Terms and conditions
SAAS Services and support
Subject to the terms of this Agreement, Company will use commercially reasonable efforts to provide Customer the Services (as such term is defined in Section 1.3), [including an application programming interface (the “Elba API”)]. Company reserves the right to update or modify the Services at any time, including to add or remove features with or without prior notice. As part of the registration process, Customer will identify an administrative user name and password for Customer’s Company account (the “Administrative Account”). Customer may register additional user accounts, provided that such accounts shall be associated with a specific individual, and accounts and passwords may not be shared or disclosed to other individuals within or outside of Customer’s organization. Customer will be responsible for any actions taken by parties with access to such usernames and passwords. Customer will inform Company immediately if it discovers that any such account and/or password has been disclosed or made available to a third party. Company reserves the right to refuse registration of, or cancel passwords it deems inappropriate.Subject to the terms hereof, Company will provide Customer with reasonable technical support services in accordance with the Company’s standard practice.
1.3 The Services (the “Service(s)”) include the following:
- Access to Elba platform for the admin with associated features
- Access to Elba platform for the employee with associated features
- DEFINITIONS
“Affiliate” means any entity (under article L.233-3 of the French code de commerce), directly or indirectly, controlling, controlled by, or under common control with, ELBA.
“Authorized Users” means: (i) Licensee’s employees; and (ii) contractors authorized by Licensee to access the Subscription Software who, prior to obtaining access to the Subscription Software, have executed a non-disclosure agreement that protects ELBA’s Confidential Information to the same extent as this Agreement, and shall pay to ELBA the corresponding Subscription Fees. In each case, Authorized Users will be registered in ELBA database with a unique User ID and a unique password.
“Confidential Information” means non-public information that is identified as or would be reasonably understood to be confidential and/or proprietary. Confidential Information of ELBA includes, without limitation, the Documentation, and the Subscription Software, including any software code and all algorithms, methods, techniques, and processes revealed or utilized therein. Confidential Information of Licensee includes Licensee Data. Confidential Information does not include information that: (i) is or becomes known to the public without fault or breach of the Recipient; (ii) the Discloser regularly discloses to third parties without restriction on disclosure; (iii) the Recipient obtains from a third party without restriction on disclosure and without breach of a non-disclosure obligation known to Recipient; or (iv) is independently developed by the Recipient without use of Confidential Information.
“Discloser” means the party providing Confidential Information to the Recipient.
“Documentation” means the then-current ELBA-provided documentation relating to the features, functions, and use of the Subscription Software and any updates to this documentation at ELBA's sole discretion.
“Documented Defect” means a material deviation between the then-current, general release version of the Subscription Software and its Documentation.
“Effective Date” means the date identified on the introduction and signature page of this Agreement.
“Initial Subscription Term” means the initial subscription period set forth on the applicable Order Form.
“Intellectual Property Rights” means all rights in patents, copyrights, trademarks, and service marks.
“Licensee Data” means information provided, entered, or uploaded for use by or with the Subscription Software by the Licensee or its Authorized Users. Licensee Data may be Personal Data and/or Sensitive Data.
« Sensitive Data » refers to Personal Data which are considered sensitive under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”).
« Personal Data » means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“License Restriction” means any limitation on the use of the Subscription Software identified in an Order Form (e.g., number of Authorized Users, locations, connections).
“Order Form” means each order form, or every similar document signed between the parties incorporating the terms of this Agreement which shall contain, without limitation, a list of the Subscription Software and associated quantity and License Restriction, a description of the Subscription Services, Subscription Fees, and payment terms.
“Recipient” means the party receiving Confidential Information of the Discloser.
“Renewal Term” means any renewal or extension of Licensee’s license to use the Subscription Software following the expiration of the Initial Subscription Term.
“Service Level Description” means the Service Level Description document applicable to the Subscription Services and attached as an exhibit to an Order Form.
“Subscription Fees” means the fees for the Subscription Services set forth on the applicable Order Form.
“Subscription Services” means the Subscription Software-related application hosting services and Support that ELBA provides to the Licensee under this Agreement.
“Subscription Software” means collectively or individually the computer software programs identified in the applicable Order Form for which ELBA is providing the Subscription Services.
“Subscription Term” means the Initial Subscription Term or any Renewal Term, as applicable.
“Third Party Licensor” means a third party whose software products (“Third Party Products”) have been made available to ELBA for distribution and licensing under the terms of its agreement with ELBA (a “Third Party Agreement”).
“Updates” means generally available updates, enhancements, or modifications to the then-current, general release version of the Subscription Software that are not separately priced or licensed as new products.
“UserID” means a unique user identification credential used in combination with a unique password to access the Subscription Services.
- SCOPE
The Agreement constitutes the entire agreement between the Parties with respect to its subject matter and supersedes all prior oral or written communications between the Parties, including any general terms and conditions of purchase of the Licensee. Any modification of the Agreement, including its Appendixes, requires a written and prior approval by both Parties, unless expressly stipulated in the Agreement.
The Agreement includes and incorporates the following documents by increasing order of precedence:
o the present document and any amendment and/or addendums made thereto.
o the Appendices attached to the present Agreement, including:
- Appendix 1: Order Form
- Appendix 2: Service Level Agreement
- Appendix 3: Data Protection Addendum
- Appendix 4: Security Measures
In case of a conflict or inconsistency between any parts of this Agreement, the document higher in the order of precedence as set out above will prevail.
- LICENCE
Subject to the terms and conditions of this Agreement and the applicable Order Form, ELBA hereby grants to Licensee a non-exclusive, non-transferable, limited license (without the right to sublease or sublicense) to access and use the Subscription Software and the Subscription Services, during the Subscription Term, in an operating environment hosted by ELBA, for Licensee’s own internal use. Any rights not expressly granted in this Agreement are expressly reserved.
Documentation. ELBA grants license to Licensee to use the Documentation and allow the Licensee to make a reasonable number of copies of the Documentation for the Subscription Software and for its internal use in accordance with the terms of this Agreement.
License Restriction. Licensee’s use of the Subscription Software and Subscription Services is subject to any License Restriction specified in the applicable Order Form.
Additional Restrictions on Use of the Subscription Software and Subscription Services. In no event shall Licensee access the Subscription Software on any environment outside the hosted environment selected by ELBA as part of the Subscription Services. In no event shall Licensee or its Authorized Users possess or control the Subscription Software or any related software code. Licensee is prohibited from causing or permitting the reverse engineering, disassembly, or de-compilation of the Subscription Software. Licensee acknowledges and agrees that France export control laws and other applicable export and import laws govern its use of the Subscription Software and Licensee will neither export or re-export, directly or indirectly, the Subscription Software, nor any direct product thereof in violation of such laws or use the Subscription Software for any purpose prohibited by such laws.
Intellectual Property Rights notice. Unless otherwise provided within the Order Form, the Licensee is prohibited from removing or altering any of the Intellectual Property Rights notice(s) embedded in the Subscription Software or that ELBA otherwise provides with the Subscription Services. Licensee must reproduce the unaltered Intellectual Property Rights notice(s) in any full or partial copies that Licensee makes of the Documentation.
Ownership. Use of the Subscription Software and Subscription Services does not grant any ownership rights in or to the Subscription Software, the Subscription Services, or the Documentation. Licensee Data shall be the sole property of the Licensee; however, ELBA may aggregate anonymous statistical data regarding use and functioning of its system by its various licensees, and all such data (none of which shall be considered Licensee Data), will be the sole property of ELBA.
- SUBSCRIPTION SERVICES
Hosted Environment. In return for the payment of the Subscription fees, ELBA will provide the application hosting environment, including the hardware, equipment, and systems software configuration on which ELBA supports use of the Subscription Software and Subscription Services, on servers located at a facility freely selected by ELBA to meet the Service Level described in Appendix 2.
Support. In return for the payment of the Subscription fees, ELBA shall (a) provide Licensee with access (via the internet, telephone or other means established by ELBA as described in Appendix 2) to ELBA’s support helpline, (b) install, when and if generally available, Updates; and (c) use reasonable efforts to correct or circumvent any material deviation between the then-current, general release version of the Subscription Software and its Documentation (the foregoing referred to collectively as “Support”). Support is included in the Subscription Fee.
User Accounts. Licensee is responsible for maintaining its own Authorized User, UserIDs and passwords which can be managed through the Subscription Software interface. Licensee is responsible for maintaining the confidentiality of Licensee’s UserIDs and passwords and shall cause its Authorized Users to maintain the confidentiality of their UserIDs and Passwords. Licensee is responsible for all uses of and activities undertaken with UserIDs registered on Licensee’s account. Licensee agrees to immediately notify ELBA of any unauthorized use of Licensee’s UserIDs of which Licensee becomes aware.
Connectivity. ELBA will be responsible for maintaining connectivity from its network to the Internet which can service the relevant Internet traffic to and from the hosted environment. Licensee is responsible for providing connectivity to the Internet for itself and its Authorized Users. Licensee shall also be responsible for ensuring that latency and available bandwidth from the user’s desktop to ELBA’s hosted routers is adequate to meet Licensee’s desired level of performance. If Licensee requires a VPN or private network connection to the Subscription Services, Licensee is responsible for all costs associated with any specialized network connectivity required by Licensee.
Restrictions. ELBA shall have no obligation to correct a problem caused by Licensee’s negligence, Licensee’s equipment or infrastructure malfunction or other causes beyond the direct control of ELBA.
- DATA PROCESSING
Personal data. The rights and obligations of the Parties regarding the protection of Personal Data are set out in the DPA attached hereto in Appendix 3 in accordance with the applicable Law.
- PAYMENT AND TAXES
Payment. Licensee shall pay ELBA the Subscription Fees set forth on the Order Form. Subscription Fees are payable in advance and ELBA will invoice Licensee for Subscription Fees prior to the commencement of the portion of the Subscription Term to which such fees apply. After the Initial Subscription Term, the Subscription Fees shall be subject to annual adjustment. Except as otherwise set forth in this Agreement, Subscription Fees are non-refundable. Licensee will pay each ELBA invoice in accordance with the payment terms set forth on the Order Form. Notwithstanding anything to the contrary in this Agreement, ELBA reserves the right to suspend access to the Subscription Services in the event of any past due Subscription Fees. Unpaid amounts are subject to a finance charge of 3% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection and may result in immediate termination of Subscription Service.
Taxes. Licensee is responsible for paying all taxes relating to this Agreement (except for taxes based on ELBA’s net income or capital stock). Applicable tax amounts (if any) are not included in the Subscription Fees set forth on any Order Form. ELBA will invoice Licensee for applicable tax amounts and such invoices are payable in accordance with the Order Form.
- WARRANTIES
Right to Grant License. ELBA warrants that it owns all right, title, and interest in and to the Subscription Software or has obtained rights in such Subscription Software sufficient to grant the licenses granted to Licensee under this Agreement. Licensee’s exclusive remedy, and ELBA’s exclusive obligation, for a breach of this warranty is set forth in Section 7 of the present Agreement (Indemnity).
Malicious Code. ELBA represents that it has used commercially reasonable best efforts utilizing generally accepted industry tools and practices to provide Subscription Software that does not contain any malicious code or other programming devices that are intended to access, modify, delete, damage, deactivate or disable the Subscription Services (“Malicious Code”). As Licensee’s sole remedy for breach of this representation, ELBA shall act immediately to investigate, identify, and remove such Malicious Code from the Subscription Software.
Disclaimer of Warranties. The limited warranties are made to Licensee exclusively and are in lieu of all other warranties. ELBA MAKES NO OTHER WARRANTIES WHATSOEVER, EXPRESS, OR IMPLIED, WITH REGARD TO THE SUBSCRIPTION SOFTWARE AND SUBSCRIPTION SERVICES PROVIDED UNDER THIS AGREEMENT AND/OR ANY ORDER FORM, IN WHOLE OR IN PART. ELBA EXPLICITLY DISCLAIMS ALL WARRANTIES OF MERCHANTABILITY AND OF FITNESS FOR A PARTICULAR PURPOSE. ELBA EXPRESSLY DOES NOT WARRANT THAT THE SUBSCRIPTION SOFTWARE OR SUBSCRIPTION SERVICES, IN WHOLE OR IN PART, WILL BE ERROR FREE, OPERATE WITHOUT INTERRUPTION OR MEET LICENSEE’S REQUIREMENTS.
Abrogation of Limited Warranty. ELBA will have no obligation under this Section to the extent that any alleged breach of warranty is caused by any modification of the Subscription Software not performed by or on behalf of ELBA. To the extent that an alleged breach of warranty concerns a Third-Party Product that is subject to a more limited warranty under a Third-Party Agreement, ELBA’s obligations hereunder will be further limited accordingly.
- CONFIDENTIAL INFORMATION
Confidentiality. The Confidential Information disclosed under this Agreement may be used, disclosed, or reproduced only to the extent necessary to further and fulfill the purposes of this Agreement. The Recipient will not knowingly disclose to any third party or make any use of the Discloser’s Confidential Information. The Recipient will use at least the same standard of care to maintain the confidentiality of the Discloser’s Confidential Information that it uses to maintain the confidentiality of its own Confidential Information, but in no event less than reasonable care.
The non-disclosure and non-use obligations of this Agreement will remain in full force with respect to each item of Confidential Information for a period of five (5) years after Recipient’s receipt of that item; provided, however, that Licensee’s obligations to maintain the Subscription Software, including algorithms, methods, techniques, and processes revealed or utilized therein and Documentation as confidential shall be limited for the duration of copyright. Each of Licensee and ELBA shall be responsible for the breach of the confidentiality terms contained in this Section by any of its directors, officers, employees, Authorized Users, agents, accountants, and advisors.
Notwithstanding the foregoing, this Section is not intended to prevent (a) a Recipient from using Residual Knowledge, subject to any Intellectual Property Rights of the Discloser, or (b) ELBA from using aggregated data regarding the use of the Subscription Services to provide reports or analytics to Licensee or to improve the performance of ELBA’s products, provided such data does not contain any Personal Data or Sensitive Data regarding Licensee, its employees, customers or Authorized Users. If the Recipient should receive any legal request or process in any form seeking disclosure of Discloser’s Confidential Information, or if the Recipient should be advised by counsel of any obligation to disclose such Confidential Information, the Recipient shall (if allowed by law) provide the Discloser with prompt notice of such request or advice so that the Discloser may seek a protective order or pursue other appropriate assurance of the confidential treatment of the Confidential Information. Regardless of whether a protective order or other assurance is obtained, the Recipient shall furnish only that portion of the Discloser’s Confidential Information which is legally required to be furnished and to use reasonable efforts to assure that the information is maintained in confidence by the party to whom it is furnished.
- INDEMNITY
ELBA will defend, indemnify, and hold Licensee harmless from and against any loss, cost and expense to the extent arising from a third-party claim against Licensee that the Subscription Software infringes any Intellectual Property Rights of others.
ELBA’s obligations under this indemnification are expressly conditioned on the following: (i) Licensee must promptly notify ELBA of any such claim; (ii) Licensee must, in writing, grant ELBA sole control of the defense of any such claim and of all negotiations for its settlement or compromise so long as such settlement or compromise does not result in payment of money by Licensee or an admission of guilt by Licensee ; (iii) Licensee must reasonably cooperate in good faith with ELBA to facilitate the settlement or defense of the claim. ELBA will not have any liability hereunder to the extent the claim arises from (a) any modification of the Subscription Software by, on behalf of, or at the request of Licensee; or (b) the use or combination of the Subscription Software with any computer, computer platform, operating system and/or data base management system other than provided by ELBA.
If any Subscription Software is, or in ELBA’s opinion is likely to become, the subject of an Intellectual Property Rights infringement claim, then ELBA, at its sole option and expense, will either: (A) obtain for Licensee the right to continue using the Subscription Software under the terms of this Agreement; (B) replace the Subscription Software with products that are substantially equivalent in function, or modify the Subscription Software so that it becomes non-infringing and substantially equivalent in function; or (C) refund to Licensee the un-used portion of the Subscription Services fee, if any, paid to ELBA for the Subscription Software giving rise to the infringement claim, and discontinue Licensee’s use of such Subscription Software. THE FOREGOING SETS FORTH ELBA’S EXCLUSIVE OBLIGATION AND LIABILITY WITH RESPECT TO INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS.
- TERM AND TERMINATION.
Term. With respect to the Subscription Software, the Initial Subscription Term shall be as set forth on the applicable Order Form. After the Initial Subscription Term, the Subscription Term shall automatically renew for period equal to the Initial Subscription Term (Renewal Terms), unless either party provides written notice of non-renewal to the other party at least thirty (30) days prior to expiration of the Initial Subscription Term or then current Renewal Term, as the case may be. Except as set forth in the present section, the Subscription Term cannot be terminated prior to its expiration date.
Right of Termination. If either party is in serious or repeated breach of any material obligation in this Agreement or an Order Form (including, without limitation, any obligation to pay Subscription Fees), and fails to remedy such breach (if such breach can be remedied) within thirty (30) days of receipt of written notice of such breach, the other party may terminate this Agreement (including all Order Forms hereunder) by notifying the other party its intention to terminate the Agreement by formal letter within thirty (30) days.
Effect of Termination. Upon termination of this Agreement by either party, Licensee’s license to access and use the Subscription Software and Subscription Services shall immediately terminate as of the effective date of such termination. Termination of this Agreement will not release either party from making payments which may be owing to the other party under the terms of this Agreement through the effective date of such termination. Termination of this Agreement will be without prejudice to the terminating party’s other rights and remedies pursuant to this Agreement, unless otherwise expressly stated herein.
Return of Licensee Data. Upon termination or expiration of this Agreement, ELBA shall promptly make all Licensee Data available to Licensee as a native database export provided through ELBA’s server. If Licensee requires the return of Licensee Data in an alternate format or requires any other termination assistance services, ELBA and Licensee shall mutually agree upon the scope of such termination assistance services and the fees and expenses payable for such termination assistance services.
Survival of Obligations. All obligations relating to non-use and non-disclosure of Confidential Information, Intellectual Property, limitation of liability, and such other terms which by their nature survive termination, will survive termination or expiration of this Agreement.
- MISCELLANEOUS
Notice All notices and other communications required or permitted under this Agreement must be in writing and will be deemed given when: delivered personally; sent by registered or certified email with return receipt requested; transmitted by facsimile confirmed by first class mail; or sent by overnight courier. Notices must be sent to a party at its address shown on the signature page of this Agreement, or to such other place as the party may subsequently designate for its receipt of notices in accordance with this Section.
Force Majeure. Except with respect to the payment of fees hereunder, neither party will be liable to the other for any failure or delay in performance under this Agreement due to circumstances beyond its reasonable control, including, without limitation, Acts of God, war, terrorist acts, accident, labor disruption, acts, omissions and defaults of third parties and official, governmental and judicial action not the fault of the party failing or delaying in performance, or the threat of any of the foregoing.
Assignment. Licensee may not assign or transfer any of its rights or obligations under this Agreement without the prior written consent of ELBA, whether by operation of law or otherwise, including in connection with a change in control, merger, acquisition, consolidation, asset sale or other reorganization, and any attempt at such assignment or transfer will be void.
No Waiver. A party’s failure to enforce its rights with respect to any single or continuing breach of this Agreement will not act as a waiver of the right of that party to later enforce any such rights or to enforce any other or any subsequent breach.
Choice of Law; Severability. This Agreement shall be governed by and interpreted in accordance with the laws of France, without application of any conflict of law’s provisions thereof, and all claims relating to or arising out of this Agreement, or the breach thereof, whether sounding in contract, tort or otherwise, shall likewise be governed by the laws of France, without application of any conflict of law’s provisions thereof.
This Agreement is originally written in the English language and the English language version shall control over any translations. If any provision of this Agreement is illegal or unenforceable, it will be deemed stricken from the Agreement and the remaining provisions of the Agreement will remain in full force and effect.
Failing amicable settlement, the litigation shall be submitted to the Paris Commercial Court, France. This clause providing for an exclusive jurisdiction shall be given the broadest effect and shall apply in any case, including in case of litigation or in case of emergency or protective proceedings, by summons or summary petition, and notwithstanding the existence of other defendants or guarantees.
- LIMITATIONS OF LIABILITY.
LIMITED LIABILITY OF ELBA. EXCEPT WITH RESPECT TO INTELLECTUAL PROPERTY INDEMNIFICATION OBLIGATIONS AND PERSONAL INJURY, THE TOTAL LIABILITY OF ELBA, ITS AFFILIATES IN CONNECTION WITH OR RELATED TO THIS AGREEMENT (WHATEVER THE BASIS FOR THE CAUSE OF ACTION) WILL NOT EXCEED THE ANNUAL SUBSCRIPTION FEES PAID BY THE LICENSEE TO ELBA FOR THE LAST TWELVE (12) MONTHS.
EXCLUSION OF DAMAGES. IN NO EVENT WILL ELBA, ITS AFFILIATES BE LIABLE FOR ANY SPECIAL, PUNITIVE, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR DAMAGES FOR LOST PROFITS, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY, OR OTHERWISE, AND REGARDLESS OF WHETHER ELBA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE.
Compliance with Laws. Licensee will comply with all laws, rules, and regulations applicable to the use of the Subscription Software and the Subscription Services including, without limitation, by not submitting any Licensee Data that is illegal, defamatory, or that infringes any third-party proprietary rights.
Entire Agreement. This Agreement contains the entire understanding of the parties with respect to its subject matter and supersedes and extinguishes all prior oral and written communications between the parties about its subject matter. Any purchase order or similar document, which may be issued by Licensee in connection with this Agreement, does not modify, supplement, or add terms to this Agreement.
No modification of this Agreement will be effective unless it is in writing, is signed by each party, and expressly provides that it amends this Agreement. This Agreement and any signed agreement or instrument entered into in connection herewith or contemplated hereby, and any amendments hereto or thereto, to the extent signed and delivered by means of digital imaging, electronic mail or a facsimile machine, shall be treated in all manner and respects as an original agreement or instrument and shall be considered to have the same binding legal effect as if it were the original signed version thereof delivered in person. This Agreement and all Order Forms may be signed in counterparts.
APPENDIX 3: DATA PROCESSING ADDENDUM
The present DPA is entered into between the Controller and the Processor and is incorporated into and governed by the terms of the Agreement.
- Definitions
Any capitalized term not defined in this DPA shall have the meaning given to it in the Agreement.
“Affiliate”
means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party;
“Agreement”
means the agreement between the Controller and the Processor for the provision of the Services;
“CCPA”
means the California Consumer Privacy Act of 2018, along with its regulations and as amended from time to time;
“Controller”
means the Licensee and its Affiliates;
“Data Protection Law”
means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states and the United Kingdom any amendments, replacements or renewals thereof, applicable to the processing of Personal Data, the EU GDPR, the UK GDPR, the UK Data Protection Act 2018, the CCPA and any applicable national implementing laws, regulations and secondary legislation relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time.
“Data Subject”
shall have the same meaning as in Data Protection Law or means a “Consumer” as that term is defined in the CCPA;
“DPA”
means this data processing agreement together with its Exhibits.
“EEA”
means the European Economic Area;
“EU GDPR”
means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, (General Data Protection Regulation);
“Personal Data”
shall have the same meaning as in Data Protection Law;
“Processor”
means ELBA, including as applicable any “Service Provider” as that term is defined by the CCPA;
“Restricted Transfer”
means:
(i) where the EU GDPR applies, a transfer of Personal Data via the Services from the EEA either directly or via onward transfer, to any country or recipient outside of the EEA not subject to an adequacy determination by the European Commission; and
(ii) where the UK GDPR applies, a transfer of Personal Data via the Services from the United Kingdom either directly or via onward transfer, to any country or recipient outside of the UK not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and
“Services”
means all services and software applications and deliverables provided to the Controller by the Processor under and as described in the Agreement;
“SCCs”
means:
(i) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries published at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN/, (“EU SCCs”); and
(ii) where the UK GDPR applies standard data protection clauses adopted pursuant to Article 46(2)(d) of the UK GDPR (“UK SCCs”); and
“Sub-Processor”
means any third party (including Processor Affiliates) engaged directly or indirectly by the Processor to process Personal Data under this DPA in the provision of the Services to the Controller;
“Supervisory Authority”
means a governmental or government chartered regulatory body having binding legal authority over a party;
“UK GDPR”
means the EU GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
- Purpose
- The Processor has agreed to provide the Services to the Controller in accordance with the terms of the Agreement. In providing the Services, the Processor shall process data provided by the Controller on behalf of the Controller. Such data may include Personal Data. The Processor will process and protect Personal Data in accordance with the terms of this DPA.
- Scope
- In providing the Services to the Controller pursuant to the terms of the Agreement, the Processor shall process Personal Data only to the extent necessary to provide the Services in accordance with the terms of the Agreement, this DPA and the Controller’s instructions documented in the Agreement and this DPA, as may be updated from time to time subject to signature of a rider.
- The Controller and Processor shall take steps to ensure that any natural person acting under the authority of the Controller or the Processor who has access to Personal Data does not process them except on the written instructions from the Controller unless he or she is required to do so by any Data Protection Law or by a Supervisory Authority.
- Processor Obligations
- The Processor may collect, process, or use Personal Data only within the scope of this DPA.
- The Processor confirms that it shall process Personal Data on behalf of the Controller in accordance with the documented instructions of the Controller.
- The Processor shall promptly inform the Controller, if in the Processor’s opinion, any of the instructions regarding the processing of Personal Data provided by the Controller, breach Data Protection Law.
- The Processor shall ensure that all employees, agents, officers and contractors involved in the handling of Personal Data: (i) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential; (ii) have received appropriate training on their responsibilities as a data processor; and (iii) are bound by the terms of this DPA.
- The Processor shall implement appropriate technical and organizational procedures to protect Personal Data, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
- The Controller acknowledges and agrees that, while providing the Services to the Controller, it may be necessary for the Processor to access the Personal Data to respond to any technical problems or Controller queries and to ensure the proper working of the Services. All such access by the Processor will be limited to those purposes.
- The Processor may not: (i) sell Personal Data; (ii) retain, use, or disclose Personal Data for commercial purposes other than providing the Services under the terms of the Agreement; or (iii) retain, use, or disclose Personal Data outside of the Agreement.
- Controller Obligations
- The Controller represents and warrants that: (i) it shall comply with this DPA and its obligations under Data Protection Law; (ii) it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA; and (iii) all Affiliates of the Controller who use the Services shall comply with the obligations of the Controller set out in this DPA.
- The Controller shall implement appropriate technical and organizational measures to protect Personal Data, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
- The Controller acknowledges and agrees that some instructions from the Controller, including the Processor assisting with audits, inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. In such case the Processor shall notify the Controller of its fees for providing such assistance in advance and the Processor shall be entitled to charge the Controller for its reasonable costs and expenses in providing any such assistance.
- Sub-Processors
- The Controller acknowledges and agrees that the Processor may engage Sub-Processors in connection with the provision of the Services.
- All Sub-Processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor set out in this DPA.
- The Controller authorizes the Processor to use the Sub-Processors included in the list of Sub-processors to process the Personal Data. During the term of this DPA, the Processor shall provide the Controller with 30 days prior notification, via email, of any changes to the list of Sub-Processors before authorizing any new or replacement Sub-Processor to process Personal Data in connection with provision of the Services.
- The Controller may object to the use of a new or replacement of a contractually allowed Sub-Processor, by notifying the Processor promptly in writing within fifteen (15) days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-Processor, the Supplier must give a good reason for that change and to show to the Controller by providing suitable evidence, e.g. a documented information security assessment, within (15) days after receipt of the Controller’s objection, that the change would not affect compliance with applicable Data Protection Law. The Controller may terminate the Agreement with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub-Processor or the Agreement in its entirety if the service will not fulfil the Processor’s obligations under the Agreement without the services of the replacement Sub-Processor.
- All Sub-Processors who process Personal Data shall comply with the obligations of the Processor set out in this DPA. The Processor shall prior to the relevant Sub-Processor carrying out any processing activities in respect of the Personal Data: (i) appoint each Sub-Processor under a written contract containing materially the same obligations to those of the Processor in this DPA enforceable by the Processor; and (ii) ensure each such Sub-Processor complies with all such obligations.
- The Controller agrees that the Processor and its Sub-Processors may make Restricted Transfers of Personal Data for the purpose of providing the Services to the Controller in accordance with the Agreement. The Processor confirms that such Sub-Processors: (i) are located in a third country or territory recognised by the EU Commission or a Supervisory Authority, as applicable, to have an adequate level of protection; or (ii) have entered into the applicable SCCs with the Processor; or (iii) have other legally recognised appropriate safeguards in place.
- Restricted Transfers
- The parties agree that, when the transfer of Personal Data occurs between the Controller and the Processor or from the Processor to a Sub-Processor which is a Restricted Transfer, it shall be subject to the applicable SCCs.
- In the event that any provision of this DPA contradicts directly or indirectly any SCCs, the provisions of the applicable SCCs shall prevail over the terms of the DPA.
- Data Subject Access Requests
- The Controller may require correction, deletion, blocking and/or making available the Personal Data during the term of the Agreement. The Controller acknowledges and agrees that the Processor will process the request to the extent it is lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible.
- In the event that the Processor receives a request from a Data Subject in relation to Personal Data, the Processor will refer the Data Subject to the Controller unless otherwise prohibited by law. The Controller shall reimburse the Processor for all costs incurred resulting from providing reasonable assistance in dealing with a Data Subject request. If the Processor is legally required to respond to the Data Subject, the Controller will fully cooperate with the Processor as applicable.
- Audit
- The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance of the Services performed under the Agreement with its processing obligations and allow for and contribute to audits and inspections.
- Any audit conducted under this DPA shall consist of examination of the most recent reports, certificates and/or extracts prepared by an independent auditor bound by confidentiality provisions similar to those set out in the Agreement. In the event that provision of the same is not deemed sufficient in the reasonable opinion of the Controller, the Controller may conduct a more extensive audit which will be: (i) at the Controller’s expense; (ii) limited in scope to matters specific to the Controller and agreed in advance; (iii) carried out during the Processor’s usual business hours and upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen; and (iv) conducted in a way which does not interfere with the Processor’s day-to-day business (v) limited to one (1) audit per calendar year, except for the audits carried out on the instructions of a Supervisory Authority.
- This clause shall not modify or limit the rights of audit of the Controller, instead it is intended to clarify the procedures in respect of any audit undertaken pursuant thereto.
- Personal Data Breach
- The Processor shall notify the Controller without undue delay after becoming aware of (and in any event within 72 hours of discovering) any accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to any Personal Data (“Personal Data Breach”).
- The Processor shall take all commercially and technically reasonable measures to secure the Personal Data, to limit the effects of any Personal Data Breach, and to assist the Controller in meeting the Controller’s obligations under applicable law.
- Compliance, Cooperation and Response
- The Processor will notify the Controller promptly of any request or complaint regarding the processing of Personal Data, which adversely impacts the Controller, unless such notification is not permitted under Applicable law or a relevant court or Supervisory Authority order.
- The Processor may make copies of and/or retain Personal Data in compliance with any legal or regulatory requirement including, but not limited to, retention requirements.
- The Processor shall reasonably assist the Controller in meeting the Controller’s obligation to carry out data protection impact assessments (DPIAs), taking into account the nature of the processing and the information available to the Processor and upon request of the Controller provide copies of the Processor’s data transfer impact assessments (DTIAs) and subject to reasonable additional costs.
- The Controller and the Processor and, where applicable, their representatives, shall cooperate, on request, with a Supervisory Authority in the performance of their respective obligations under this DPA and Data Protection Law.
- Liability
- The limitations on liability set out in the Agreement apply to all claims made pursuant to any breach of the terms of this DPA.
- The parties agree that the Controller shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Affiliates as if such acts, omissions or negligence had been committed by the Controller itself.
- The Controller shall not be entitled to recover more than once in respect of the same loss.
- The general liability limitations provided in the Agreement shall remain in force.
- Term and Termination
- The Processor will only process Personal Data for the term of the DPA. The term of this DPA shall coincide with the commencement of the Agreement and this DPA shall terminate automatically together with termination or expiry of the Agreement.
- Deletion and Return of Personal Data
- The Processor shall at the choice of the Controller, upon receipt of a written request received within 30 days of the end of the provision of the Services, delete and/or return Personal Data to the Controller. The Processor shall in any event delete all copies of Personal Data in its systems within 90 days of the effective date of termination of the Agreement unless applicable law or regulations require storage of the Personal Data after termination for a longer period.
- General
- This DPA sets out the entire understanding of the parties with regards to the subject matter herein.
- Should a provision of this DPA be invalid or become invalid then the legal effect of the other provisions shall be unaffected. A valid provision is deemed to have been agreed which comes closest to what the parties intended commercially and shall replace the invalid provision. The same shall apply to any omissions.