rigorous than accepted industry practices (including, without limitation, relevant IT security auditing standards); and (3) access your computer systems, if access is provided, only for the limited purpose of, and only for that period of time necessary for, fulfilling our obligations under this Agreement.
13.1.3 We will promptly inform you whenever we know or reasonably believe a security breach has occurred that involves or potentially involves Customer Data and will investigate and remediate any such occurrence (including, without limitation, provision of notice to affected individuals and relevant public authorities as required by applicable law).
13.1.4 Upon expiration or termination of this Agreement, or at your request, we destroy all copies of Customer Data (in a manner appropriate to the nature of the information).
13.2 Solely to the extent we have access to, or acquire any Customer Data regulated by EU Data Protection Laws (as defined in Exhibit A hereto) through your use of the Platform, then the provisions in Exhibit A shall apply and are incorporated herein by reference.
14.1 We warrant to you that:
14.1.1 We own or have all necessary rights to provide the Solutions and Professional Services to You in accordance with the terms of this Agreement and any applicable Order;
14.1.2 Our Products when used for their intended purpose do not infringe the Intellectual Property Rights of third parties;
14.1.3 Our Products, if operated as directed, will substantially achieve the functionality described in the written specifications for each Product; and
14.1.4 We will provide all Professional Services in a workmanlike manner.
14.2 We do not warrant, however, that Your use of the Solution will be uninterrupted or that the operation of the Solution or any Product will be error-free. Our sole liability for any breach of this warranty shall be to (i) replace the defective Product or Professional Service, (ii) advise You how to achieve substantially the same functionality through a different procedure than set forth in the product specification, or (iii) if the above remedies are impractical, to refund the Charges paid for the Product or Professional Service.
14.3 If any modifications are made to the Products by You during the warranty period, or if you violate the terms of this Agreement, then this warranty shall immediately terminate. This warranty shall not apply if the Product is used on or in conjunction with hardware or software other than the minimum system requirements specified for the Product.
Limitations and exclusions of liability
15.1 EXCEPT FOR LIABILITY FOR INDEMNIFICATION, LIABILITY FOR BREACH OF CONFIDENTIALITY, OR LIABILITY FOR INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY RIGHTS, IN NO EVENT IS EITHER PARTY LIABLE FOR CONSEQUENTIAL, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR ENHANCED DAMAGES, LOST PROFITS OR REVENUES OR DIMINUTION IN VALUE, ARISING OUT OF OR RELATING TO ANY BREACH OF THIS AGREEMENT, REGARDLESS OF: (A) WHETHER THE DAMAGES WERE FORESEEABLE; (B) WHETHER OR NOT THE BREACHING PARTY WAS ADVISED OF THE POSSIBILITY OF THE DAMAGES AND (C) THE LEGAL OR EQUITABLE THEORY (CONTRACT, TORT OR OTHERWISE) ON WHICH THE CLAIM IS BASED, AND NOTWITHSTANDING THE FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS ESSENTIAL PURPOSE. Some jurisdictions do not permit the exclusion or limitation of liability for consequential or incidental damages, and, as such, some portion of the above limitation may not apply to You. In such jurisdictions, Our liability is limited to the greatest extent permitted by law.
15.2 EXCEPT FOR OBLIGATIONS TO MAKE PAYMENT UNDER THIS AGREEMENT, LIABILITY FOR INDEMNIFICATION, LIABILITY FOR BREACH OF CONFIDENTIALITY, OR LIABILITY FOR INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY RIGHTS, IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER ARISING OUT OF OR RELATED TO BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EXCEED THE TOTAL OF THE CHARGES PAID AND CHARGES ACCRUED BUT NOT YET PAID BY YOU UNDER THIS AGREEMENT IN THE TWELVE MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM. THE FOREGOING LIMITATIONS APPLY EVEN IF THE NON-BREACHING PARTY’S REMEDIES UNDER THIS AGREEMENT FAIL OF THEIR ESSENTIAL PURPOSE.
15.3 Notwithstanding clause 15.1, clause 15.2 and any other provisions of this Agreement, neither party excludes or limits its liability for:
15.3.1 death or personal injury caused by its negligence or the negligence of its officers, employees, contractors or agents;
15.3.2 fraud or wilful misconduct; or
15.3.3 any liability that cannot lawfully be excluded.
Term and termination
16.1 Unless otherwise expressly stated in the relevant Order:
16.1.1 for each Product supplied with a Perpetual License, the license begins when the Product is first made available to You;
16.1.2 for each Solution supplied with a Subscription or with Support and Maintenance, the relevant period shall be specified in the applicable Order and will automatically renew for additional periods equal to the expiring term or one year (whichever is the shorter), unless either party gives the other notice of non-renewal at least 60 days before the end of the relevant term. The per-unit pricing during any renewal term will increase by up to 5% above the applicable pricing in the prior term, unless We provide You notice of different pricing at least 60 days prior to the applicable renewal terms. Except as expressly provided in the applicable Order, renewal of promotional or one-time priced subscriptions will be at Our applicable list price in effect at the time of the applicable renewal. Notwithstanding anything to the contrary, any renewal in which subscription volume for any Solution has decreased from the prior term will result in re-pricing at renewal without regard to the prior term’s per-unit pricing.
16.2 A party may terminate this Agreement for cause (i) upon 30 days written notice to the other party of a material breach if such breach remains uncured at the expiration of such period, or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.
16.3 In no event will termination of this Agreement relieve You of Your obligation to pay any fees payable to Us under an applicable Order, or affect any accrued rights or liabilities of either party.
16.4 Termination of this Agreement or any Order will not affect the continuance in force of any provision which is expressly or by implication intended to come into or continue in force on or after termination.
Compliance with laws
17.1 You agree to use the Solutions in compliance with all applicable laws.
17.2 You agree that You have not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any of Our employees or agents in connection with this Agreement.
17.3 The Solution and technology that We make available, and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Each party represents that it is not named on any U.S. government denied-party list. You shall not permit access or use of any Solution or Content in a U.S. embargoed country or in violation of any U.S. export law or regulation.
17.4 If You reside within the EU: Article 22 - 10 of the EC Council Regulation No 428/2009 (and associated legal amendments) applies to our Software meaning it is subject to controls if exported by You from the Community. You acknowledge Your responsibilities under this Article.
18.1 Neither party shall be responsible for any resulting loss if the fulfilment of any of the terms or provisions of this Agreement is delayed or prevented by revolutions, insurrections, riots, wars, acts of enemies, national emergency, strikes, fire, explosion, flood, tropical storm, hurricane, or any other events or circumstances beyond the reasonable control of the party affected; provided that the nonperforming party uses Commercially Reasonable Efforts to avoid or remove causes of non-performance and continues performance under this Agreement with reasonable dispatch after the causes are removed.
18.2 Upon occurrence of a force majeure event, the non-performing party shall promptly notify the other party that a force majeure event has occurred and its anticipated effect on performance, including its expected duration. The non-performing party shall furnish the other party with periodic reports regarding the progress of the force majeure event.
Relationship of the parties
19.1 Our relationship shall be that of independent contractors. Neither party is an agent of the other and neither party shall have any right or authority to make any agreement in the name of the other party, or to make any representation, or to assume, create or incur any obligation or liability of any kind, express or implied, on behalf of the other party. Each Party will be responsible for any applicable payment and withholdings of any salary, benefits, incentives, and any other compensation or taxes relevant to its personnel. Nothing in this Agreement, and no course of dealing between the parties, shall be construed to create or imply an employment or agency relationship or a partnership or joint venture relationship between the parties or between one party and the other party’s employees or agents.
20.1 Neither party may assign this Agreement without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed). Notwithstanding the foregoing, We may assign this Agreement to an affiliate or, in the case of a merger or acquisition, Our successor, without Your prior written consent. Any purported assignment in breach of this Agreement is null and void.
Third party rights
21.1 This Agreement is for the benefit of the parties and is enforceable by Us and by You and our respective successors in title and permitted assignees. A person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999, or otherwise, to enforce any term of this Agreement.
22.1 This Agreement, together with any related Orders, constitutes the entire agreement between the parties and supersedes any previous agreements, arrangements, or understandings between the parties relating to its subject matter.
22.2 In entering into this Agreement, neither party is relying on any representation, warranty or covenant that is not expressly contained herein.
Amendment and waiver
23.1 No amendment of this Agreement will be valid unless it is in writing and signed by or on behalf of each of the parties by a duly authorised representative of each of the parties.
23.2 The failure to exercise, or delay in exercising, a right or remedy under this Agreement will not constitute a waiver of the right or remedy, or a waiver of any other rights or remedies.
24.1 If any provision of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the remaining provisions will remain in force and effect.
24.2 The parties further agree to amend or re-write any such invalid, unenforceable or illegal provisions as necessary to give effect to the commercial intention of the parties to the maximum extent permitted by law.
Governing law and jurisdiction
25.1 This Agreement and any dispute or claim arising out of or in connection with it (including any non-contractual disputes or claims) shall be governed as follows:
- If You are domiciled in: The United States of America, Canada, Mexico or a Country in Central or South America or the Caribbean
  - You are contracting with: Jazz Networks Federal Inc (if you are a Government department or agency)
  - Notices should be addressed to: Jazz Networks Federal Inc, 12110 Sunset Hills Road, Suite 600, Reston, VA 20190, USA, Attn: General Counsel
  - The governing law is: Delaware, USA
  - The courts having exclusive jurisdiction are: Delaware, USA
- If You are domiciled in: The United States of America, Canada, Mexico or a Country in Central or South America or the Caribbean
  - You are contracting with: Jazz Networks Inc (if you are not a Government department or agency)
  - Notices should be addressed to: Jazz Networks Inc, 110 E 42nd St, Suite 815, New York, NY 10017, USA, Attn: General Counsel
  - The governing law is: Delaware, USA
  - The courts having exclusive jurisdiction are: Delaware, USA
- If You are domiciled in: UK or Rest of World
  - You are contracting with: Jazz Networks Limited
  - Notices should be addressed to: Jazz Networks Limited, The Charter Building, Charter Place, Uxbridge UB8 1JG, United Kingdom, Attn: General Counsel
  - The governing law is: England
  - The courts having exclusive jurisdiction are: England
26.1 The rights and remedies under this Agreement are cumulative and are in addition to and not in substitution for any other rights and remedies available at law or in equity or otherwise, except to the extent expressly provided in clause 12 and 13 to the contrary.
26.2 Each party hereto acknowledges that a breach or threatened breach by such party of any of its obligations under clause 6 and clause 11 would give rise to irreparable harm to the other party for which monetary damages would not be an adequate remedy and hereby agrees that in the event of a breach or a threatened breach by such party of any such obligations, the other party shall, in addition to any and all other rights and remedies that may be available to it in respect of such breach, be entitled to equitable relief, including a temporary restraining order, an injunction, specific performance and any other relief that may be available from a court of competent jurisdiction, without any requirement to post bond.
27.1 This Agreement may be executed in counterparts, each of which shall be deemed an original, but all of which together shall be deemed to be one and the same agreement. Delivery of a signed Agreement by reliable electronic means, including facsimile, email, or any electronic signature complying with the U.S. federal ESIGN Act of 2000 (including DocuSign) shall be an effective method of delivering the executed Agreement. For the avoidance of doubt, You agree to the terms of this Agreement and the terms of Our End User Licence Agreement if You click a box indicating Your Acceptance of this Agreement, execute an order with us or our Authorized Partner (via DocuSign); or use such Solutions or Services.
27.2 This Agreement may be stored by electronic means and either an original or an electronically stored copy of this Agreement can be used for all purposes, including in any proceeding to enforce the rights and/or obligations of the parties to this Agreement.
Data processing addendum
Version: 9th November 2018
Scope and order of precedence
Jazz Networks and Company have entered into an agreement for Jazz Networks Solutions & Services (as may be amended from time to time, the “Master Agreement”). This Data Processing Addendum (this “Addendum”) will apply to Jazz Networks’ Processing of Company Personal Data, but only to the extent that EU Data Protection Laws apply to the Processing of Company Personal Data. This Addendum is hereby incorporated into and made a part of the Master Agreement. If there is any conflict between this Addendum and the Master Agreement, this Addendum shall control to the extent of such conflict. This Addendum will be effective until such time as Jazz Networks is no longer Processing Company Personal Data.
In this Addendum, the following capitalized bold terms will have the following meanings:
“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Personal Data Breach,” and “Processing” each have the meaning set forth in the EU Data Protection Laws.
“Company” means the other party that has executed the Agreement with Jazz Networks.
“Company Personal Data” means Personal Data provided to Jazz Networks by Company for Processing by Jazz Networks in connection with the Services.
“EU Data Protection Laws” means (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
“GDPR” means EU General Data Protection Regulation 2016/679.
“Jazz Networks” means Jazz Networks Limited.
“Jazz Networks Affiliates” means the subsidiaries of Jazz Networks that may assist in the provision of Services.
“Model Clauses” means the standard contractual clauses approved by the EU Commission for the Transfer of Personal Data to Processors established in Third Countries under the EU Data Protection Laws, as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
“Third Party Sub-processor” means a third party subcontractor, other than a Jazz Networks Affiliate, engaged by Jazz Networks which, as part of the subcontractor’s role of providing Services, will Process Company Personal Data.
“Services” means the services to be provided by Jazz Networks for the benefit of Company that are specified in the Master Agreement.
Categories of Personal Data & Data Subjects
In order to perform the Services, Company hereby authorizes and requests that Jazz Networks Process the following categories of Company Personal Data: details about Processing, including the types of Personal Data Processed and the categories of Data Subjects under this Addendum, are set out in Annex 1.
Company may provide instructions in writing to Jazz Networks in addition to those specified in the Master Agreement with regard to Processing of Company Personal Data. Jazz Networks will comply with all such instructions without additional charge to the extent necessary for Jazz Networks to comply with its obligations to Company in the Master Agreement. The parties will negotiate in good faith with respect to any other change in the Services and/or fees resulting from any additional instructions.
Roles and Restrictions on Processing of Company Personal Data
Company will at all times (i) remain the Controller of Company Personal Data pursuant to EU Data Protection Laws; (ii) determine the purposes and means of its Processing of Company Personal Data; and (iii) comply with the obligations applicable to it pursuant to EU Data Protection Laws regarding the Processing of Company Personal Data, including, without limitation, establishing a legal basis for Processing of Company Personal Data and with respect to the transfer and provision of Company Personal Data to Jazz Networks for Processing hereunder.
Jazz Networks is a Processor with respect to its Processing of Company Personal Data hereunder. Jazz Networks will Process Company Personal Data solely for the provision of the Services, and will not otherwise (i) Process Company Personal Data for purposes other than those set forth in the Master Agreement or as instructed by Company in accordance with Section 4, or (ii) disclose such Company Personal Data to third parties other than Jazz Networks Affiliates or Third Party Sub-processors as permitted or required by the Master Agreement, this Addendum, or EU Data Protection Laws. Jazz Networks will comply with the obligations applicable to it pursuant to EU Data Protection Laws regarding the Processing of Company Personal Data.
Rights of Data Subjects
Jazz Networks will follow Company’s detailed written instructions to meet its obligations pursuant to EU Data Protection Laws to respond to Data Subject requests to access, delete, release, correct, or block access to Company Personal Data held in Jazz Networks’ information technology environment. Company agrees to pay Jazz Networks’ reasonable out-of-pocket costs and expenses and standard hourly fees that may be associated with Jazz Networks’ performance of any such access, deletion, release, correction, or blocking of access to Company Personal Data on behalf of Company. Jazz Networks will pass on to the Company any requests of an individual Data Subject to access, delete, release, correct, or block Company Personal Data Processed by Jazz Networks in connection with the Services; provided, however, that Jazz Networks will not be responsible for responding directly to the request, unless otherwise required by EU Data Protection Laws.
Cross Border and Onward Data Transfers
Jazz Networks treats all Company Personal Data in a manner consistent with the requirements of the Master Agreement and this Addendum in all locations globally. Transfers of Company Personal Data originating from the EEA or Switzerland to Jazz Networks Affiliates or Third Party Sub-processors located in countries outside the EEA or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national data protection authority, are subject to (i) the terms of the Model Clauses attached as Annex 2; or (ii) other appropriate transfer mechanisms pursuant to EU Data Protection Laws. The terms of this Addendum shall be read in conjunction with the Model Clauses or other appropriate transfer mechanisms.
Transfers of Company Personal Data originating from other locations globally to Jazz Networks Affiliates or Third Party Sub-processors are subject to (i) for Jazz Networks Affiliates, the terms of an intra-company data processing and transfer agreement entered into between Jazz Networks and the Jazz Networks Affiliates, incorporating data security requirements consistent with those set forth in this Addendum; and (ii) for Third Party Sub-processors, the terms of the relevant third party sub-processor agreement between Jazz Networks and the Third Party Sub-processor, incorporating data security requirements consistent with those set forth in this Addendum.
Affiliates and Third Party Sub-processors
Some or all of Jazz Networks’ obligations under the Agreement may be performed by Jazz Networks Affiliates and Third Party Sub-processors. Jazz Networks maintains a list of Jazz Networks Affiliates and Third Party Sub-processors that may Process Company Personal Data. Jazz Networks will provide a copy of that list to Company upon request.
The Jazz Networks Affiliates and Third Party Sub-processors will be required to abide by substantially the same obligations as Jazz Networks under this Addendum as applicable to their Processing of Company Personal Data. Company may request that Jazz Networks audit a Third Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Company in obtaining a third-party audit report concerning the Third Party Sub-processor’s operations) to ensure compliance with such obligations.
Jazz Networks remains responsible at all times for compliance with the terms of this Addendum by Jazz Networks Affiliates and Third Party Sub-processors.
Company consents to Jazz Networks’ use of Jazz Networks Affiliates and Third Party Sub-processors in the performance of the Services in accordance with the terms of Sections 7 and 8 above.
Technical and Organizational Measures
Jazz Networks has implemented and will maintain appropriate technical and organizational security measures for the Processing of Company Personal Data, including the measures specified in this Section 9 to the extent applicable to Jazz Networks’ Processing of Company Personal Data. These measures are intended to protect Company Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure, or access, and against all other unlawful forms of Processing. Additional measures, and information concerning such measures, including the specific security measures and practices for the particular Services ordered by Company, may be specified in the Master Agreement.
- Physical Access Control. Jazz Networks employs measures designed to prevent unauthorized persons from gaining access to data processing systems in which Company Personal Data is Processed, such as the use of security personnel, secured buildings, and data center premises.
- System Access Control. The following may, among other controls, be applied depending upon the particular Services ordered: authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and logging of access on several levels. For Services hosted at Jazz Networks: (i) log-ins to Services Environments by Jazz Networks employees and Third Party Sub-processors are logged; (ii) logical access to the data centers is restricted and protected by firewall/VLAN; and (iii) intrusion detection systems, centralized logging and alerting, and firewalls are used.
- Data Access Control. Company Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted, and application access rights are established and enforced.
- Input Control. The source of Company Personal Data is under the control of the Company, and Personal Data integration into the system is managed by secured file transfer (i.e., via web services or entered into the application) from the Company to the extent possible.
- Data Backup. For Services hosted at Jazz Networks: back-ups are taken on a regular basis; backups are secured using a combination of technical and physical controls, depending on the particular Service.
- Data Segregation. Company Personal Data from different Jazz Networks customers’ environments is logically segregated on Jazz Networks’ systems to the extent possible.
- Confidentiality. All Jazz Networks employees and Third Party Sub-processors that may have access to Company Personal Data are subject to appropriate confidentiality arrangements.
Company has the right to inspect Jazz Networks’ respective systems and facilities up to one (1) time every twelve (12) months to ensure compliance with this Addendum only to the extent required by EU Data Protection Laws. Before the commencement of any such audit, Company and Jazz Networks shall mutually agree in good faith upon the scope and duration of the audit. The audit must be conducted during regular business hours at the applicable facility, subject to Jazz Networks’ policies, and may not unreasonably interfere with Jazz Networks’ business activities. Company is entitled to conduct the audit either by an authorized representative, including its data protection officer, where relevant, or through third parties that Jazz Networks authorizes. Any authorized representatives of Company (including third parties) must comply with the confidentiality requirements under this Addendum and the Master Agreement; the results of such audit will be deemed the confidential information of Jazz Networks. Company shall notify Jazz Networks with information regarding any non-compliance discovered during the course of an audit. Any audits are at the Company’s expense. Any request for Jazz Networks to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required for the provision of the Services. Jazz Networks will seek the Company’s written approval and agreement to pay any related fees before performing such audit assistance.
Incident Management and Breach Notification
Jazz Networks evaluates and responds to incidents that create suspicion of or indicate a Personal Data Breach. Jazz Networks operations staff is instructed on responding to a Personal Data Breach as required pursuant to EU Data Protection Laws. Jazz Networks will notify Company as soon as reasonably practicable, and in any event within any notice period required pursuant to Data Protection Laws, if Jazz Networks has determined that a Personal Data Breach has occurred that involves Company Personal Data. Jazz Networks will promptly investigate the Personal Data Breach and take reasonable measures to identify its root cause(s) and prevent a recurrence. As information is collected or otherwise becomes available, unless prohibited by applicable law, Jazz Networks will provide Company with a description of the Personal Data Breach, the type of Personal Data that was the subject of the Personal Data Breach, and other information Company may reasonably request concerning the affected Data Subjects. The parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or notices to the relevant data protection authorities.
Return and Deletion of Personal Data upon End of Services
Following termination of the Services, Jazz Networks will return or otherwise make available for retrieval to Company all Company Personal Data then available in Jazz Networks’ information technology environment that holds Company Personal Data. Following return of such Company Personal Data, or as otherwise specified in the Master Agreement, Jazz Networks will promptly delete or otherwise render inaccessible all copies of Company Personal Data then available in Jazz Networks’ information technology environment that holds Company Personal Data, except as may be required by applicable law.
Legally Required Disclosures
Except as otherwise required by applicable law, Jazz Networks will promptly notify Company of any subpoena, judicial, administrative, or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority (“Demand”) that it receives and which relates to the Processing of Company Personal Data. At Company’s request, Jazz Networks will provide Company with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Company to respond to the Demand in a timely manner. Company acknowledges that Jazz Networks has no responsibility to interact directly with the entity making the Demand.
Jazz Networks may (i) compile statistical and other information related to the performance, operation, and use of the Services, and (ii) use data from the Services environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (collectively “Service Analyses”). Jazz Networks may make Service Analyses publicly available. However, Service Analyses will not incorporate Company Personal Data in a form that could identify or serve to identify Company or any Data Subject. Jazz Networks retains all intellectual property rights in and to such Service Analyses.
Details of processing
Personal Data: Personal Data to be Processed includes:
- User’s Active Directory data (only if integrated): name, surname, phone number if provided, company email address
- Technical details of corporate machine: Device/s associated with user, IP address
- Data gathered about a user’s behaviour by the Jazz agents: Location, web browsing, applications used, Wi-Fi networks used
All of the above data is tied to a device and can only be attributed to a user as long as the device belongs to, or is associated with, the user.
Data Subjects: Categories of Data Subjects include:
Company’s employees using company provided devices and IT services
Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organisation: ……………………………………………………………
Tel.: …………………………………; fax: …………………………………; e-mail: …………………………………
Other information needed to identify the organisation:
(the data exporter)
Name of the data importing organisation: ……………………………………………………………
Tel.: …………………………………; fax: …………………………………; e-mail: …………………………………
Other information needed to identify the organisation:
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter, to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request, a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
Name (written out in full):
Other information necessary in order for the contract to be binding (if any):
(stamp of organisation)
On behalf of the data importer:
Name (written out in full):
Other information necessary in order for the contract to be binding (if any):
(stamp of organisation)
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is (please specify briefly your activities relevant to the transfer):
The data importer is (please specify briefly activities relevant to the transfer):
The personal data transferred concern the following categories of data subjects (please specify):
Categories of data
The personal data transferred concern the following categories of data (please specify):
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The personal data transferred will be subject to the following basic processing activities (please specify):
Authorised Signature ………………………………
Authorised Signature ………………………………
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data importer (COMPANY) will maintain technical and organizational security measures for protection of the security, confidentiality and integrity of Personal Data Processed in the context of the provision of the Services as described in Section 9 of Addendum (Data Security and Privacy) which is hereby incorporated by reference in its entirety.
- Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.
- Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.
- This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.