Exhibit 1

OpenMethods

Terms of Service

 

These Terms of Service (this “Agreement”) is a binding contract and governs the use of and access to the Services by You (the “Subscriber” identified on the Zendesk SOW to which this Agreement is attached), agents and end-user in connection with a Subscription to the Services.

Upon execution of the Zendesk SOW to which this Agreement is attached, You agree to be bound by this Agreement as of the date of such access or use of the Service (the “Effective Date”). If You are entering into this Agreement on behalf of a company, organization or another legal entity (an “Entity”), You are agreeing to this Agreement for that Entity and representing to OpenMethods that You have the authority to bind such Entity and its Affiliates to this Agreement, in which case the terms “Subscriber,” “You,” “Your” or “Customer” herein refers to such Entity and its Affiliates. If You do not have such authority, or if You do not agree with this Agreement, You must not use or authorize any use of the Services.  Subscriber and OpenMethods shall each be referred to as a “Party” and collectively referred to as the “Parties” for purposes of this Agreement.

In the event of any inconsistency or conflict between the terms of this Agreement and the terms of any Zendesk SOW, the terms of the Zendesk SOW shall control.

OpenMethods and You agree as follows:

SERVICES.

1.  Use of the Services.  OpenMethods grants Customer a right to access the Services.

1.1.       Subscription. Upon OpenMethods acceptance of a Zendesk SOW and subject to the terms of this Agreement, OpenMethods grants Customer a non-exclusive, non-assignable, royalty-free, worldwide limited Subscription to use the Services solely for the business operations of Customer.  OpenMethods will provide this Services through the web from its cloud-based software-as-a-service (“SaaS”) environment or from the cloud-based SaaS environment of its authorized third-party partners (“Partners”).

1.2. This Agreement contemplates one or more Zendesk SOWs for the Services, and each Zendesk SOW will describe the Services ordered and associated fees in more detail.

1.3. Subscriptions expire at the end of the applicable Order Term (defined below) set forth in the Zendesk SOW, unless renewed.

1.4. Customer’s employees, agents, and contractors (each an “Authorized End User”) and Customer’s end users (each an “End User”) may use the Services.  Each Authorized End User must be registered with a unique username and password; no two Authorized End Users may register or use the Services as the same registered Authorized End User, nor may Authorized End Users share the same username and password. Customer is responsible for each Authorized End User’s and End User’s compliance with the Agreement.

1.5. Customer may order Services for use by its Affiliates and in such case, the Subscription granted to Customer under this Agreement will apply to such Affiliates, provided that only Customer will have the right to enforce this Agreement against OpenMethods.  Customer shall remain responsible for all obligations under this Agreement and for its Affiliates’ compliance with this Agreement and any applicable Zendesk SOW(s).

1.6. OpenMethods reserves all rights not expressly granted in this Agreement.  No rights will be granted or implied by waiver or estoppel.

1.7.  Services Support Obligations.

Support. OpenMethods will, at no additional charge, provide Subscriber standard customer support for the Services as detailed on the applicable Site and Documentation. If purchased by Subscriber, OpenMethods will provide upgraded support or support that includes service level agreements.

1.8. OpenMethods represents and warrants that the Services will achieve a monthly availability percentage of at least 99.9% in any calendar month (i.e. max forty-three (43) minutes downtime per month) during the Order Term. Planned maintenance/downtime shall be limited to under four (4) hours in a given month and OpenMethods will provide at least seven (7) day advanced written (email acceptable) notice to Customer of such unavailability.

1.9. OpenMethods will provide Customer with at least six (6) months advance notice of any feature end of life or deprecation.

 

2.  Customer Responsibilities. 

2.1. Login Management.  Absent a written Subscription from OpenMethods expressly stating otherwise, You agree and acknowledge that You may not use the Services, including but not limited to the API, to circumvent the requirement for an individual Agent Login for each individual who (a) leverages the Services to interact with End-Users; (b) use data related to interactions with End-Users in the Services; or (c) use data related to interactions originating from a Non-OpenMethods Service that provides functionality similar to functionality provided by the Services and which would, pursuant to this Agreement, require an individual Agent Login, if utilizing the Services for such interaction. Further, Customer shall not use the API or any Services in such a way to circumvent applicable Service Plan restrictions or Agent licensing restrictions that are enforced in the Service user interface. OpenMethods reserves the right to charge You, and You hereby agree to pay, for any use overages of the Service in violation of the Zendesk SOW.

2.2. Compliance As between You and OpenMethods, You are responsible for compliance with the provisions of this Agreement by Agents and End-Users and for any and all activities that occur under Your Account, which OpenMethods may verify from time to time. Without limiting the foregoing, You will ensure that Your use of the Services is compliant with all applicable laws and regulations as well as any and all privacy notices, agreements or other obligations You may maintain or enter into with Agents or End-Users.

2.3. Content and Conduct  In Your use of the Services You agree not to (a) modify, adapt, or hack the Services or otherwise attempt to gain unauthorized access to the Services or related systems or networks; (b) attempt to bypass or break any security or rate limiting mechanism of any of the Services or use the Services in any manner that interferes with or disrupts the integrity, security or performance of the Services and its components; (c) attempt to decipher, decompile, reverse engineer or otherwise discover the source code of any software making up the Services; or (d) to the extent You are subject to the US Health Insurance Portability and Accountability Act of 1996, and its implementing regulations (HIPAA), use the Services to store or transmit any “protected health information” as defined by HIPAA, unless expressly agreed to otherwise in writing by OpenMethods.

2.4. System Requirements A high-speed Internet connection is required for proper use of the Services. You are responsible for procuring and maintaining the network connections that connect Your network to the Services including, but not limited to, browser software that supports protocols used by OpenMethods and set forth in the Documentation, including the Transport Layer Security (TLS) protocol or other protocols accepted by OpenMethods, and to follow procedures for accessing services that support such protocols.  OpenMethods is not responsible for notifying You, Agents or End-Users of any upgrades, fixes or enhancements to any such software or for any compromise of data, including Service Data, transmitted across computer networks or telecommunications facilities (including but not limited to the Internet) which are not owned, operated or controlled by OpenMethods. OpenMethods assumes no responsibility for the reliability or performance of any connections as described in this Section.

2.5. Internal Business Purposes Only Unless otherwise authorized by OpenMethods in this Agreement or expressly agreed to otherwise in writing by OpenMethods, You may not use the Services in any manner where You act as a service bureau or to provide any outsourced business process services on behalf of more than one (1) third party (other than Affiliates) through a single Account. This provision is not intended to prevent or restrict the use of the Services to provide business support to multiple End-Users; however, You agree not to license, sublicense, sell, outsource, rent, lease, transfer, assign, distribute, time-share or otherwise commercially exploit or resell the Services to any third party, other than authorized Agents and End-Users in furtherance of Your internal business purposes as expressly permitted by this Agreement. Without limiting the foregoing, Your right to access and use the OpenMethods API is also subject to the restrictions and policies implemented by OpenMethods from time to time with respect to API as set forth in the Documentation or otherwise communicated to You in accordance with this Agreement.

2.6. No Competitive Access You may not (i) reverse engineer the Services, (ii) remove or modify any proprietary marking or restrictive legends in the Services, or (iii) access the Services to build a competitive product or service, or copy any feature, function, UI or graphics of the Services. You may not access the Services if You are a competitor of OpenMethods.

3.  Customer Data and Privacy.

3.1. Customer must provide all data (“Customer Data”) for use of the Services, and OpenMethods is not obliged to modify or add to the Customer Data.  Customer is solely responsible for the lawfulness of the Customer Data.  OpenMethods will not store or archive any Customer Data from the Services, therefore it is the responsibility of the Customer to store and archive its Customer Data.

3.2. The Customer Data belongs to Customer, and OpenMethods makes no claim to any right of ownership in it.

3.3. Sub-processors. OpenMethods will utilize sub-processors who will have access to or process Customer Data to assist in providing the Services to You. You hereby confirm and provide general authorization for OpenMethods’ use of the Sub-processors listed within our Sub-processor Policy at: https://www.openmethods.com/privacy. OpenMethods shall be responsible for the acts and omissions of members of OpenMethods personnel and sub-processors to the same extent that we would be responsible if OpenMethods was performing the services of each OpenMethods personnel or sub-processor directly under the terms of this Agreement. You may sign up to receive notifications of any changes to our Sub-processor Policy within the policy webpage.

3.4. Third-Party Service Providers. OpenMethods may use third-party service providers that are utilized by OpenMethods to assist in providing the Services to You, but do not have access to Service Data. Any third-party service providers utilized by OpenMethods will be subject to confidentiality obligations which are substantially similar to the confidentiality terms herein.

3.5. Safeguards. OpenMethods will maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Services in accordance with our privacy policy at: https://www.openmethods.com/privacy and the information security requirements set forth in Exhibit A, attached hereto.

3.6. Agent Contact Information. OpenMethods shall be a Data Processor of Agent Contact Information, and shall Process such Agent Contact Information in accordance with Our Privacy Notice at: https://www.openmethods.com/privacy. You are responsible for informing Your Agents of their rights set forth in Our Privacy Notice. You represent and warrant that You have obtained all relevant consents, permissions and rights and provided all relevant notices necessary under Applicable Data Protection Laws for OpenMethods to lawfully Process Agent Contact Information.

3.7. Data Processing Agreement. The Data Processing Agreement set forth in Exhibit B, attached hereto, and/or any other OpenMethods provided privacy terms located at: https://www.OpenMethods.com/privacy shall be incorporated by reference herein into this Agreement.

4.  Services Warranties.  OpenMethods warrants that: (i) the Services will function substantially as described in the Documentation; and (ii) OpenMethods owns or otherwise has the right to provide the Services to Customer under this Agreement.  The remedies set out in this Section 4 are Customer’s exclusive remedies for breach of either warranty.

4.1. If the Services do not function substantially in accordance with the Documentation, OpenMethods must, at its option, either (i) modify the Services to conform to its Documentation; or (ii) provide a workaround solution that will reasonably meet Customer’s requirements.  If neither of these options is commercially feasible, either party may terminate the relevant Zendesk SOW under this Agreement.

4.2. If the normal operation, possession or use of the Services by Customer is found to infringe any third party U.S. intellectual property right or OpenMethods believes that this is likely, OpenMethods must, at its option, either (i) obtain a license or Subscription from such third party for the benefit of Customer; (ii) modify the Services so that it no longer infringes; or (iii) if neither of these options is commercially feasible, terminate the relevant Zendesk SOW under this Agreement.

4.3. However, OpenMethods has no warranty obligations for:

4.3.1. the extent that Services have been modified by Customer or any third party;

4.3.2. problems in the Services caused by any third party software or hardware, by accidental damage or by other matters beyond OpenMethods’ reasonable control.

4.4. On a regular basis, OpenMethods will run internal and external network vulnerability scans.  Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.

 

PROFESSIONAL SERVICES.

5.  Professional Services. 

5.1 SOW.  The deliverables, fees, personnel, scope, and other terms of each Professional Services engagement will be set forth in the Zendesk SOW.  Professional Service engagements are billed at time and materials or fixed fee in accordance with the Zendesk SOW.

5.2 Warranties. OpenMethods warrants that (i) the Professional Services will substantially conform to the SOW; and (ii) the Professional Services will be performed with reasonable skill, care and diligence. The remedies set out in this Section 5 are Customer’s exclusive remedies for breach of either warranty.

5.2.1 If the Professional Services do not conform to the SOW or are not performed with reasonable skill, care and diligence, OpenMethods shall re-perform the Professional Services to the extent necessary to correct the defective performance.

5.3 Customer’s Responsibilities.  Customer must provide OpenMethods with all information, access, and full good faith cooperation reasonably necessary to enable OpenMethods to deliver the Professional Services and must do anything that is identified in the SOW as Customer’s responsibility.  If Customer fails to do this, OpenMethods will be relieved of its obligations to the extent that the obligations are dependent upon Customer’s performance.

 

INTELLECTUAL PROPERTY OWNERSHIP.

6.  Intellectual Property Ownership.  OpenMethods solely owns, or has licensed the rights to, all intellectual property rights in the Services and anything delivered as part of Professional Services. OpenMethods owns all rights to any feedback, improvements, enhancements, or modifications to the Services.

GENERAL

7.  Payments. 

7.1 Invoices. Zendesk shall process billing of fees for Customer’s purchase of OpenMethods Services under this Agreement. Customer must pay the fees listed in the relevant Zendesk SOW, and all billing information will be set forth on the Zendesk SOW. 

8.  Term, Termination and Suspension.

8.1 This Agreement continues for the duration of the Zendesk SOW, until terminated by a party, as described below (“Term”).  The term for each order (“Order Term”) will be set forth in the Zendesk SOW. Upon the end date of the Order Term, Customer’s rights to access or use the Services shall terminate.

8.2 Either party may terminate this Agreement immediately if Customer breaches any material term of this Agreement and the breach is not cured within 30 days of written notice. 

8.3 Sections 2, 6, 7, 8, 9, 10, 11, 12, and 15.3 continue after this Agreement ends.

8.4 If OpenMethods terminates this Agreement because of non-payment by Customer, all unpaid fees for the remainder of the Order Term are immediately due for payment.

9.  Warranty Disclaimer.  EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE SERVICES AND PROFESSIONAL SERVICES ARE PROVIDED WITH NO OTHER WARRANTIES OF ANY KIND, AND OPENMETHODS DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OPENMETHODS DOES NOT WARRANT THAT THE USE OF THE SERVICES OR PROFESSIONAL SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE.

10. Limitation of Liability.  NEITHER PARTY SHALL BE LIABLE UNDER THIS AGREEMENT TO THE OTHER PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, LOST OR CORRUPTED DATA, LOST PROFITS, LOST BUSINESS OR LOST OPPORTUNITY), OR ANY OTHER SIMILAR DAMAGES UNDER ANY THEORY OF LIABILITY (WHETHER IN CONTRACT, TORT, STRICT LIABILITY OR ANY OTHER THEORY), EVEN IF THE OTHER PARTY HAS BEEN INFORMED OF THIS POSSIBILITY. EACH PARTY’S TOTAL AGGREGATE LIABILITY FOR ANY DIRECT LOSS, COST, CLAIM OR DAMAGES OF ANY KIND RELATED TO THE RELEVANT ZENDESK SOW SHALL NOT EXCEED THE AMOUNT OF THE FEES PAID OR PAYABLE BY CUSTOMER UNDER SUCH RELEVANT ZENDESK SOW DURING THE TWELVE (12) MONTHS BEFORE THE EVENT GIVING RISE TO SUCH LOSS, COST, CLAIM OR DAMAGES.  HOWEVER, THERE IS NO LIMITATION OF LIABILITY FOR CUSTOMER’S INFRINGEMENT OF COMPANY’S INTELLECTUAL PROPERTY RIGHTS, FOR AMOUNTS OWED BY CUSTOMER TO OPENMETHODS UNDER THIS AGREEMENT, OR IN CONNECTION WITH A PARTY’S INDEMNIFICATION OBLIGATIONS.  THIS LIMITATION ON LIABILITY WAS AND IS AN EXPRESS PART OF THE BARGAIN BETWEEN COMPANY AND CUSTOMER AND WAS A CONTROLLING FACTOR IN THE SETTING OF THE FEES PAYABLE TO OPENMETHODS.

 

11. Confidentiality.

11.1 This Agreement and the Services, Documentation, and Work Product contain valuable trade secrets that are the sole property of OpenMethods, and Customer agrees to use reasonable care to prevent other parties from learning of these trade secrets.  Customer must take reasonable care to prevent unauthorized access to or duplication of the Services, Documentation, and Work Product, but in no event less care than Customer uses to protect its own confidential information and trade secrets.

11.2 The Customer Data and other materials marked as “Confidential” by Customer or which should reasonably be recognized as confidential information, and disclosed to OpenMethods may include valuable trade secrets that are the sole property of Customer.  OpenMethods must take reasonable care to prevent other parties from learning of these trade secrets, but in no event less care than OpenMethods uses to protect its own confidential information and trade secrets.

11.3 Sections 12.1 and 12.2 do not apply to any information that (i) is now, or subsequently becomes, through no act or failure to act on the part of receiving party (the “Receiver”), generally known or available; (ii) is known by the Receiver at the time of receiving such information, as evidenced by the Receiver’s records; (iii) is subsequently provided to the Receiver by a third party, as a matter of right and without restriction on disclosure; or (iv) is required to be disclosed by law, provided that the party to whom the information belongs is given prior written notice of any such proposed disclosure.

11.4 Upon termination for any reason, upon request by the disclosing party, the receiving party will promptly return all Confidential Information of the disclosing party, provided however neither party shall be obligated to return Confidential Information received by the disclosing party that is stored in receiving party’s routine back-up system and in such case receiving party’s confidentiality obligations with respect to such Confidential Information shall survive indefinitely.

 

12. Indemnification by OpenMethods. 

12.1 OpenMethods must indemnify and hold harmless Customer, its affiliates, and its and their directors, officers, and employees from any damages finally awarded or agreed to in settlement against Customer (including, without limitation, reasonable costs and legal fees incurred by Customer) arising out of any third party suit, third party claim or other third party legal action alleging that the use of the Services, Documentation or Work Product by Customer infringes any copyright, trade secret or United States patent, (“Legal Action”).  OpenMethods must also assume the defense of the Legal Action.

12.2 However, OpenMethods shall have no indemnification obligations for any Legal Action arising out of:  (i) a combination of the Services, or Work Product with software or products not supplied by OpenMethods; (ii) any repair, adjustment, modification or alteration to the Services by Customer or any third party; or (iii) any refusal by Customer to install and use a non-infringing version of the Services, or Work Product offered by OpenMethods.  Section 4.2(ii) and this Section 12 state the entire liability of OpenMethods with respect to any intellectual property infringement by the Services or Work Product.

12.3 Customer must give written notice to OpenMethods of any Legal Action no later than 30 days after first receiving notice of a Legal Action, and must give copies to OpenMethods of all communications, notices and/or other actions relating to the Legal Action.  Customer must give OpenMethods the sole control of the defense of any Legal Action, must act in accordance with the reasonable instructions of OpenMethods and must give OpenMethods such assistance as OpenMethods reasonably requests to defend or settle such claim. OpenMethods must conduct its defense at all times in a manner that is not adverse to Customer’s interests. Customer may employ its own counsel to assist it with respect to any such claim.  Customer must bear all costs of engaging its own counsel, unless engagement of counsel is necessary because of a conflict of interest with OpenMethods or its counsel, or because OpenMethods fails to assume control of the defense.  Customer must not settle or compromise any Legal Action without OpenMethods express written consent. OpenMethods shall be relieved of its indemnification obligation under Section 12 if Customer materially fails to comply with Section 12.2.

 

13. Indemnification by Customer. 

13.1 Customer must indemnify and hold harmless OpenMethods, its affiliates, and its and their directors, officers, and employees from any damages finally awarded or agreed to in settlement against OpenMethods (including, without limitation, reasonable costs and legal fees incurred by Customer) arising out of any third party suit, third party claim or other third party legal action (including but not limited to any governmental investigations, complaints and actions) in connection with the Customer’s use of the Services or Work Product (collectively the “Legal Claim”).  Customer must also assume the defense of the Legal Claim.

13.2 OpenMethods must give written notice to Customer of any Legal Claim no later than 30 days after first receiving notice of a Legal Claim, and must give copies to Customer of all communications, notices and/or other actions relating to the Legal Claim.  OpenMethods must give Customer the sole control of the defense of any Legal Claim, must act in accordance with the reasonable instructions of Customer and must give Customer such assistance as Customer reasonably requests to defend or settle such claim. Customer must conduct its defense at all times in a manner that is not adverse to OpenMethods interests. OpenMethods may employ its own counsel to assist it with respect to any such claim.  OpenMethods must bear all costs of engaging its own counsel, unless engagement of counsel is necessary because of a conflict of interest with Customer or its counsel, or because Customer fails to assume control of the defense.  OpenMethods must not settle or compromise any Legal Claim without Customer’s express written consent. Customer shall be relieved of its indemnification obligation under Section 13 if OpenMethods materially fails to comply with Section 13.2.

 

14. Publicity.  OpenMethods may list Customer as a customer and use Customer’s logo on OpenMethods website, on publicly available customer lists, and in media releases.

 

15. Miscellaneous.

15.1 This Agreement together with the Zendesk SOW represent the entire agreement of the parties, and supersede any prior or current understandings, whether written or oral. 

15.2 This Agreement may not be changed or any part waived except in writing by the parties.

15.3 This Agreement will be governed by the laws of California. The parties consent to the exercise of exclusive jurisdiction by the state or federal courts in the State of California for any claim relating to this Agreement.

15.4 Customer must not assign or otherwise transfer any of its rights or obligations under this Agreement without the prior written consent of OpenMethods.  OpenMethods may not withhold such consent in the case of an assignment by Customer of its rights and obligations to an entity that has acquired all, or substantially all of Customer’s assets, or to an assignment that is part of a genuine corporate restructure.  Any assignment in breach of this Section is void.

15.5 Any notice given pursuant to this Agreement shall be in writing and shall be given by personal service or by United States certified mail, return receipt requested, postage prepaid or by recognized overnight courier to the address appearing in the beginning of this Agreement or as changed through written notice to the other party. 

15.6 Customer must not export or re-export, directly or indirectly, any Services, Documentation, Work Product, or confidential information to any countries outside the United States except as permitted under the U.S. Commerce Department’s Export Administration Regulations.

15.7 The Services, Work Product, and Documentation provided to the U.S. Government are "Commercial Items", as that term is defined at 48 C.F.R. 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation", within the meaning of 48 C.F.R. 12.212 or 48 C.F.R.227.7202, as applicable. Consistent with 48 C.F.R. 12.212 or 48 C.F.R. 227.7202-1 through 227.7202-4, as applicable, the Commercial Computer Software and Commercial Computer Software Documentation are being licensed to U.S. Government end users (a) only as Commercial Items and (b) with only those rights as are granted to all other end users pursuant to the terms and conditions herein, as provided in FAR 12.212, and DFARS 227.7202-1(a), 227.7202-3(a), 227.7202-4, as applicable.

15.8 OpenMethods shall, at its own expense, procure and maintain in full force and effect during the term of this Agreement, policies of insurance, of the types and in the minimum amounts as follows, with responsible insurance carriers duly qualified in those states (locations) where the Services are to be performed, covering the operations of OpenMethods, pursuant to this Agreement: commercial general liability ($2,000,000 per occurrence, $5,000,000 aggregate); professional liability ($1,000,000 per occurrence, $2,000,000 aggregate); workers’ compensation (statutory limits) and employers’ liability ($500,000 per accident); errors and omission liability (and, cyber liability coverage ($2,000,000 aggregate).  Such policies shall require that Customer be given no less than thirty (30) calendar days prior written notice of any cancellation thereof or material change therein.  OpenMethods shall provide Customer upon request with certificates of insurance evidencing all of the above coverage.

 

DEFINITIONS.

16. Glossary.

“Customer Data” means agent usernames and agent extensions stored in the Services database.

“Documentation” means user documentation provided by OpenMethods for use with the Services, as periodically updated.

“Services” means the hosted software whose functionality is described in the Zendesk SOW and in Documentation, any modifications to the hosted software made by OpenMethods, and any feedback, improvements, or enhancements made or suggested for the hosted software, but does not include the Professional Services.

“Professional Services” means the training, consulting, development, and other professional services identified on a SOW, but do not include the Services.

“Zendesk” means Zendesk, Inc., a Delaware corporation, and any of its applicable affiliates, which will serve as the billing agent for Subscriber’s subscription(s) to the OpenMethods Service ordered by Subscriber from OpenMethods under this Agreement pursuant to a Zendesk SOW executed between Customer and Zendesk.

“Zendesk SOW” means the statement of work or similar ordering document issued by Zendesk to Subscriber that sets forth, without limitation, Customer’s Subscription plan, Subscription fees, billing, and Subscription term under this Agreement.

 

Exhibit A

OpenMethods Information Security Measures

 

1. Information Security Measures

OpenMethods warrants and represents that it shall use commercially reasonable efforts to implement and maintain the security measures detailed below to keep all content, materials, data (including personal data) and non-public information provided or made available by Subscriber (collectively, “Data”) secure and protect Data against unauthorized or unlawful processing, accidental loss, destruction or damage, as further set forth below. In doing so, OpenMethods will act in good faith and diligence, using reasonable care and skill.

 

2. Definitions

“Process” means any operation in relation to Data irrespective of the purposes and means applied, including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.

“Breach” means any (a) unauthorized Processing of Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by OpenMethods regarding Processing Data or otherwise put in place to comply with these requirements. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.

“Incident” means any impairment to the security of Data including any (i) act that violates any law or any OpenMethods security policy, (ii) unplanned service disruption that prevents the normal operation of the Services, or (iii) Breach.

3. Measures: Technical and organizational measures for the storage, handling, and disposal of and Data.
   • OpenMethods will utilize industry standard encryption algorithms and key strengths to encrypt the following:
   • Encrypt all Data that is in electronic form while in transit over all public wired networks (i.e. Internet) and all wireless networks.
   • Encrypt all Data while in storage. “In Storage” means information stored in databases, in file systems, and on various forms of online and offline media (Mobile devices, laptops, DASD, tape, etc.) and is also commonly referred to as “at rest.”
   • Except where prohibited by law, OpenMethods will promptly remove Data upon (a) completion of Services; or (b) request by Subscriber (or Zendesk, where applicable) to be removed from OpenMethods’s environment, and destroy it within a reasonable timeframe, but in no case longer than twenty-one (21) days after the date of request or cessation of services. OpenMethods will provide Subscriber (and Zendesk, where applicable) with a written certification regarding such removal, destruction, and/or cleaning within thirty (30) days of such occurrence.

4. Measures: Malicious Code Protection.
   • All workstations and servers (virtual or physical) will run the current version of industry standard anti-virus and/or anti-malware software with the most recent updates available on any workstation or server. Virus definitions must be updated promptly upon release by the anti-virus software provider. OpenMethods will configure equipment and have supporting policies to prohibit users from disabling antivirus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Data or OpenMethods’s computing environment.
   • OpenMethods will scan incoming and outgoing content for malicious code on all gateways to public networks including email and proxy servers.
   • OpenMethods will quarantine or remove files that have been identified as infected and will log the event.

5. Measures: Technical and organizational measures for access control, especially to control the legitimacy of authorized entrants to the facilities and systems where Data may be accessed:
   • OpenMethods ensures measures are taken to secure the premises (for example, securing entries and exits) as well as measures within its building through the use of the following procedures:
   • security and encryption of all personal computers or other mobile devices that may access Data;
   • limited access to employees and contractors except for authorized visitors;
   • identification of the persons having access authority;
   • restriction on keys;
   • visitors books (including timekeeping); and
   • security alarm system or other appropriate security measures.
   • OpenMethods will revoke access to physical locations, systems, and applications that contain or process Data within twenty-four (24) hours of the cessation of such authorized agent’s need to access the system(s) or application(s).

6. Measures: Technical (password / password protection) and organizational (user master record) measures concerning user identification and authentication:

OpenMethods shall inform Subscriber upon its reasonable request which authorized persons are entrusted with access to Data.

User control shall include the following measures:

• restricted VPN profile;
• implementation of 2-factor authentication

Access control to Data shall include the following measures:

• effective and measured disciplinary action against individuals who access data without authorization.

7. Measures: Technical and organizational measures concerning the security of networks (including wireless networks) utilized by OpenMethods.

All network controls shall include the following measures:

• On a regular basis, OpenMethods will run internal and external network vulnerability scans. Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.
• OpenMethods will deploy reasonably appropriate firewall technology in operation of its networks.
• At a minimum, OpenMethods will review firewall rule sets quarterly to ensure that legacy rules are removed and active rules are configured correctly.
• OpenMethods will deploy intrusion detection or prevention systems in order to monitor networks for inappropriate activity.
• OpenMethods shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year.

Wireless network controls shall include the following additional measures:

• Network access to wireless networks should be restricted only to those authorized.
• Access points shall be segmented from an internal, wired LAN using a gateway device.
• The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value.
• Encryption of all wireless connections will be enabled using industry standard encryption algorithms. Encryption protocols will be based on “Wireless Protected Access” (WPA2) or stronger.

8. Measures: OpenMethods will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. If an Incident occurs, OpenMethods will (i) promptly take all necessary steps to prevent any further compromise of Data or any future Incidents; (ii) notify Subscriber within twenty-four (24) hours of the Incident being identified and provide a written report within three (3) days thereafter; and (iii) respond promptly to any reasonable request from Subscriber for detailed information pertaining to the Incident. OpenMethods notice and report will contain a description of the nature of the Incident, its impact, and any investigative, corrective, or remedial actions taken or planned.

9. Measures: Business Continuity & Disaster Recovery. OpenMethods has provided Subscriber commercially reasonable and industry standard business continuity plan to maintain availability of the Service (the “Continuity Plan”). The Continuity Plan does and shall include, but is not limited to, elements such as (a) crisis management, plan and team activation, event & communication process documentation; (b) event management, business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, and system(s) details, recovery activities, and identification of the people / teams required for such recovery. OpenMethods shall maintain such Continuity Plan throughout the term of all subscriptions; provided that OpenMethods shall have the right to modify or amend the Continuity Plan provided such modification or amendment does not have a material adverse effect on OpenMethods ability to maintain availability of the Service.

At Subscriber’s request OpenMethods shall make commercially reasonable modifications to its information security program or to the procedures and practices thereunder to conform to Subscriber’s baseline security requirements as outlined in all applicable exhibits to the Agreement and as they exist from time to time. Subscriber shall provide OpenMethods with documentation of such baselines, which shall be part of Subscriber’s confidential information under this Agreement. OpenMethods shall develop a written information security plan for Subscriber containing, at a minimum, the topics called for in this agreement.

 

Exhibit B

OpenMethods Data Processing Addendum

 

This Data Processing Addendum (“DPA”) is entered into between OpenMethods, Inc. (“OpenMethods” or “data importer”) and the entity identified as the Subscriber on the Zendesk SOW (“Customer” or “data exporter”) and is appended to the OpenMethods Terms of Service (the “Agreement”). The parties agree that this DPA shall be incorporated into and form part of the Agreement and subject to the provisions therein, including limitations of liability.

This DPA sets forth the terms and conditions under which OpenMethods may receive and process Customer Personal Data from Customer and incorporates the Standard Contractual Clauses. If Customer makes any deletions or revisions to this DPA, those deletions or revisions are hereby rejected and invalid, unless agreed by OpenMethods. Customer’s signatory represents and warrants that he or she has the authority to bind the Customer to this DPA. This DPA will terminate automatically upon termination of the Agreement, or as earlier terminated pursuant to the terms of this DPA.

Data Processing Terms

1. Definitions

“Applicable Privacy Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, EU/UK Data Protection Law.

“Customer Personal Data” means any Customer Content that is Personal Data and protected by Applicable Privacy Law(s).

“EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Data Protection Act (“Swiss DPA”), and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) (iii) or (iv); in each case as may be amended or superseded from time to time;

“OpenMethods Subsidiary” “OpenMethods Subsidiary” means any entity that is directly or indirectly controlled by, controlling or under common control with OpenMethods.

“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject based to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for Personal Data by the Federal Data Protection and Information Commission or Federal Council (as applicable).

“Standard Contractual Clauses” means: (i) where the EU GDPR or the Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (specifically, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses) (“UK SCCs”), as applicable in accordance with Section 8 (Data Transfers).

“Security Incident” means any unauthorized or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Customer Personal Data. A “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Subprocessor” means any third party (including any OpenMethods Subsidiary) engaged by OpenMethods to process any Customer Personal Data (excluding OpenMethods employees or contractors).

The terms “Controller”, “data subject”, “Personal Data”, “Processor,” and “processing,” have the meanings given to them in Applicable Privacy Law(s). If and to the extent that Applicable Privacy Law(s) do not define such terms, then the definitions given in EU/UK Data Protection Law will apply.

2. Role and Scope of Processing

2.1 The parties acknowledge that with regard to the processing of Customer Personal Data, Customer shall be the Controller and OpenMethods shall process Customer Personal Data as a Processor on behalf of Customer.

2.2 OpenMethods will process Customer Personal Data only in accordance with Customer’s documented instructions and will not process Customer Personal Data for its own purposes, except as set out in this DPA or where required by applicable law(s). The Agreement, including this DPA, along with Customer’s configuration of any settings or options in the Services (as Customer may be able to modify from time to time), constitute Customer’s complete and final instructions to OpenMethods regarding the Processing of Customer Personal Data, including for purposes of the Standard Contractual Clauses. Additional instructions outside the scope of such Processing instructions (if any) require prior written agreement between the parties.

2.3 Each party shall comply with its obligations under Applicable Privacy Law(s) in respect of any Customer Personal Data it Processes under or in connection with the Services or this DPA. Without prejudice to the foregoing, Customer is responsible for determining whether the Services are appropriate for the storage and processing of Customer Personal Data under Applicable Privacy Law(s) and for the accuracy, quality and legality of the Customer Personal Data and the means by which it acquired Customer Personal Data. Customer further agrees that it has provided notice and obtained all consents, permissions and rights necessary for OpenMethods and its Sub-processors to lawfully process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA).

2.4 OpenMethods shall promptly notify Customer if it makes a determination that Customer’s instructions infringe Applicable Privacy Law(s) (but without obligation to actively monitor Customer’s compliance with Applicable Privacy Law(s)) and in such event, OpenMethods shall not be obligated to undertake such Processing until such time as the Customer has updated its processing instructions and OpenMethods has determined that the incidence of non-compliance has been resolved.

2.5 Details of Data Processing:

(a) Subject matter: The subject matter of the data processing under this DPA is the Customer Personal Data.

(b) Duration: As between Customer and OpenMethods, the duration of the processing is the term of the Agreement plus any period after the termination or expiry of the Agreement during which OpenMethods will process Customer Personal Data in accordance with the Agreement.

(c) Purpose: OpenMethods will process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.

(d) Nature of the processing: The provision of the Services as described in the Agreement and initiated by the Customer from time to time.

(e) Types of Customer Personal Data. Customer Personal Data uploaded to the Services under Customer’s OpenMethods account.

(f) Categories of data subjects: The data subjects could include Customer’s employees, consultants, agents and third parties authorized to use the Services as “Users” under Customer’s OpenMethods account and any other data subjects whose personal data is submitted to OpenMethods by Customer through the Services.

3. Subprocessing

3.1 Customer grants OpenMethods a general authorization to subcontract the processing of Customer Personal Data to a Subprocessor, including those Subprocessors listed at https://OpenMethods.com/static/legal/OpenMethods-Current-Subprocessors-List.pdf (or such other successor URL) (“Subprocessor List“).

3.2 If OpenMethods engages a new or replacement Subproccessor, OpenMethods will:

(a) update the Subprocessor List;

(b) impose substantially the same data protection terms on any Subprocessor it engages as contained in this DPA (including data transfer provisions, where applicable); and

(c) remain liable to Customer for any breach of this DPA caused by an act, error or omission of such Subprocessor.

3.3 If Customer elects to be notified in writing 10 days prior to OpenMethods engaging a new or replacement Subproccessor, Customer must subscribe to such notifications via the customer notification portal;

3.4 Customer may object to OpenMethods’ appointment of any new or replacement Subprocessor promptly in writing within thirty (30) days after receipt of notice in accordance with (3.2 (a)) and on reasonable grounds related to Subprocessor’s ability to comply with Applicable Privacy Law(s). In such case, the parties shall discuss Customer ́s concerns in good faith with a view to achieving a commercially reasonable resolution. If the parties cannot reach such resolution, OpenMethods shall have the right, at its sole discretion, to either not appoint the disputed Subprocessor, or permit Customer to suspend or terminate the applicable Order and/or the Agreement. These procedures are Customer’s exclusive remedy and OpenMethods’ entire liability for resolving Customer’s objections to OpenMethods’ appointment of Subprocessor’s under this DPA.

4. Cooperation

4.1 OpenMethods shall reasonably cooperate with Customer to enable Customer to respond to any requests, complaints or other communications from data subjects and regulatory or judicial bodies relating to the processing of Customer Personal Data, including requests from data subjects seeking to exercise their rights under Applicable Privacy Law(s). In the event that any such request, complaint or communication is made directly to OpenMethods, OpenMethods shall, once it has identified the request is from or related to a data subject for whom the Customer is responsible, pass this onto Customer and shall not respond to such communication without Customer’s express authorization (unless required to do so in order to comply with applicable law(s)).

4.2 To the extent OpenMethods is required under Applicable Privacy Law(s), OpenMethods will assist Customer to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to data subjects.

4.3 Taking into account the nature of the processing, Customer agrees that it is unlikely that OpenMethods would become aware that Customer Personal Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if OpenMethods becomes aware that Customer Personal Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will inform Customer without undue delay. OpenMethods will reasonably cooperate with Customer to erase or rectify inaccurate or outdated Customer Personal Data transferred under the Standard Contractual Clauses.

5. Data Access & Security Measures

5.1 OpenMethods will ensure that any personnel tasked with the processing of Customer Personal Data are subject to an appropriate duty of confidentiality (whether a contractual or statutory duty) and that they process Customer Personal Data only for the purpose of delivering the Services.

5.2 OpenMethods will implement and maintain reasonable and appropriate technical and organizational security measures with the aim of protecting Customer Personal Data from Security Incidents in accordance with the measures listed in Schedule 2 (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that OpenMethods may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish overall security of the Services.

6. Security Incidents

In the event of a Security Incident, OpenMethods shall inform Customer without undue delay and will provide written details of the Security Incident to Customer, including the type of data affected and the identity of affected person(s), once such information becomes known or available to OpenMethods. OpenMethods shall, to the extent possible, provide timely information and cooperation to Customer to allow Customer to fulfil its data breach reporting obligations under Applicable Privacy Law(s) and shall take reasonable steps to remedy or mitigate the effects of the Security Incident. The obligations herein shall not apply to Security Incidents that are caused by the Customer or its users.

7. Security Reports & Inspections

7.1 Upon request, OpenMethods shall provide copies of any certifications, audit report summaries and/or other relevant documentation it holds, where reasonably required by Customer to verify OpenMethods’ compliance with this DPA.

7.2 While it is the parties’ intention ordinarily to rely on OpenMethods’ obligations set forth in Section 7.1 to verify OpenMethods’ compliance with this DPA, following a confirmed Security Incident or where a data protection authority requires it, Customer may provide OpenMethods with thirty (30) days’ prior written notice requesting that a third-party conduct an audit of OpenMethods’ operations and facilities (“Audit”); provided that (i) any Audit shall be conducted at Customer’s expense; (ii) the parties shall mutually agree upon the scope, timing and duration of the Audit; (iii) the Audit shall not unreasonably impact OpenMethods’ regular operations.

7.3 Any written responses or Audit described in this Section 7 shall be subject to the confidentiality provisions of the Agreement. The parties agree that the audits described in Clause 8.9 of EU SCCs shall be carried out in accordance with this Section 7 (Security Reports & Instructions).

8. Data Transfers

8.1 Customer Personal Data that OpenMethods processes under the Agreement may be processed in any country in which OpenMethods, its OpenMethods Subsidiaries and Sub-processors maintain facilities to perform the Services, as further detailed in the Subprocessor List. OpenMethods shall not process or transfer Customer Personal Data (nor permit such data to be processed or transferred) outside of EEA, Switzerland or UK, unless it first takes such measures as are necessary to ensure the transfer is in compliance with this EU/UK Data Protection Law.

8.2 The parties agree that, when the transfer of Customer Personal Data from Customer to OpenMethods is a Restricted Transfer, it shall be governed by

(a) for transfers of Customer Personal Data subject to GDPR or the Swiss DPA, the EU SCCs, which the parties hereby enter into and incorporate into this DPA, or

(b) for transfers of Customer Personal Data subject to UK GDPR, the UK SCCs, which the parties hereby enter into and incorporate into this DPA.

8.3 For the purposes of the Standard Contractual Clauses, the relevant annexes, appendices or tables shall be deemed populated with the relevant information set out in Annex I. In the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

8.4 If OpenMethods adopts an alternative lawful data export mechanism for the transfer of personal data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with EU/UK Data Protection Law and extends to the territories to which the relevant Customer Personal Data is transferred).

9. Deletion & Return

9.1 Upon Customer’s request, or upon termination or expiry of this DPA, OpenMethods shall destroy or return to Customer all Customer Personal Data in its possession in accordance with OpenMethods’ then-current data deletion timelines and policies, which may be requested by Customer at any time. This requirement shall not apply to the extent that OpenMethods is required by any applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data archived on back-up systems, which data OpenMethods shall isolate and protect from any further processing except to the extent required by such law. The parties agree that the certification of deletion of Personal Data described in Clause 8.5 and 16.(d) of EU SCCs shall be provided by OpenMethods to Customer only upon Customer’s written request.

10. California Consumer Privacy Act (CCPA)

10.1 To the extent that Customer has users of the Services who are residents of the state of California in the United States and the CCPA applies, the terms set forth in this Section 10 shall apply to this DPA.

10.2 The following amendments shall be made to the definitions set forth in Section 1 of this DPA:

(a) “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq..

(b) “Business” has the meaning given to it in the CCPA.

(c) “Service Provider” has the meaning given to in the CCPA.

10.3 For purposes of Customer Personal Data constituting “personal information” under the CCPA, Customer is a Business and OpenMethods is a Service Provider. Customer’s transfer of Customer Personal Data to OpenMethods is not a sale, and OpenMethods provides no monetary or other valuable consideration to Customer in exchange for Personal Data.

10.4 OpenMethods agrees to comply with all applicable requirements of the CCPA, and if and to the extent agreed between Customer and OpenMethods in writing as set forth in this DPA.

10.5 As applicable to the Services, OpenMethods shall reasonably assist Customer in responding (at Customer’s expense) to any request from a data subject (including “verifiable consumer requests”, as such term is defined in the CCPA), relating to the processing of Customer Personal Data under the Agreement.

11. General

11.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between any provision in this DPA and any provision in the Agreement, this DPA controls and takes precedence. With effect from the effective date, this DPA is part of, and incorporated into the Agreement.

11.2 In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority.

11.3 Any claim or remedy Customer may have against OpenMethods, its employees, agents and Subprocessors, arising under or in connection with this DPA (including the Standard Contractual Clauses), whether in contract, tort (including negligence) or under any other theory of liability, shall to the maximum extent permitted by law be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a party means the aggregate liability of that party under and in connection with the Agreement and this DPA together.

11.4 This DPA may not be modified except by a subsequent written instrument signed by both parties.

11.5 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Privacy Law(s) or the Standard Contractual Clauses.

11.6 If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.

 

ANNEX I

A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

Data exporter(s):

Name: The entity identified as the “Customer” in this DPA.

Address: The address for the Customer associated with its OpenMethods account or otherwise specified in the DPA or the Agreement.

Contact person’s name, position and contact details: The contact details associated with the Customer’s account, or otherwise specified in this DPA or the Agreement.

Activities relevant to the data transferred under these Clauses: The activities specified in Annex 1(B) below.

Role (controller/processor): Controller

Data importer(s):

Name: OpenMethods, Inc. (“OpenMethods”)

Address: 1100 Main St., Suite 400, Kansas City, MO 64105

Contact person’s name, position and contact details: Shannon Lekas, privacy@OpenMethods.com (Data & Compliance)

Activities relevant to the data transferred under these Clauses: The activities specified in Annex 1(B) below.

Role (controller/processor): Processor

 

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

Categories of data subjects whose personal data is transferred: Customer employees, consultants, agents and authorized third parties to use the Services as “users” under Customer’s OpenMethods account and any other data subjects whose personal data is submitted to OpenMethods by Customer through the Services.

Categories of data subjects whose personal data is transferred: Name, email address and any other personal data submitted by Customer through the Services, including as Customer Content

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None; not permitted under the OpenMethods prohibited use policy.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Customer Personal Data may be transferred on a continuous or one-off basis depending on the Customer’s use of the Services and the Customer’s processing instructions.

Purpose(s) of the data transfer and further processing: For OpenMethods to provide, maintain and improve the Services provided to data exporter pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: OpenMethods will retain Customer Personal Data for up to 180 days after termination or expiry of the Agreement. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.

Duration: The term of the Agreement plus any period after the termination or expiry of the Agreement during which OpenMethods will process Customer Personal Data in accordance with the Agreement.

Subject matter: The subject matter of the data processing under this DPA is the Customer Personal Data.

Nature of the processing: The provision of the Services as described in the Agreement and initiated by the Customer from time to time.

C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

Identify the competent supervisory authority/ies in accordance with Clause 13: The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

MODULE TWO: Transfer controller to processor

OpenMethods uses the following technical and organizational measures to protect personal information:

• Measures of pseudonymization and encryption of personal data
• Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
• Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
• Measures for user identification and authorization Measures for the protection of data during transmission
• Measures for the protection of data during storage
• Measures for ensuring physical security of locations at which personal data are processed
• Measures for ensuring events logging
• Measures for ensuring system configuration, including default configuration
• Measures for internal IT and IT security governance and management
• Measures for certification/assurance of processes and products
• Measures for ensuring data minimization
• Measures for ensuring data quality
• Measures for ensuring limited data retention
• Measures for ensuring accountability
• Measures for allowing data portability and ensuring erasure

The technical and organizational measures that the data importer will impose on sub-processors are described in the DPA

ANNEX III

Standard Contractual Clauses

A) Subject to Section 8.2 of this DPA, where the transfer of Customer Personal Data to OpenMethods is a Restricted Transfer and GDPR or the Swiss DPA require that appropriate safeguards are put in place, the transfer shall be governed by the EU SCCs as follows:

i. (i) Module Two (Transfer Controller to Processor) will apply;

ii. (ii) in Clause 7 (Docking Clause), the optional docking clause will apply;

iii. (iii) in Clause 9 (Use of Subprocessors), Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 3.2 of this DPA;

iv. (iv) in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;

v. (v) in Clause 17 (Governing Law), Option 1 will apply, and the EU SCCs will be governed by Dutch law;

vi. (vi) in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Amsterdam, the Netherlands; and

B) where the transfer of Customer Personal Data to OpenMethods is a Restricted Transfer and UK GDPR requires that appropriate safeguards are put in place, the UK SCCs will apply in accordance with paragraph (a) above.

Exhibit 2 - OpenMethods Deliverables

EXHIBIT C 

CUSTOMER PROJECT NAME

STATEMENT OF WORK (SOW)

SOW NUMBER: 08102024-000

VERSION: 1.0

INTRODUCTION

OpenMethods is pleased to provide this Statement of Work to the Subscriber identified on the Zendesk Statement of Work, or similar agreement, to which this Statement of Work is attached (the “Client”) as a description of, and agreement to, the services to be provided to enable the Experience Cloud solution for use in Client’s environment as defined in this Statement of Work and/or the associated OpenMethods Sales Order if applicable. 

This Statement of Work is entered into under, and incorporating by this reference, the OpenMethods Terms of Service, and all Exhibits, Schedules, Addenda, attachments, Statements of Work (including, without limitation, this Statement of Work) and Amendments thereto (“Agreement”).  Any capitalized terms used in this Statement of Work which are not otherwise defined herein are as defined in the Agreement.

SUMMARY

This Statement of Work (SOW) outlines the requirements, scope and activities to configure Experience Cloud for use in Client’s environment. As part of this project OpenMethods will:

• Provision licensed solution.
• Create, Test and Deploy Experience Designer PopFlows.
• Support Client in user acceptance testing and go-live activities.
• Deliver solution-related training.

Environment Overview

Definitions

The following terms are used to describe OpenMethods’ solutions or their several primary components:

1. Experience Cloud – the primary, web-based portal used to administer the OpenMethods solution and its various components.
2. Experience Designer – a user interface within Experience Cloud that allows administrators to design, test and publish PopFlows that orchestrate agent activities, associated to an interaction, in the CRM.

Activities

The provisioning of the OpenMethods solution will be limited to the objectives listed below. It is the responsibility of the identified owner of each objective to complete each step (further outlined in Appendix A). 

• Provision (OpenMethods): OpenMethods will provision Experience Cloud to support Client’s environment and business requirements as defined in this Statement of Work.
• Resource and Role Assignment (OpenMethods): OpenMethods will work with Client on the basic onboarding and configuration requirements of the OpenMethods solution and provide information related to those requirements.
• Prepare (Client): Client will configure and provide access (user account) to their environment when necessary to satisfy the requirements of this statement of work. This includes installing the Experience Cloud application – which is available to you immediately in the ZenDesk App Marketplace.
• Create PopFlows (OpenMethods): OpenMethods will be responsible for the creation of PopFlows as documented in the “PopFlow Design and Creation” section of this Statement of Work.
• Validation Test (OpenMethods): Once the solution is enabled and PopFlows have been created, OpenMethods will ensure the solution is functioning per specification.
• User Acceptance Test (Client): Client will conduct UAT and report any issues discovered. Reported issues will be ranked according to criticality and resolved prior to Go-Live, or post Go-Live, depending upon the criticality of the issue. Client is responsible for creating any test scripts or procedures required for their UAT process.
• Training (OpenMethods): OpenMethods will be responsible for training Client on the use, configuration, and administration of the OpenMethods solution. This training will consist of the following: 
  • PopFlow User Training – focused on teaching an agent how to properly interact with and use any associated PopFlows. As such, the session is provided as “train-the-trainer” training so that Client’s training organization can educate their agents as project timelines allow. This training session typically requires 2 hours to complete.
  • Experience Cloud Administration Training – this training is focused on the administration, care and feeding of the OpenMethods solution from a technical perspective. This training session typically requires 2 hours to complete.
  • Experience Designer Training – this training is focused on the use of the Experience Designer. It is intended for any users who will be responsible for the creation, maintenance, testing and roll-out of PopFlows. This training is typically split into multiple sessions for a total training time of <16 hours>.
• Go-Live (Client/OpenMethods): OpenMethods will assist Client with enabling the solution. OpenMethods Project Management Office (PMO) will remain engaged for 10 days post go-live in preparation for transition to Customer Care and Success.
• Care and Success (OpenMethods): OpenMethods will conduct a formal meeting to introduce appropriate Client staff to the OpenMethods Customer Care and Success teams and ensure that they are familiar with the process and requirements related to obtaining support on a go-forward basis.

PopFlow Design and Creation

Automations facilitated by the OpenMethods solution requires an agent-specific triggering event to begin automation (ex. agent clicking a button, agent answering a phone/e-mail/chat, agent entering or changing field data within CRM etc). Client will provide and configure any required triggering mechanisms, to trigger automations, per OpenMethods “OpenConnect API” documentation or as defined during project kick-off. Client will provide API (Application Programming Interface) documentation, connectivity and access required for all in-scope services or applications described in this Statement of Work. Capabilities of the OpenMethods solution may be constrained by the functionality exposed by provided third-party APIs.

The following PopFlows will be created and deployed as a part of this project. Additional use cases and/or PopFlow design, creation or implementation work will be considered out of the scope of this project and will be covered under a separate Statement of Work.

Project Constraints and Assumptions 

1. Client is responsible for all site readiness requirements and seeing that they are met according to the “OpenMethods Client Readiness” package.
2. Client is responsible for providing an available resource with Administrator-level access to the necessary CRM instances.
3. Client is responsible for providing “Test” accounts to be used for performing validation testing. Any credentials must be provided through secure methods (e.g., Zoom Chat, Slack with Deletion, E-Mail not allowed).
4. Client is responsible for providing secure connectivity to the OpenMethods services. 
5. Client agrees to fulfill the stakeholder roles, as defined in “Appendix A”, and understands that they are required for a successful implementation. 
6. Client acknowledges that some or all of the required solution may be delivered as custom configuration (noted herein as “Custom Services”) to meet specific requirements outlined in this Statement of Work and that:  

a.  any Custom Services created as part of this project is provided on an "as-is" basis. OpenMethods will warranty the implementation to be free from material defect for a period of 60 days, after which makes no guarantees or warranties regarding the long-term functionality, compatibility, or performance of said Services Asset. 

b.  although designed using published APIs and Interfaces into integrated services, the Custom Services may require modifications or updates to remain compatible with future updates or changes to the software provided by OpenMethods, or to integrated third party APIs or services. OpenMethods will not be responsible for supporting or maintaining custom configuration that becomes outdated or incompatible due to such updates. OpenMethods shall provide ongoing support to Customer for the deliverables on a best endeavors basis only and shall not be obliged to remedy any deficiencies reported to them after the expiration of the Warranty Period. Any requests for modifications, updates, or support for outdated custom configuration will be subject to a separate Statement of Work and may incur additional charges.     

7. de will be subject to a separate Statement of Work and may incur additional charges.

Professional Services Fees

The Professional Service fees quoted in this Statement of Work are valid for 90 days from initial SOW delivery to Client and are due within 30 days of execution of this Statement of Work. This Onboarding Service Pack expires 6 months from the Subscription Start Date.

Client authorizes OpenMethods to deliver Professional Services, and to invoice Client through Zendesk, for those Professional Services, as established in this Statement of Work. This OpenMethods Statement of Work shall become effective as of the date that Client and Zendesk execute the Zendesk SOW (or similar ordering document) to which this OpenMethods Statement of Work is attached.

 

APPENDIX A – STAKEHOLDER REQUIREMENTS 

 

Exhibit 1 

MASTER SERVICES AGREEMENT 

In consideration of the mutual promises, agreements and contracts herein, the parties agree that the business relationship shall be governed by the following:

1. The object of this contract is the provision of services by the company BCR TELECOMUNICAÇÕES LTDA ("Contractor") in SOFTWARE AS A SERVICE PLATFORM FOR CX, in the parameters and modality chosen and present in the Contract Specification Term. 
2. The following products and services are offered by the Contractor, jointly or separately, as contracted: 

• • Conciex Talk: CCaaS solution, with reports, admin panel and a user-friendly agent interface, focused to improve experiences and reduce costs and integrates with different CRMs on the market. 

• • Conciex Messaging: application that operates as a communication platform that helps users send individual or bulk messages from different channels (whatsapp, SMS, and email) through integrations with market CRMs

3. The applicable Contractor services that Client orders from Contractor under this Agreement will be set forth on the Zendesk Resell Agreement (as defined below). 
4. Zendesk, Inc., a Delaware corporation, and any of its applicable affiliates (“Zendesk”) will serve as the billing agent for Client’s subscription(s) to the Contractor services ordered by Client from Contractor under this Agreement pursuant to the Zendesk Resell Agreement. “Zendesk Resell Agreement” means the service order, agreement, or similar ordering document issued by Zendesk to Client, to which this Agreement is attached or incorporated, that sets forth, without limitation, Client’s subscription plan, subscription term, fees, and billing for the Contractor services under this Agreement. The parties agree that Zendesk is permitted to receive pricing and contractual information related to the Contractor services that Client orders under this Agreement pursuant to a Zendesk Resell Agreement as necessary for Zendesk to act as the billing agent.

1.                 The specific Terms and Conditions, signed by the parties at closing, are hereby incorporated into this Agreement by reference and shall be deemed to be incorporated into all Statements of Work. 
2.                 Both must be read, applied and understood together, however, in case of divergence between this ("MSA") and the aforementioned ("Specific Term and Conditions"), the latter will prevail. 
3.                 This term will also apply to possible amendments that may be signed between the parties.

3.1        The term of Client’s subscription to the Contractor services will be set forth on the Zendesk Resell Agreement to which this Agreement is attached. 

3.2        This Agreement may be terminated immediately in the following cases: 

3.3.1 Non-compliance or irregular compliance with the contractual clauses, by either party, provided that it is not remedied within 10 (ten) days after written notification; 

3.3.2 In the event of insolvency, bankruptcy, dissolution or request for judicial or extrajudicial reorganization, of any of the parties;

3.3.3 Occurrence of fortuitous event or force majeure, which makes it impossible or difficult to provide the service;

3.3.4 In the event of commercialization or assignment of the contracted services to third parties by the Contracting Party without the prior consent of the Contractor, non-compliance with legal provisions or use of the services in a fraudulent or illegal manner.

4.1                       Client will pay all fees for the Contractor services to Zendesk specified in the Zendesk Resell Agreement. Any modifications to the Contractor services that Client purchases from Contractor through Zendesk will be subject to a change order or amendment.

4.2                 After the Contracting Party has been notified, if the default remains for more than 15 (fifteen) days, the services will be immediately suspended, without prejudice to the payments due, and the contract may be terminated, at the discretion of the Contractor, after 30 (thirty) days of total interruption without due payment, and no type of indemnity or compensation is due, under any circumstances. 

4.3              For the initialization of any services and configurations, an amount may be charged if SETUP is stipulated in the term, and the start is conditioned to payment, which must occur, even if cancellation occurs during the procedure, as it corresponds to the time dedicated. 

5.1 The Contractor is aware that the provision of services may require the Contractor to have basic infrastructure, such as internet access and internal space, in these cases, the Contractor will not be responsible for impacts arising from services provided by third parties. 

5.2 The contract may be considered terminated by operation of law if the technical or operational unfeasibility is found at the time of installation/start of the services, without the parties being entitled to any compensation.

6.1   The Contractor will comply with the Support Responsibilities and Procedures attached as Exhibit A.

6.2 Contractor represents and warrants that the Contractor services will achieve a monthly availability percentage of at least 99.9% in any calendar month (i.e. max forty-three (43) minutes downtime per month) during the Term. Planned maintenance/downtime shall be limited to under four (4) hours in a given month and Contractor will provide at least seven (7) days’ advance written (email acceptable) notice to Client of such unavailability (“Scheduled Downtime”).

6.3 Contractor will provide Client with at least six (6) months advance notice of any feature end of life or deprecation.

7.1 The parties agree that for the purposes of providing services, the terms herein treated shall be read and interpreted in accordance with the General Data Protection Law (Law 13.709/2018).

7.2 The parties undertake, by themselves and their employees, through this contract, to comply, throughout the provision of the service, with the laws and legal determinations in force regarding the Protection of Personal Data, especially Law 13.709/2018.

7.3 The Contractor undertakes to follow the best security standards used to ensure the safety of its customers, so that all information provided by the Contractor will be protected by specialized companies and all information collected through the Platform will be stored in secure environments with restricted access.

7.4 You represent and warrant that you will only provide true, complete and up-to-date information to us. The Contractor will not be responsible for the information provided by the Contractor, including not being obliged to inspect or control the veracity of the information provided during any stage of the use of the Platform. The Contracting Party is responsible, civilly and criminally, for the veracity of the information provided.

7.5 The Contractor reserves the right to suspend or terminate the provision of services in cases where the information provided by the Contractor is false or is considered illegal by any judicial or administrative authority.

7.6 The Contractor may, at any time, if the Contractor is previously notified, immediately suspend the services provided, in the event of court orders or resulting from legislation that prohibit or prevent the provision of services.

7.7 We will only disclose the information provided by you to third parties if required to do so by a judicial authority. The Contractor will provide all information requested by the government, by public agencies or by the direct or indirect administration, if it is duly justified and compatible with the law in force, upon judicial authorization and will immediately notify the Contractor, who will adopt the legal measures it deems pertinent and appropriate.

7.8 The Contracting Party has the right to obtain, at any time, upon formal request 15 (fifteen) days in advance, information regarding its data processed by BCR.CX, or to suspend the authorization for data processing, as ensured by the General Data Protection Law (Law 13.709/2018).

7.9 The parties undertake to report, within 24 hours, any breach of security within the scope of their activities and responsibilities

7.10 Contractor will comply with the Information Security Measures attached as Exhibit B.

8.1 The Contractor declares that this contract, as well as all services provided, are in accordance with ESG criteria, respecting and implementing the best environmental, social and governance practices.

8.2 In its activities, the Contractor respects and implements measures to combat the practice of money laundering and corruption in all its forms, including extortion and bribery, respecting all applicable legislation, especially the law of "laundering" or concealment of assets, rights and values (Law 9,613/98) and the anti-corruption law (Law 12,846/2013).

8.3 The Contractor adopts and supports social commitments to combat illegal practices, discriminatory and inhumane conduct in labor relations.

8.4 The Contractor strives to provide its services in a sustainable manner and attentive to the environmental factor, mitigating environmental risks and applying environmental preservation policies in its activities, avoiding harmful practices, and complying with current Environmental Legislation, including, but not limited to, the National Environmental Policy Law (Law 6.938/1981) and the Environmental Crimes Law (Law 9.605/1998)

8.5 Observe and ensure that its agents and employees comply with the policies, norms and standards established by the other Party, when they remain on its premises, obliging, by itself, by its employees and any subcontractors, to comply with the standards relevant to safety, environment, hygiene and occupational medicine, and the work of minors.

9.1                  The parties declare, in the act of contracting, a valid and effective manifestation of agreement to this term.

9.2 The parties elect the jurisdiction of São Paulo - SP, domicile of the Contractor, to settle any issues arising from this instrument.

 

Exhibit A – Support Responsibilities and Procedures

1. Definitions

In this Exhibit A:

(a) “Level 1 Support” means the first level of support given to Client by Contractor to collect customer input, verify symptoms, and escalate, if required, to Level 2 Support.

(b) “Level 2 Support” means the second level of support given by Contractor to the Client that addresses Contractor services operational and infrastructure issues and resolutions.

(c) “Level 3 Support” means the third level of support given by Contractor that covers the resolution of application code bugs or infrastructure code.

(d) “Contractor Support Hours” for non-Critical and non-Major Business Impact issues means between 09:00 and 24:00 BRT on a business day (Monday - Friday, every week of the year). Support hours and response obligations for Critical and Major Business Impact issues are as described below.

2. Contractor Support Obligations

Contractor shall provide Client with all support in relation to issues identified by the Client and reported to Contractor. These support services will be provided by means of the Zendesk help desk ticket system.

Contractor shall respond to requests for support:

(a) with respect to Critical Business Impact issues, within thirty (30) minutes twenty-four (24) hours a day, three hundred and sixty-five (365) days a year. Contractor shall provide Client (and Zendesk, if such Critical Business Impact issues relate to Client support requests forwarded to Contractor by Zendesk) updates on Critical Business Impact issues every thirty (30) minutes until the issue is resolved. Critical Business Impact shall be defined as an issue that disrupts material functionality within the production environment in the Contractor services or compromises the security/integrity of data in the Contractor services. Critical Business Impact issues will remain so long as the disruption is ongoing, the need for resolution is acutely time-sensitive, with no reasonable workaround available;

(b) with respect to Major Business Impact issues within one (1) hour, twenty-four (24) hours a day, three hundred and sixty-five (365) days a year. Contractor shall provide Client (and Zendesk, if such Critical Business Impact issues relate to Client support requests forwarded to Contractor by Zendesk) updates on Major Business Impact issues every hour (1) until the issue is resolved. Major Business Impact shall be defined as an issue that degrades a material functionality or significantly disrupts or degrades Client’s normal business operation, is in an Client’s production environment and is highly time-sensitive, and/or a significant unplanned effort is required to work around the issue to maintain normal business operations; 

(c) for other issues and enquiries, within six (6) Contractor Support Hours;

(d) to resolve issues raised to it within a commercially reasonable timeframe; and

(e) by providing ongoing updates on unresolved issues at least once a week until the issue is successfully resolved.

 

Exhibit B – Information Security Measures

Contractor warrants and represents that it shall use commercially reasonable efforts to implement and maintain the security measures detailed below to keep all content, materials, data (including personal data) and non-public information provided or made available by the Client (collectively, “Data”) secure and protect Data against unauthorized or unlawful processing, accidental loss, destruction or damage, as further set forth below. In doing so, Contractor will act in good faith and diligence, using reasonable care and skill. 

A. Definitions:

• “Process” means any operation in relation to Data irrespective of the purposes and means applied, including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
• “Breach” means any (a) unauthorized Processing of Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by Contractor regarding Processing Data or otherwise put in place to comply with these requirements. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
• “Incident” means any impairment to the security of Data including any (i) act that violates any law or any Contractor security policy, (ii) unplanned service disruption that prevents the normal operation of the Contractor services, or (iii) Breach.

2. Measures: Technical and organizational measures for the storage, handling, and disposal of and Data.

• Contractor will utilize industry standard encryption algorithms and key strengths to encrypt the following:
• Encrypt all Data that is in electronic form while in transit over all public wired networks (i.e. Internet) and all wireless networks. 
• Encrypt all Data while in storage. “In Storage” means information stored in databases, in file systems, and on various forms of online and offline media (Mobile devices, laptops, DASD, tape, etc.) and is also commonly referred to as “at rest.”
• Except where prohibited by law, Contractor will promptly remove Data upon (a) completion of the Contractor services; or (b) request by the Client to be removed from Contractor’s environment, and destroy it within a reasonable timeframe, but in no case longer than twenty-one (21) days after the date of request or cessation of services. Contractor will provide the Client with a written certification regarding such removal, destruction, and/or cleaning within thirty (30) days of such occurrence.

3. Measures: Malicious Code Protection. 

• • All workstations and servers (virtual or physical) will run the current version of industry standard anti-virus and/or anti-malware software with the most recent updates available on any workstation or server. Virus definitions must be updated promptly upon release by the anti-virus software provider. Contractor will configure equipment and have supporting policies to prohibit users from disabling antivirus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Data or Contractor’s computing environment.
  • Contractor will scan incoming and outgoing content for malicious code on all gateways to public networks including email and proxy servers.
  • Contractor will quarantine or remove files that have been identified as infected and will log the event.

4. Measures: Technical and organizational measures for access control, especially to control the legitimacy of authorized entrants to the facilities and systems where Data may be accessed:

• • Contractor ensures measures are taken to secure the premises (for example, securing entries and exits) as well as measures within its building through the use of the following procedures:
  • security and encryption of all personal computers or other mobile devices that may access Data;
  • limited access to employees and contractors except for authorized visitors; 
  • identification of the persons having access authority;
  • restriction on keys;
  • visitors books (including timekeeping); and
  • security alarm system or other appropriate security measures.

Contractor will revoke access to physical locations, systems, and applications that contain or process Data within twenty-four (24) hours of the cessation of such authorized agent’s need to access the system(s) or application(s).

5. Measures: Technical (password / password protection) and organizational (user master record) measures concerning user identification and authentication:

Contractor shall inform the Client upon its reasonable request which authorized persons are entrusted with access to Data.

User control shall include the following measures:

• restricted VPN profile;
• implementation of 2-factor authentication

Access control to Data shall include the following measures:

• effective and measured disciplinary action against individuals who access data without authorization.

6. Measures: Technical and organizational measures concerning the security of networks (including wireless networks) utilized by Contractor.

All network controls shall include the following measures:

• On a regular basis, Contractor will run internal and external network vulnerability scans. Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.
• Contractor will deploy reasonably appropriate firewall technology in operation of its networks. 
• At a minimum, Contractor will review firewall rule sets quarterly to ensure that legacy rules are removed and active rules are configured correctly.
• Contractor will deploy intrusion detection or prevention systems in order to monitor networks for inappropriate activity.
• Contractor shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year.

Wireless network controls shall include the following additional measures:

• Network access to wireless networks should be restricted only to those authorized. 
• Access points shall be segmented from an internal, wired LAN using a gateway device.
• The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value.
• Encryption of all wireless connections will be enabled using industry standard encryption algorithms. Encryption protocols will be based on “Wireless Protected Access” (WPA2) or stronger. 

7. Measures: Contractor will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. If an Incident occurs, Contractor will (i) promptly take all necessary steps to prevent any further compromise of Data or any future Incidents; (ii) notify the Client within twenty-four (24) hours of the Incident being identified and provide a written report within three (3) days thereafter; and (iii) respond promptly to any reasonable request from the Client for detailed information pertaining to the Incident. Contractor’s notice and report will contain a description of the nature of the Incident, its impact, and any investigative, corrective, or remedial actions taken or planned.

8. Measures: Business Continuity & Disaster Recovery. Contractor will implement a commercially reasonable and industry standard business continuity plan to maintain availability of the Contractor services (the “Continuity Plan”). The Continuity Plan does and shall include, but is not limited to, elements such as (a) crisis management, plan and team activation, event & communication process documentation; (b) event management, business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, and system(s) details, recovery activities, and identification of the people / teams required for such recovery. Contractor shall maintain such Continuity Plan throughout the term of all subscriptions; provided that Contractor shall have the right to modify or amend the Continuity Plan provided such modification or amendment does not have a material adverse effect on Contractor ability to maintain availability of the Contractor services.

1. At the Client’s request, Contractor shall make commercially reasonable modifications to its information security program or to the procedures and practices thereunder to conform to the Client’s baseline security requirements as outlined in all applicable exhibits to the Agreement and as they exist from time to time. The Client shall provide Contractor with documentation of such baselines, which shall be part of the Client’s confidential information under the Agreement. Contractor shall develop a written information security plan for the Client containing, at a minimum, the topics called for in this Agreement.

Exhibit 1 

Aircall End Customer Agreement

This Aircall End Customer Agreement (“ECA”) governs the relationship between the Customer ("you" or “Customer”) and Aircall ("we" or "Aircall") in the context of the services provided under the broader contractual arrangement between Zendesk and the Customer (the “Zendesk Agreement”). 

This ECA is effective as of the date the Customer first agrees to or otherwise accepts the terms herein, or otherwise first uses or accesses the Services (the “Effective Date”). This ECA is a binding agreement between Customer and Aircall, and not with Zendesk. In the event of a conflict between the Zendesk Agreement and this ECA, with respect to the Aircall Services that are Non-Zendesk Services under the Zendesk Agreement, this ECA will prevail. 

This ECA incorporates by reference Aircall’s Terms and Conditions (“T&Cs”), available at https://legal.aircall.io/ as amended from time to time, except as expressly modified or supplemented herein. In the event of any conflict or inconsistency between the terms of the ECA and the T&Cs, the T&Cs shall control. Exhibit A set forth the applicable set of T&Cs applicable depending on Customer’s geographic location.

By using Aircall's Services, you agree to the terms set forth in this ECA and the applicable T&Cs. The ECA and the T&Cs are together referred to as the “Agreement”. 

1. Definitions

Capitalized terms used but not defined in this Agreement shall have the meanings assigned to them in the T&Cs.

2. Contractual Documents - Order of Precedence

The Agreement between the Customer and Aircall with respect to the Aircall services is comprised of the relevant Aircall T&Cs (as detailed in Exhibit A below) including any applicable Addendum to the T&Cs, this ECA, including the ECA Exhibits, the Aircall Data Processing Agreement (as defined below) and, where applicable, any Order Form or Purchase (as these terms are defined in Section 1 of the T&Cs). 

In the event of any conflict or inconsistency among the documents comprising this Agreement, the following order of precedence shall apply (from highest to lowest): (i) the Aircall Data Processing Agreement; (ii) this End Customer Agreement, solely with respect to: (a) terms related to fees, billing, and payment as handled by Zendesk as described in Section 5.1 below, (b) specific commitments expressly set forth herein, in Exhibit B and Section 11.5; (iii) the Aircall T&Cs; (iv) where applicable, any Order Forms and/or Purchase documents.

Except as explicitly described above, the Aircall T&Cs as amended from time to time shall prevail over this End Customer Agreement.

3. Scope of Services

Aircall Services may include the provision of phone numbers, inbound and outbound telephony, call management, AI functionalities, and other related features, as updated from time to time (together the “Services”). Customer acknowledges and agrees that the provision of phone services and phone numbers is a regulated activity provided directly and solely by the relevant Aircall Contracting Entity as described in Exhibit A. 

These Services are subject to the terms outlined in Aircall T&Cs, available at https://legal.aircall.io/. The terms and rules governing the access and use of the Services are governed by Sections 3 to 4 of the T&Cs. 

4. Service Levels

Service levels and uptime commitments are outlined in Exhibit C.

5. Fees and Billing

   1. Fees, Invoicing, and Payment

1. Fixed Fees (Billed by Zendesk).

Customer will pay to Zendesk all recurring subscription fees for the Services as set forth in the applicable Zendesk SOW or invoice. The terms regarding invoicing and payment for subscription fees are governed by the Zendesk Agreement.

2. Usage Fees and Additional Fees (Billed by Aircall).

For the purpose of this Section: 

1. “Additional Fees” means the charges, fees, or costs incurred by Customer from time to time in connection with the Services, other than Usage Fees, including fees for Purchases made through Aircall Dashboard (including but not limited to Additional User and Additional Numbers as defined in the T&Cs).

2. “Usage Fees” means per-minute calling charges or other consumption-based fees associated with Customer’s actual usage of the Services, as further described in Section 7 of the T&Cs. 

Unless otherwise provided for in a SOW, Aircall will directly invoice Customer for any Usage Fees and/or Additional Fees incurred under this Agreement in relation to Customer use of the Services and/or any Purchase made by Customer, as indicated by Aircall from time to time, including through the Aircall Dashboards or via separate notice. Invoicing may occur monthly in arrears or in another frequency specified by Aircall from time to time.

2. Taxes.

Applicable Fees are exclusive of taxes and surcharges required under Applicable Laws, including VAT, costs/disbursements, charges, regulatory assessments, or any other duties, levies, registration fees or taxes which shall be charged additionally. Where applicable, the invoiced amount and/or amounts charged to Customer may hence fluctuate from month to month and Customer agrees to pay any and all fees and/or taxes due.

6. Intellectual Property and License

As further described in Section 5 of the T&Cs, Customer acknowledges and agrees that Aircall or, where relevant, its Affiliates own all rights, titles and interests in and to all Intellectual Property rights in the Aircall Solution and in the Site as well as any content thereof or therein. All rights not expressly granted to Customer are reserved by Aircall and its licensors. The Services may contain open source software or code and Customer acknowledges that misuse of the Services may infringe upon Third-Party’s IP rights.

Subject to Customer’s continued and full compliance with all of the terms and conditions in this Agreement (including the relevant Aircall T&Cs), Aircall grants to Customer and its Users, as applicable, during the Term, a revocable, nontransferable (except as otherwise provided for in Section 3.2 of the T&Cs), nonexclusive, limited license and right to access and use the Site, the Number License, the User License, the Aircall Dashboard and those certain Services duly purchased or ordered by Customer under its Plan (including any duly purchased or ordered Aircall Numbers) solely for its internal business purposes and only as permitted by this Agreement.

7. Customer Obligations and Use Restrictions

   1. Compliance with Laws. Customer agrees to use the Services in compliance with all applicable laws, regulations including those governing telecommunications, privacy, and data protection.

   2. Permissible Use Policy. Customer is responsible for its and its Users’ compliance with the Permissible Use Policy (“PUP”) detailed in Section 6 of the T&Cs (accessible here: https://legal.aircall.io/). 

   3. Prohibited Activities. Customer shall not (i) use the Services for any illegal or fraudulent purpose and/or in breach of the PUP, (ii) resell the Services unless otherwise permitted by Aircall, or (iii) bypass or breach any security device or protection used in connection with the Services.

   4. Account Setup. Customer is responsible for maintaining the confidentiality of its Customer Account (as this term is defined in Section 1 of the T&Cs) - including its and any User’s credentials and for all activities that occur under the Accounts.

   5. Regulatory Cooperation. Where necessary to comply with applicable regulations, Customer shall provide any requested information or documentation to Aircall in a timely manner (e.g., proof of identity, location), and shall cooperate with any lawful governmental or regulatory inquiry related to its use of the Services.

8. Confidentiality

   1. As further detailed in Section 6 of the T&Cs, both parties agree to maintain the confidentiality of any non-public information disclosed under this Agreement.

   2. Customer must not disclose Aircall's confidential information to any third party without prior written consent, except as required by law.

9. Data Protection and Privacy

   1. Privacy. Aircall takes the privacy of its customers seriously and will use the personally identifiable information provided by Customer in accordance with:

1. 1. • The terms and conditions contained in the Data Processing Agreement https://aircall.io/dpa/ , where such information constitute Personal Data (as defined in the Data Processing Agreement) and where Aircall processes such information on behalf of the Customer; and

      • The conditions described in the Aircall Privacy Policy available at: https://aircall.io/privacy/ , where Aircall processes such information for the purposes and by the means determined jointly or independently by Aircall (as a data controller).

2. Data Processing Agreement. By entering into this Agreement, the Parties also enter into the Data Processing Agreement, which forms an inseparable part hereof.

3. Information Security. Aircall endeavors to use commercially reasonable technical and operational safeguards designed to protect Customer Data and Customer’s Confidential Information from unauthorized use or disclosure in accordance with the terms of Exhibit B. Where Customer Data constitutes Personal Data and its Processing by Aircall is subject to the Data Processing Agreement, Aircall shall protect such Personal Data by implementing technical and operational measures described in the Data Processing Agreement.

10. Warranties, Disclaimers, Indemnification, and Liability

    1. Warranties: In accordance with Section 10 of the T&Cs, Aircall will provide the services in a professional and workmanlike manner. However, Aircall does not guarantee uninterrupted or error-free operation of the Services.

    2. Disclaimers: In accordance with Section 10.3 of the T&Cs, to the fullest extent permitted by law, Aircall disclaims all implied warranties, including merchantability and fitness for a particular purpose.

    3. Indemnification: In accordance with Section 11 of the T&Cs, Customer agrees to indemnify and hold Aircall harmless from any claims, damages, or liabilities arising from your use of the services or breach of this Agreement.

    4. Liability: TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, IN NO EVENT SHALL THE CUMULATIVE LIABILITY OF AIRCALL OR ITS AFFILIATES EXCEED THE TOTAL AMOUNTS PAID OR PAYABLE BY CUSTOMER FOR THE SERVICES DURING THE TWELVE (12) MONTHS PRIOR TO THE CLAIM GIVING RISE TO SUCH DAMAGES OR ONE HUNDRED EUROS (100€) IF FOR A FREE TRIAL. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, IN NO EVENT SHALL AIRCALL OR ITS AFFILIATES BE LIABLE FOR ANY CONSEQUENTIAL, INDIRECT, INCIDENTAL, EXEMPLARY, REPUTATIONAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND SUCH AS LOSS OF DATA OR PROFIT, OR BUSINESS INTERRUPTION, LOSS OF BUSINESS OPPORTUNITY, HARM TO THE IMAGE OR REPUTATION, WHETHER IN ANY OF THE FOREGOING, ARISING UNDER CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY) OR ANY OTHER THEORY OF LIABILITY EVEN IF AIRCALL OR ITS AFFILIATES HAVE BEEN NOTIFIED ORALLY OR IN WRITING OF THE POSSIBILITY OF SUCH DAMAGES. ANY CLAIM OR CAUSE OF ACTION RESULTING FROM CUSTOMER’S ACCESS OR USE OF THE SITE AND THE SERVICES MUST BE PROVIDED OFFICIALLY IN WRITING TO AIRCALL BY REGISTERED MAIL WITH RECEIPT ACKNOWLEDGEMENT ADDRESSED TO ITS HEAD OFFICE WITHIN ONE (1) YEAR AFTER THE CLAIM OR CAUSE OF ACTION HAS ARISEN OR IT SHALL BE DEEMED WAIVED BY CUSTOMER.

11. Term, Suspension, and Termination

    1. Term. This Agreement shall commence on the Effective Date and remain in effect for as long as Customer has an active subscription term under the Zendesk Agreement or uses any portion of the Services, unless earlier terminated in accordance with this Section.

    2. Suspension. Aircall may suspend or limit Customer’s and/or Users’ access to the Services immediately if (i) Customer is in breach of its payment obligations for Usage Fees or Additional Fees, (ii) Customer and/or any User is using the Services in violation of law or these terms, or (iii) suspension is necessary to prevent material harm to the Services or other customers. In addition to any other rights and remedies herein, Aircall may suspend provision, access and/ or use of Services, in whole or in part, in the following cases, as determined by Aircall in its sole but reasonable discretion:

• • • Customer or any User is in violation of (i) the terms of the Agreement (including in case of non- payment on the due date), (ii) Applicable Laws, or (iii) any policy provided or made available to Customer in writing, including the Permissible Use Policy;

    • in the event the Customer’s or any User’s access and/or use of the Services results in a degradation of the Services or otherwise damages or is likely to damage the rights of Aircall or third parties;

Without limiting the foregoing, Aircall may suspend access to the Services, if Customer has not complied within the delay provided by Aircall in the notice sent by Aircall to Customer, Aircall may suspend access to and provision of the Services until such violation, degradation, or damage has been remedied by Customer. Suspension will not relieve Customer of its obligation to pay Fees and any costs associated with the reactivation of the Services. Aircall shall not be liable for any damages arising from any Services suspension.

3. Termination. Subject to the Terms of Section 12 of the T&Cs, either party may terminate this Agreement (a) if the other party materially breaches and fails to cure within thirty (30) days after receipt of written notice, or (b) in the event of insolvency or bankruptcy of the other party. Termination of the Zendesk Agreement may also result in the termination of this Agreement unless Aircall and Customer separately agree to continue the Services.

4. Effects of Termination. Upon termination, Customer must immediately cease using the Services, and any outstanding payment obligations (including for accrued Usage Fees and Additional Fees) shall become due and payable. Aircall will provide reasonable instructions for Customer’s retrieval of any stored data if applicable.

5. End of Life Notice. Aircall will provide the Customer with at least six (6) months advance notice of the Aircall Solution end of life or deprecation, provided that such notice period shall not apply in cases where discontinuation is required due to legal, regulatory, or judicial obligations. Notice will be provided in accordance with the terms of this Agreement. 

12. Governing Law and Dispute Resolution

    • Governing Law. This Agreement shall be governed by and construed in accordance with the laws specified in the applicable Aircall T&Cs. 

    • Venue and Jurisdiction. The courts or dispute resolution bodies indicated in Exhibit A (Applicable T&Cs) shall have exclusive jurisdiction unless otherwise provided for under local law.

    • Dispute Resolution. In the event of any dispute, claim, question or disagreement (“Dispute”) arising from or relating to the Agreement, the Parties shall use their best efforts to settle the Dispute by normal business discussions. Should the Dispute remain unresolved thirty (30) days after notice of the Dispute was provided by one Party to the other, either Party may take further legal action to resolve the Dispute.

13. Amendments

Aircall may update the T&Cs, including changes to the rates, features of the Aircall Services or the content of the offerings selected by Customer, or to any policies, upon thirty (30) days’ prior notice to Customer at the email address associated with Customer's Account. Such updates will become effective thirty (30) days after such notice to Customer. In the event that any such update affects a material part of the Agreement, Customer may, within thirty (30) days of receipt of the update, notify termination of the Agreement, or the affected Services without cost or penalty and without being entitled to any compensation. Any use of the Services after the effective date will be deemed Customer’s acceptance of the change. The updated version of the T&Cs will be deemed incorporated by reference into this Agreement as of their effective date and will govern the continued use of the Services accordingly. The current version of the T&Cs in force is available at: https://legal.aircall.io/ .

For the avoidance of doubt, it is specified that no termination may take place if the changes made are imposed by Law or regulation and/or if it does not adversely affect the substantial elements of the Services. 

14. Miscellaneous

    1. Notices. Notices required under this Agreement should be given in writing and delivered:

1. to the Customer: to the addresses specified in the relevant Order Form or by electronic mail to the designated account contact.

2. to Aircall: to the address indicated in Exhibit A below. 

2. Entire Agreement. This ECA (including the Aircall T&Cs and the Agreement Exhibits thereof) constitutes the entire agreement between the parties regarding the subject matter herein and supersedes all prior or contemporaneous agreements or understandings relating to such subject matter

By subscribing to and using Aircall’s Services, Customer acknowledges and agrees to be bound by the terms of this Agreement, including the applicable Aircall Terms and Conditions incorporated herein by reference.

Exhibit A – Applicable Terms

 

Exhibit B - Information Security Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the Customers, Aircall will use commercially reasonable efforts to implement and maintain appropriate measures substantially similar to those detailed below as appropriate to the level of risk to keep content, materials, data (including personal data) and non-public information provided or made available by the Customer (collectively, “Data”) secure and protect Data against unauthorized or unlawful processing, accidental loss, destruction or damage, as further set forth below. In doing so, Aircall will act in good faith and diligence, using reasonable care and skill in accordance with industry standards. 

A. Definitions:

• “Process” means any operation in relation to Data irrespective of the purposes and means applied, including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
• “Breach” means any (a) unauthorized Processing of Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by Aircall regarding Processing Data or otherwise put in place to comply with these requirements. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
• “Incident” means any impairment to the security of Data including any (i) act that violates any law or any Aircall security policy, (ii) unplanned service disruption that prevents the normal operation of the Services, or (iii) Breach.
• B. Measures: Technical and organizational measures for the storage, handling, and disposal of and Data.
• Aircall will utilize industry standard encryption algorithms and key strengths to encrypt the following:
• Encrypt all Data that is in electronic form while in transit over all public wired networks (i.e. Internet) and all wireless networks. 
• Encrypt all Data while in storage. “In Storage” means information stored in databases, in file systems, and on various forms of online and offline media (Mobile devices, laptops, DASD, tape, etc.) and is also commonly referred to as “at rest.”
• Except where prohibited by law, Aircall will promptly remove Data upon request by the Customer to be removed from Aircall’s environment, and destroy it within a reasonable timeframe, but in no case longer than twenty-one (21) days after the date of request. Upon Customer’s request, Aircall will provide the Customer with a written confirmation regarding such removal, destruction, and/or cleaning within thirty (30) days of such occurrence.

C. Measures: Malicious Code Protection. 

• All workstations and servers (virtual or physical) will run the current version of industry standard anti-virus and/or anti-malware software with the most recent updates available on any workstation or server. Virus definitions must be updated promptly upon release by the anti-virus software provider. Aircall will configure equipment and have supporting policies to prohibit users from disabling antivirus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Data or Aircall’s computing environment.
• Aircall will scan incoming and outgoing content for malicious code on all gateways to public networks including email and proxy servers.
• Aircall will quarantine or remove files that have been identified as infected and will log the event.
• D. Measures: Technical and organizational measures for access control, especially to control the legitimacy of authorized entrants to the facilities and systems where Data may be accessed:
• Aircall ensures measures are taken to secure the premises (for example, securing entries and exits) as well as measures within its building through the use of the following procedures:
• security and encryption of all personal computers or other mobile devices that may access Data;
• limited access to employees and contractors except for authorized visitors; 
• identification of the persons having access authority;
• restriction on keys; and security alarm system or other appropriate security measures.

Aircall will revoke access to physical locations, systems, and applications that contain or process Data with no undue delay following the cessation of such authorized agent’s need to access the system(s) or application(s).

E. Measures: Technical (password / password protection) and organizational (user master record) measures concerning user identification and authentication:

Aircall shall inform the Customer upon its reasonable request which authorized Users are entrusted with access to Data.

User control shall include the following measures:

• restricted VPN profile;
• implementation of 2-factor authentication

Access control to Data shall include the following measures:

• effective and measured disciplinary action against individuals who access data without authorization.

F. Measures: Technical and organizational measures concerning the security of networks (including wireless networks) utilized by Aircall.

All network controls shall include the following measures:

• On a regular basis, Aircall will run internal and external network vulnerability scans. Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.
• Aircall will deploy reasonably appropriate firewall technology in operation of its networks. 
• At a minimum, Aircall will review firewall rule sets on a regular basis to ensure that legacy rules are removed and active rules are configured correctly.
• Aircall will deploy intrusion detection or prevention systems in order to monitor networks for inappropriate activity.
• Aircall shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year.
• Wireless network controls shall include the following additional measures:
• Network access to wireless networks should be restricted only to those authorized. 
• Access points shall be segmented from an internal, wired LAN using a gateway device.
• The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value.
• Encryption of all wireless connections will be enabled using industry standard encryption algorithms. Encryption protocols will be based on “Wireless Protected Access” (WPA2) or stronger. 

G. Measures: Aircall will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. If an Incident occurs, Aircall will (i) promptly take all necessary steps to prevent any further compromise of Data or any future Incidents; (ii) where required under Applicable Data Protection Laws, notify the affected Customer with no undue delay following the Incident being identified and provide a written report thereafter; and (iii) respond promptly to any reasonable request from the Customer for detailed information pertaining to the Incident. Aircall’s notice and report will contain a description of the nature of the Incident, its impact, and any investigative, corrective, or remedial actions taken or planned.

H. Measures: Business Continuity & Disaster Recovery. Aircall will implement a commercially reasonable and industry standard business continuity plan to maintain availability of the Services (the “Continuity Plan”). Aircall shall maintain such Continuity Plan throughout the term of all subscriptions; provided that Aircall shall have the right to modify or amend the Continuity Plan provided such modification or amendment does not have a material adverse effect on Aircall ability to maintain availability of the Services.

 

Exhibit C

Aircall Service Level Agreement

1. Definitions 

For purposes of this Exhibit, the following terms have the meanings set forth below. All initial capitalized terms in this Schedule that are not defined in this Section or in this Schedule shall have the respective meanings given to them in the End-Customer Agreement (as defined below). 

• "Customer Cause" means any of the following causes of an incident: (a) any negligent or improper use, misapplication, misuse, or abuse of, or damage to, the Services by Customer or its Users; (b) any improvement, or other modification to or alteration of the Services by Customer or its Users; (c) any use of the Services by Customer or its Users in a manner inconsistent with the then-current Terms; (d) any use by Customer or Users of any third-party products or services that Aircall has not provided or caused to be provided to Customer; or (e) any use by Customer or Users of a non-current version or release of the Services. 
• “Downtime” means the core functionality of the Services (receiving and making telephone calls) was not available for use, as measured in continuous five (5) minute increments. The term “Downtime” shall not include any Services unavailability in connection with any Exclusion (as defined below). 
• "Error" means a failure of the Services as defined in the Service Levels table in Section 3.c below. 
• "Feature Request" means a Request to incorporate a new feature or enhance an existing feature of the Services that is currently not available. 
•  “End-Customer Agreement’” means the Aircall Customer Agreement between Aircall and Customer. 
• “Request” means a request from Customer to Aircall Support Personnel for technical support to address a question or problem regarding Aircall Services or usage. 
• "Support". Aircall will provide technical support to the Customer excluding any support Requests in connection with an Exclusion as defined in Section 4 below. For avoidance of doubt, Billing questions and enquiries and Porting requests are not considered as part of Support in the context of this Schedule. 
• “Uptime Percentage” means the general service availability calculated as the difference between 100 percent (100%) and the percentage of Downtime calculated on a calendar monthly basis for the applicable month. The term “Uptime” shall not include any Services unavailability in connection with any Exclusion (as defined below).

2. Aircall Service Levels 

a) Aircall Service Availability 

The Aircall Services’ Uptime Percentage shall be 99.95%. Planned maintenance/downtime shall be limited in accordance with the terms of the End Customer Agreement.

3. Aircall Support 

a) Conditions for Support 

• Accessing Aircall Support. Support Requests must be submitted using the Aircall Support Portal (support.aircall.io). 
• Compliance with the End Customer Agreement. Aircall will make commercially reasonable efforts to provide technical support to ensure that the performance of the Services materially complies with the End Customer Agreement. For avoidance of doubt, Aircall will not provide any technical support in case of Exclusions as defined below. 
• Characterization of Requests. Customer determines the level of severity upon the Request submission. Upon receiving a Request from the Customer, Aircall will confirm the Request’s severity level in its sole discretion and based on the definitions set forth in Section 3.c below. Aircall may update the severity and priority level’s designation of the Request as necessary. 
• Language Support. The Parties agree that all Support provided by Aircall pursuant to these guidelines can be provided in French, Spanish or German language during European
  • working hours, using commercially reasonable efforts. In case regional language speakers are not available, Support will remain available in the English language. 
• Procedures for Acknowledgement and Request Resolution. When creating a Request, Customer will provide full details of the reported issue and requested diagnostic information including, but not limited to: 
  • Aircall account name or instance name; 
  • Description of the issue, including any error messages; 
  • Description of Customer’s efforts to resolve the issue prior to contacting Aircall; 
  • User’s software version; 
  • Customer’s machine, network, and/or hardware specifications and configuration, when relevant. 

Before creating a Request, Customer shall read and use all the Aircall knowledge base and documentation to ensure alignment with the requirements, adoption of best practices, and product guidance requested by Aircall to ensure the performance of the Services. 

Customer commits to further communication via email or telephone to answer questions and to assist Aircall Support Personnel as needed and at the quickest. Customer undertakes to follow any instructions and guidelines recommended by Aircall Support Personnel to correct the Error. In case of Customer’ lack of availability that requires their participation, the Request will be considered as resolved by Aircall. 

b) Aircall Support Hours 

c) Severity Levels 

The table below describes the Severity Levels of the reported Error by the Customer. Upon submission of the Request, Aircall will investigate the Error and will make commercially reasonable efforts to respond to such Request in accordance with the table below:

4. Exclusions 

Notwithstanding any provision in this End Customer Agreement to the contrary, no SLA breach will be deemed to have occurred if such event: (a) is caused by factors outside of Aircall’s reasonable control, including, without limitation, third parties, hosting providers or carrier related problems or issues, or Internet access or related problems occurring beyond the point in the network where Aircall maintains access and control over the Aircall Services; (b) results from any act or omission of Customer or any third party; (c) results from the Customer’s application, Customer’s equipment, software or other technology or third party equipment, software or other technology (except for equipment within Aircall’s direct control); (d) occurs during Aircall’s scheduled or emergency maintenance, acts of God or Force Majeure event; and/or (e) results from Customer Cause.

 

Exhibit 1

Zuper Master Terms

These Zuper Master Terms (this “Agreement”) are made and executed between Zuper, Inc. (‘ZUPER”) with a place of business at 24754 NE, 3rd Pl, Sammamish, WA - 98074, and the subscriber listed on the Zendesk SOW to which this Agreement is attached (“Customer”). Customer and ZUPER will be individually referred to as a “Party” and collectively referred to as the “Parties.”

 

PREAMBLE

WHEREAS, ZUPER has developed a field workforce management solution (the “Zuper Platform”) to improve the efficiency and the productivity of the workforce and affirms it has the necessary experience, expertise, and staff to implement, integrate and provide support services for the Service (as defined below).

And WHEREAS, Customer is interested in implementing the Service provided by ZUPER.

And WHEREAS,  Customer and ZUPER agree that Zendesk, Inc., a Delaware corporation, and any of its applicable affiliates (“Zendesk”), will process billing for Customer’s subscription(s) to the Service ordered by Customer from ZUPER under this Agreement pursuant to a Zendesk SOW executed between Customer and Zendesk. “Zendesk SOW” means the statement of work or similar ordering document issued by Zendesk to Customer that sets forth, without limitation, Customer’s service plan, fees, billing, and subscription period to the Service under this Agreement.

NOW THEREFORE, in consideration of the representations and mutual covenants and agreements set forth herein, and for good and valuable consideration, the sufficiency of which the Parties hereby acknowledge, the Parties agree as follows:

 

PRODUCT AND SERVICES

Under the terms of this Agreement, ZUPER provides and sells subscriptions for field workforce management solution (the “Zuper Platform”) via zuper.co or any other website specified by ZUPER (the “Service”).

Subject to the timely payment of applicable fees specified under the Zendesk SOW, and subject to the terms and conditions of this Agreement, ZUPER hereby grants to Customer and any person or legal entity which is subject, directly or indirectly, to Customer’s Control a non-sublicensable, non-transferable, non-exclusive right to access and use the Service. For the purposes of this Clause, “Control” means the power to direct or cause the direction of the management, business or policies of an entity, whether through the ownership of voting securities, by contract or otherwise, or the power to elect or appoint at least one third of the directors, managers, partners or other individuals exercising similar authority with respect to such entity. 

Other than the rights expressly specified hereunder, no other rights or interest whatsoever in the Zuper Platform or the Service and/or any component thereof, are transferred or granted to Customer. Without limiting the foregoing, Customer may not: (i) use the Zuper Platform or the Service for purposes other than the purposes explicitly set forth hereunder; (ii) copy or duplicate the Zuper Platform (iii) reverse engineer or de-compile, modify or revise, attempt to access the source of the Zuper Platform or any part thereof, or create derivative works thereof; (iv) transfer in whole or in part the right to use the Service or any part thereof. 

Included Features:

 

TRAINING

Online instructor led training is included as part of the package. 

1.          Personalized instructor driven interactive sessions.

2.          Access to product documentation and How-To contents

3.          Share best practices and recommendations.

The goal of the training is to ensure the team gets ramped up and hands-on the product and understands the best practices to leverage all the capabilities in the most optimized manner. 

 

FEES

Zendesk shall processing billing of fees for Customer’s subscription to the Service ordered by Customer from ZUPER under this Agreement, as set forth on the Zendesk SOW. Invoices will be sent to, and payment will be due, in accordance with the terms of the Zendesk SOW. Any changes to the scope of Customer’s subscription to the Service under this Agreement shall be issued through a separate Zendesk SOW.

 

ROUTINE UPDATES AND REQUESTED IMPROVEMENTS

ZUPER will schedule meetings with Customer on a bimonthly basis to inform Customer of the roadmap and the updates to the Service. The price as set out herein are inclusive of any regular updates released by ZUPER and Customer shall not be entitled to additional payments for such updates. Premium capabilities are not included in the subscription pricing. ZUPER will share updates on premium capabilities on Customer and the pricing will be shared and mutually agreed independent of this Agreement. 

Customer may from time-to-time request for modifications to the Service based on evolving requirements. Independent of this Agreement, the Parties shall mutually agree on terms, such as costs and timeframe, should Customer require any major modifications to the Service. 

All future 3rd party software integrations with Zuper are included in the monthly user pricing.

 

END OF LIFE NOTICE; AVAILABILITY UPTIME

ZUPER will provide Customer with at least six (6) months advance notice of any feature end of life or deprecation.

ZUPER represents and warrants that the Service will achieve a monthly availability percentage of at least 99.9% in any calendar month (i.e. max forty-three (43) minutes downtime per month) during the Term. Planned maintenance/downtime shall be limited to under four (4) hours in a given month and ZUPER will provide at least seven (7) day advanced written (email acceptable) notice to Customer of such unavailability (“Scheduled Downtime”).

 

SUPPORT

Phone and email support are included in the package at no additional cost. In case of any issues and questions, the users of Customer can contact Zuper Support for help and assistance. The phone support specialist will provide immediate assistance with technical support by troubleshooting and debugging the issue. Email support available for both technical and nontechnical issues. Zuper shall provide Customer with the support commitments set forth in Exhibit A, attached hereto.  

 

INFORMATION SECURITY REQUIREMENTS

ZUPER shall provide and comply with the information security requirements set forth in Exhibit B, attached hereto.

 

DATA PROCESSING AGREEMENT

The Parties agree to the Data Processing Agreement set forth in Exhibit C, attached hereto.

 

TERM

This Agreement shall enter into effect upon the effective date of the applicable Zendesk SOW and remain in effect, unless terminated earlier in accordance with any terms of the Zendesk SOW, until the expiration of all applicable Zendesk SOWs (the “Term”).

 

PROPRIETARY RIGHTS

Certain portions of software available with the Zuper Platform (by way of example only - JQuery) may be subject to "open source" or "free software" licenses ("Third Party Software"). Such Third Party Software is not subject to the terms and conditions of this Agreement but is made available under the terms and conditions of the terms that accompany such Third-Party Software.

Except with respect to Third Party Software (as defined above), ZUPER owns and shall retain all rights, including all intellectual property rights, in and to the Zuper Platform and the Service, and any and all adaptations, modifications, enhancements, or improvements thereto, and in and to ZUPER’s Confidential Information. To remove any doubt, any content developed by Customer using the Service will be the property of the Customer.

 

MARKETING

 Customer hereby grant ZUPER the right to

1.          Use the name and service marks in its marketing materials or other oral, electronic, or written promotions, which shall include naming Customer as a customer of ZUPER and a brief scope of services provided. 

2.          Issue a press release related to this Agreement. 

3.          Publish a case study.

4.          Publish testimonials to the website and/or other marketing materials.

 

INDEMNIFICATION AND LIMITATION OF LIABILITY

ZUPER shall defend, indemnify and hold harmless  Customer , from and against any and all damage, cost and expenses (including reasonable attorneys' fees) finally awarded by a competent court, which incurred as a result of any claim, suit or proceeding brought against any of them based on a claim that the Zuper Platform and/or the Service infringes upon intellectual property rights; provided that  Customer  has notified ZUPER promptly in writing of such claim, and gave ZUPER the authority, information, and assistance (at Company's expense) to control and handle the claim or the defense of any such suit, proceeding or settlement. The above indemnification shall be the sole remedy to which Customer shall be entitled in connection with the foregoing. 

Except for claims of willful misconduct, gross negligence, or any breaches Confidentiality, in no event shall either party be liable to the other for any indirect, incidental, special, consequential, or punitive damages of any nature or kind whatsoever, including but not limited to lost profits, lost revenues, or loss of goodwill in connection with or arising out of this agreement, even if the other party has been advised of the possibility of such damages. In no event shall either party’s aggregate liability under this agreement exceeds the aggregate fees actually paid to ZUPER hereunder during the period preceding the respective applicable claim.

 

CONFIDENTIALITY

ZUPER and Customer agree that they are mutually bound by and shall adhere to all applicable laws and regulations governing the confidentiality of information exchanged pursuant to this agreement.

 

Internal Disclosure: Each Party shall maintain the confidentiality and sensitive nature of the Disclosing Party’s Confidential Information and shall not disclose to any third party any Confidential Information. The Receiving Party may disclose the Disclosing Party’s Confidential Information to its own personnel, and officers having a legitimate need-to-know regarding such Confidential Information for the purposes of this Agreement and who are bound by confidentiality obligations at least as restrictive as the Confidential Information terms of this Agreement, and the Receiving Party shall use Confidential Information only if and as required for the purpose of this Agreement.

Pricing Disclosure: The pricing quoted in Zendesk SOW is an exclusive Customer only pricing and cannot be shared by Customer with any other Zuper customers, partners or the press. 

Safeguarding: The Receiving Party shall take all reasonable precautions necessary and appropriate to guard the confidentiality of the Confidential Information. 

Non-Compete: Zuper will not solicit business or directly approach any Customer clients without prior approvals.

 

MATERIAL BREACH

In the event of a material breach of this Agreement, the affected Party (the “Notifying Party”) shall notify the other Party (“Notified Party”) of such a breach. If the Notified Party fails to rectify the breach within one (1) month of receipt of such notice, the Notifying Party may terminate this Agreement without providing further notice and may pursue legal action to claim any damages resulting from such breach.

 

FORCE MAJEURE

If either Party fails to fulfill its obligations hereunder, when such failure is due to an act of God, or other circumstances beyond its reasonable control, including but not limited to fire, flood, civil commotion, riot, war (declared and undeclared), revolution, or embargoes, then said failure shall be excused for the duration of such event and for such a time thereafter as is reasonable to enable the parties to resume performance under this Agreement, provided however, that in no event shall such time extend for a period of more than one hundred eighty (180) days.

 

DISPUTE RESOLUTION 

This Agreement and any disputes arising under or related to this Agreement shall be governed by and construed in accordance with the laws of the State of Washington, without reference to its conflict of law principles. Both Parties agree to submit to the personal jurisdiction for any legal proceeding and this Agreement, regardless of who initiated the proceeding. 

 

Exhibit A – Support Responsibilities and Procedures

1. Definitions

In this Exhibit A:

 

a) “Level 1 Support” means the first level of support given to Customer by ZUPER to collect customer input, verify symptoms, and escalate, if required, to Level 2 Support.

(b) “Level 2 Support” means the second level of support given by ZUPER to Customer that addresses Product operational and infrastructure issues and resolutions.

(c) “Level 3 Support” means the third level of support given by ZUPER that covers the resolution of application code bugs or infrastructure code.

(d) “Vendor Support Hours” for non-Critical and non-Major Business Impact issues means between 09:00 and 24:00 on a business day (Monday - Friday, every week of the year). Support hours and response obligations for Critical and Major Business Impact issues are as described below.    

 

2. Zuper Support Obligations

ZUPER shall provide Customer with all support in relation to issues identified by Zendesk or Customer and reported to ZUPER. These support services will be provided by means of the Zendesk help desk ticket system.

ZUPER shall respond to requests for support:

(a) with respect to Critical Business Impact issues, within thirty (30) minutes twenty-four (24) hours a day, three hundred and sixty-five (365) days a year. ZUPER shall provide Customer (and Zendesk, if such Critical Business Impact issues relate to Customer support requests forwarded to ZUPER by Zendesk) updates on Critical Business Impact issues every thirty (30) minutes until the issue is resolved. Critical Business Impact shall be defined as an issue that disrupts material functionality within the production environment in the Service or compromises the security/integrity of data in the Service. Critical Business Impact issues will remain so long as the disruption is ongoing, the need for resolution is acutely time-sensitive, with no reasonable workaround available;

(b) with respect to Major Business Impact issues within one (1) hour, twenty-four (24) hours a day, three hundred and sixty-five (365) days a year. ZUPER shall provide Customer (and Zendesk, if such Critical Business Impact issues relate to Customer support requests forwarded to ZUPER by Zendesk) updates on Major Business Impact issues every hour (1) until the issue is resolved. Major Business Impact shall be defined as an issue that degrades a material functionality or significantly disrupts or degrades Customer’s normal business operation, is in Customer’s production environment and is highly time-sensitive, and/or a significant unplanned effort is required to work around the issue to maintain normal business operations;

(c) for other issues and enquiries, within six (6) Vendor Support Hours;

(d) to resolve issues raised to it within a commercially reasonable timeframe; and

(e) by providing ongoing updates on unresolved issues at least once a week until the issue is successfully resolved.

 

Exhibit B – Information Security Requirements

ZUPER warrants and represents that it shall use commercially reasonable efforts to implement and maintain the security measures detailed below to keep all content, materials, data (including personal data) and non-public information provided or made available by the Customer (collectively, “Data”) secure and protect Data against unauthorized or unlawful processing, accidental loss, destruction or damage, as further set forth below. In doing so, Zuper will act in good faith and diligence, using reasonable care and skill.

 

1.           Definitions:

• “Process” means any operation in relation to Data irrespective of the purposes and means applied, including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
• “Breach” means any (a) unauthorized Processing of Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by ZUPER regarding Processing Data or otherwise put in place to comply with these requirements. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
• “Incident” means any impairment to the security of Data including any (i) act that violates any law or any ZUPER security policy, (ii) unplanned service disruption that prevents the normal operation of the Service, or (iii) Breach.

2.          Measures: Technical and organizational measures for the storage, handling, and disposal of and Data.

• ZUPER will utilize industry standard encryption algorithms and key strengths to encrypt the following:
• Encrypt all Data that is in electronic form while in transit over all public wired networks (i.e. Internet) and all wireless networks. 
• Encrypt all Data while in storage. “In Storage” means information stored in databases, in file systems, and on various forms of online and offline media (Mobile devices, laptops, DASD, tape, etc.) and is also commonly referred to as “at rest.”
• Except where prohibited by law, ZUPER will promptly remove Data upon (a) completion of Service; or (b) request by Customer (or Zendesk, where applicable) to be removed from ZUPER’s environment, and destroy it within a reasonable timeframe, but in no case longer than twenty-one (21) days after the date of request or cessation of services. Zuper will provide Customer (and Zendesk, where applicable) with a written certification regarding such removal, destruction, and/or cleaning within thirty (30) days of such occurrence.

3.          Measures: Malicious Code Protection.

• All workstations and servers (virtual or physical) will run the current version of industry standard anti-virus and/or anti-malware software with the most recent updates available on any workstation or server.   Virus definitions must be updated promptly upon release by the anti-virus software provider.  ZUPER will configure equipment and have supporting policies to prohibit users from disabling antivirus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Data or ZUPER’s computing environment.
• ZUPER will scan incoming and outgoing content for malicious code on all gateways to public networks including email and proxy servers.
• ZUPER will quarantine or remove files that have been identified as infected and will log the event.

4.          Measures: Technical and organizational measures for access control, especially to control the legitimacy of authorized entrants to the facilities and systems where Data may be accessed:

• ZUPER ensures measures are taken to secure the premises (for example, securing entries and exits) as well as measures within its building through the use of the following procedures:
• security and encryption of all personal computers or other mobile devices that may access Data;
• limited access to employees and contractors except for authorized visitors; 
• identification of the persons having access authority;
• restriction on keys;
• visitors books (including timekeeping); and
• security alarm system or other appropriate security measures.

ZUPER will revoke access to physical locations, systems, and applications that contain or process Data within twenty-four (24) hours of the cessation of such authorized agent’s need to access the system(s) or application(s).

5.          Measures: Technical (password / password protection) and organizational (user master record) measures concerning user identification and authentication:

ZUPER shall inform Customer upon its reasonable request which authorized persons are entrusted with access to Data.

User control shall include the following measures:

• restricted VPN profile;
• implementation of 2-factor authentication

Access control to Data shall include the following measures:

• effective and measured disciplinary action against individuals who access data without authorization.

6.          Measures: Technical and organizational measures concerning the security of networks (including wireless networks) utilized by ZUPER.

All network controls shall include the following measures:

• On a regular basis, ZUPER will run internal and external network vulnerability scans.  Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.
• ZUPER will deploy reasonably appropriate firewall technology in operation of its networks.
• At a minimum, ZUPER will review firewall rule sets quarterly to ensure that legacy rules are removed and active rules are configured correctly.
• ZUPER will deploy intrusion detection or prevention systems in order to monitor networks for inappropriate activity.
• ZUPER shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year.

Wireless network controls shall include the following additional measures:

• Network access to wireless networks should be restricted only to those authorized.
• Access points shall be segmented from an internal, wired LAN using a gateway device.
• The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value.
• Encryption of all wireless connections will be enabled using industry standard encryption algorithms. Encryption protocols will be based on “Wireless Protected Access” (WPA2) or stronger.

7.          Measures: ZUPER will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. If an Incident occurs, ZUPER will (i) promptly take all necessary steps to prevent any further compromise of Data or any future Incidents; (ii) notify Customer within twenty-four (24) hours of the Incident being identified and provide a written report within three (3) days thereafter; and (iii) respond promptly to any reasonable request from Customer for detailed information pertaining to the Incident. ZUPER’s notice and report will contain a description of the nature of the Incident, its impact, and any investigative, corrective, or remedial actions taken or planned.

8.          Measures: Business Continuity & Disaster Recovery. ZUPER has provided Customer a commercially reasonable and industry standard business continuity plan to maintain availability of the Service (the “Continuity Plan”).  The Continuity Plan does and shall include, but is not limited to, elements such as (a) crisis management, plan and team activation, event & communication process documentation; (b) event management, business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, and system(s) details, recovery activities, and identification of the people / teams required for such recovery.  ZUPER shall maintain such Continuity Plan throughout the term of all subscriptions; provided that ZUPER shall have the right to modify or amend the Continuity Plan provided such modification or amendment does not have a material adverse effect on ZUPER ability to maintain availability of the Service.

9.          At Customer’s request Zuper shall make commercially reasonable modifications to its information security program or to the procedures and practices thereunder to conform to the Customer’s baseline security requirements as outlined in all applicable exhibits to the Agreement and as they exist from time to time.  Customer shall provide ZUPER with documentation of such baselines, which shall be part of Customer’s confidential information under the Agreement.  ZUPER shall develop a written information security plan for Customer containing, at a minimum, the topics called for in this agreement.

 

Exhibit C – Zuper Data Processing Agreement

Please read the Data Processing Agreement (“DPA") carefully as they form a contract between the Customer (“Customer” or “Controller” which expression shall mean and include its successors and assigns) and Zuper (“Zuper” or “Processor” which expression shall mean and include its successors and assigns). This DPA will apply where Zuper is a processor of personal data. Processor and Controller are individually referred to as “Party” and collectively as “Parties”.

 

1.     Scope of contract and Distribution of Responsibilities

1.1    The Parties agree that, for Processing Personal Data, the Parties shall be Controller and Processor.

1.2    Processor shall Process Personal Data only on behalf of Controller and at all times only in accordance with this Data Processing Agreement, especially the respective exhibits.

1.3    Within the scope of the Zuper Master Terms (the “Agreement”), each Party shall be responsible for complying with its respective obligations as Controller and Processor under Data Protection Laws.

2.     Processing Instructions

2.1    Processor will process Personal Data in accordance with Controller's instructions. This Data Processing Agreement contains Controller's initial instructions to Processor. The Parties agree that the Controller may communicate any change in its initial instructions to the Processor by way of written notification to the Processor and that the Processor shall abide by such instructions. The Processor shall maintain a secure, complete, accurate and up to date record of all such individual instructions.

2.2   For the avoidance of doubt, any instructions that would lead to processing outside the scope of this Data Processing Agreement (e.g. because a new Processing purpose is introduced) will require a prior agreement between the Parties and, where applicable, shall be subject to the contract change procedure under the respective Agreement.

2.3   Where instructed by the Controller, the Processor shall correct, delete or block Personal Data.

2.4   Processor shall promptly inform the Controller in writing if, in Processor's opinion, an instruction infringes Data Protection Laws, and provide an explanation of the reasons for its opinion in writing.

2.5   Processor shall not be liable for any DP Losses arising from or in connection with any processing made in accordance with Controller’s instructions which are found to be non-compliant with the GDPR, following Controller’s receipt of any information provided by Processor in this Section 2.

3.     Processor Personnel

Processor will restrict its personnel from Processing Personal Data without authorization. Processor will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

4.     Disclosure to Third Parties; Data Subjects Rights

4.1    Processor will not disclose Personal Data to any third party (including any government agency, court, or law enforcement) except as set forth in this agreement or with written consent from Controller or as necessary to comply with applicable mandatory laws. If Processor is obliged to disclose Personal Data to a law enforcement agency or third party, Processor agrees to give Controller reasonable notice of the access request prior to granting such access, to allow Controller to seek a protective order or other appropriate remedies. If such notice is legally prohibited, Processor will take reasonable measures to protect the Personal Data from undue disclosure as if it were Processor’s own confidential information being requested and shall inform Controller promptly as soon as possible if and when such legal prohibition ceases to apply.

4.2   In case Controller receives any request or communication from Data Subjects which relates to the Processing of Personal Data ("Request"), Processor shall provide the Controller with full cooperation, information and assistance ("Assistance") in relation to any such Request where instructed by Controller.

4.3   Where Processor receives a Request, Processor shall (i) not directly respond to such Request, (ii) forward the request to Controller within 3 (three) business days of identifying the Request as being related to the Controller and (iii) provide Assistance according to further instructions from the Controller.

5.     Technical and Organizational Measures (“TOMs”)

5.1    Processor shall implement and maintain appropriate technical and organizational security measures to ensure that Personal Data is Processed according to this Data Processing Agreement, to provide Assistance and to protect Personal Data against a Personal Data Breach. Such measures are set out in Exhibit 2 Appendix 2.

5.2   Processor shall document the implemented TOMs and shall provide Controller with such documentation upon request including, where available, any certifications such as an ISO 27001 certification.

6.     Assistance with Data Protection Impact Assessment

6.1    Where a Data Protection Impact Assessment ("DPIA") is required under applicable Data Protection Laws for the Processing of Personal Data, Processor shall provide upon request Controller with reasonable cooperation and assistance needed to fulfill Customer’s obligation to carry out a DPIA related to Customer’s use of the Services, to the extent that Customer does not otherwise have access to the relevant information and to the extent such information is available to Zuper.

6.2   The Controller shall pay the Processor reasonable charges mutually agreed between the parties for providing the assistance in Section 7, to the extent that such assistance is not reasonably able to be accommodated within the normal provision of the Services.

7.     Information Rights and Audit

7.1    Processor shall, in accordance with Data Protection Laws, make available to Controller on request in a timely manner such information as is necessary to demonstrate compliance by the Processor with its obligations under Data Protection Laws.

7.2    Zuper has obtained third-party certifications and audits set forth on our security page. Upon Controller’s written request and subject to the confidentiality obligations set forth in the Agreement, Zuper will make available to Controller a copy of Zuper then most recent third-party audits or certifications, as applicable.

8.     Data Incident Management and Notification

In respect of Service Data incident Processor shall:

8.1    notify Controller of a Personal Data Breach involving Processor or a subcontractor without undue delay (but in no event later than 72 hours after becoming aware of the incident).

8.2   make reasonable efforts to identify the cause of such incident and take those steps as Processor deems necessary and reasonable in order to remediate the cause of the incident to the extent that it is within Zuper’s reasonable control.

8.3   provide reasonable information, cooperation and assistance to the Controller in relation to any action to be taken in response to a Personal Data Breach under Data Protection Laws, including regarding any communication of the Personal Data Breach to Data Subjects and national data protection authorities.

The obligations contained in Section 8 should not apply to Data Incidents that are caused by Customer or Customer’s users.

9.     Subprocessing

9.1    Controller consents to Processor engaging third party sub processors as listed below to process the Personal Data to fulfil its obligations under this Agreement provided that, Processor will provide at least fifteen (15) days’ either an in-product notice or a notice by email to the Account administrator prior to the appointment or replacement of any subprocessor.

 

List of Sub-Processors

 

 

Sub-Processors Contact Information

 

 

The Controller may object to Processor’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, the Processor will either not appoint or replace the subprocessor or, if this is not possible, the Controller may suspend or terminate the Service(s) (without prejudice to any fees incurred by Controller prior to such suspension or termination).

9.2   Where Processor, with Controller's consent, subcontracts its obligations and rights under this Data Processing Agreement it shall do so only by way of a binding written contract with the subcontractor which imposes essentially the same obligations according to Art. 28 GDPR especially with regard to instructions and TOMs on the subcontractor as are imposed on the Processor under this Data Processing Agreement.

9.3   Processor must ensure that he has carefully selected the subprocessor with particular regard for the suitability of the subcontractor’s TOMs. Processor has entered a written agreement with each Sub-processor containing data protection obligations not less protective than those in the Agreement with respect to the protection of Service Data to the extent applicable to the nature of the Services provided by such Sub-processor.

9.4   Where the subcontractor fails to fulfil its data protection obligations under the subcontracting agreement, Processor shall remain fully liable to Controller for the fulfilment of its obligations under this Data Processing Agreement and for the performance of the subcontractor's obligations.

10.   Term and Termination

10.1  This Data Processing Agreement becomes effective upon signature. It shall continue to be in full force and effect as long as the Processor is processing Personal Data according to Exhibit 1 and shall cease automatically thereafter.

10.2  The Controller may terminate the Data Processing Agreement as well as the Agreement for cause, at any time upon reasonable notice or without notice, as selected by Controller, if the Processor is in material breach of the terms of this Data Processing Agreement.

10.3  Where amendments are required to ensure compliance of this Data Processing Agreements or an Appendix with Data Protection Laws, the Parties shall agree on such amendments upon request of Controller and, for the avoidance of doubt, with no additional costs to Controller. Where the parties are unable to agree upon such amendments, either party may terminate the Agreement and this Data Processing Agreement with 90 days written notice to the other party.

11.    Deletion or Return of Personal Data

The Controller may export all Service Data prior to the termination of the Customer’s Account. In any event, following the termination of the Customer’s Account, (i) subject to (ii) and (iii) below and the Agreement , Service Data will be retained for a period of 14 days from such termination within which Controller may contact Processor to export Service Data; (ii) where the Controller does not use custom mailbox and uses the e-mail feature, if available within the Service(s), e-mails forming part of Service Data are automatically archived for a period of 3 months; and (iii) logs are archived for a period of thirty (30) days in the log management systems, post which logs are retired to a restricted archived cold storage for a period of eleven (11) months (each a “Data Retention Period”). Beyond each such Data Retention Period, Processor reserves the right to delete all Service Data in the normal course of operation except as necessary to comply with Processor’s legal obligations, maintain accurate financial and other records, resolve disputes, and enforce its agreements. Service Data cannot be recovered once it is deleted.

12.    Miscellaneous

12.1  In case of any conflict, the provisions of this Data Processing Agreement shall take precedence over the provisions of any other agreement with Processor.

12.2  The limitation of liability stated in the Agreement applies to the breach of the Data Processing Agreement.

12.3  No Party shall receive any remuneration for performing its obligations under this Data Processing Agreement except as explicitly set out herein or in another agreement.

12.4  Where this Data Processing Agreement requires a "written notice" such notice can also be communicated per email to the other Party. Notices shall be sent to the contact persons set out in Exhibit 1 VII.

12.5  Any supplementary agreements or amendments to this Data Processing Agreement must be made in writing and signed by both Parties.

12.6  Should individual provisions of this Data Processing Agreement become void, invalid or non-viable, this shall not affect the validity of the remaining conditions of this agreement.

13.    Definitions

“Account Administrator” shall mean the individual authorized by the Controller to receive notices from the Processor.

"Data Protection Laws" shall mean the data protection laws of the country in which Controller is established, including the GDPR, and any data protection laws applicable to the Controller in connection with the Agreement.

“DP Losses” means all liabilities, including:

a)     costs (including legal costs)

b)     claims, demands, actions, settlements, charges, procedures, expenses, losses and damages (whether material or non-material, and including for emotional distress)

c)     to the extent permitted by applicable law:

i)      administrative fines, penalties, sanctions, liabilities or other remedies imposed by a data protection authority or any other relevant Regulatory Authority

ii)     compensation to a Data Subject ordered by a data protection authority to be paid by the Processor

iii)    the costs of compliance with investigations by a data protection authority or any other relevant Regulatory Authority.

"GDPR" shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data.

"Personal Data" shall mean any information relating to an identified or identifiable natural person as defined by the General Data Protection Regulation of the European Union ("GDPR" EC-2016/679) that is Processed by Processor as part of providing the services to the Controller as described in Exhibit 1.

"Standard Contractual Clauses/EU Standard Contractual Clauses" mean the standard contractual clauses set forth in Schedule 1 for the transfer of Personal Data from a Data Controller in the European Economic Area to Processors established in third countries in the form set out in the Annex of European Commission Decision 2010/87/EU, as amended by incorporating the description of the Personal Data to be transferred and the technical and organizational measures to be implemented as set out in the Appendix.

"Controller", "Data Subject", "Personal Data Breach", "Processor" and "Process" shall have the meaning given to them in the GDPR.

 

 

Exhibit 1

Details of processing

 

Data subjects

Data Subjects are those individuals to whom personal data relates to and are Users or End-Users who interact using the Service(s).

Categories of data

Categories of data refers to the personal data of Users and End-Users, contained in electronic data, text, messages or other materials, submitted to the Service(s) by Customer through Customer’s Account in connection with Customer’s use of the Service(s).

Subject-matter and nature of the processing

The personal data processed will be subject to the basic processing activities required for the provision of the Service(s) by Zuper to the Customer that involves the processing of personal data. Personal data will be subject to those processing activities as may be specified in the Agreement and the DPA.

Purpose of the processing

Personal data will be processed for purposes of providing the Service(s) set out in a Form, as further instructed by Customer in its use of the Service(s), and otherwise agreed to in the Agreement, this DPA and any applicable Form.

Duration of processing

Personal Data will be processed for the duration of the Agreement.

 

Exhibit 2

EU Standard Contractual Clauses (processors)

 

For the purposes of Article 46.3 of Regulation (EU) 2016/679 for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

The entity identified as “Controller” in the Data Processing Agreement (the “data exporter”)

And Zuper , Inc.

24754 NE, 3 rd Way, Sammamish, WA - 98074 (the “data importer”)

each a “party”; together “the parties”,

 

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

 

Clause 1

Definitions

For the purposes of the Clauses:

(a)    'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Regulation (EU) 2016/679;

(b)   'the data exporter' means the controller who transfers the personal data;

(c)    'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Regulation (EU) 2016/679;

(d)   'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e)    'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f)    'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

 

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1.      The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2.     The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3.     The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4.     The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

 

Clause 4

Obligations of the data exporter

 

The data exporter agrees and warrants:

(a)    that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b)   that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c)    that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;

(d)   that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e)    that it will ensure compliance with the security measures;

(f)    that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Regulation (EU) 2016/679;

(g)    to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension.

(h)   to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i)     that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data imported under the Clauses; and

(j)     that it will ensure compliance with Clause 4(a) to (i).

 

Clause 5

Obligations of the data importer

 

The data importer agrees and warrants:

(a)    to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b)   that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c)    that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;

(d)   that it will promptly notify the data exporter about:

(i)     any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii)    any accidental or unauthorized access, and

(iii)   any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;

(e)    to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred.

(f)    at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g)    to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h)   that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i)     that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j)     to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

 

Clause 6

Liability

 

1.      The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2.     If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3.     If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

 

Clause 7

Mediation and jurisdiction

 

1.      The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a)    to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b)   to refer the dispute to the courts in the Member State in which the data exporter is established.

2.     The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

 

Clause 8

Cooperation with supervisory authorities

 

1.      The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2.     The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3.     The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

 

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

 

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

 

1.      The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.

2.     The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3.     The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4.     The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

 

Clause 12

Obligation after the termination of personal data processing services

 

1.      The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

 

2.     The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

 

Appendix 1 to the Standard Contractual Clauses

 

This Appendix forms part of the Clauses and must be completed and signed by the parties. By signing the signature page of the Data Processing Agreement, the parties will be deemed to have signed this Appendix 1.

Data exporter - The data exporter is the entity identified as “Controller” in the Data Processing Agreement.

Data importer - The data importer is the entity identified as “Processor” in the Data Processing Agreement.

Data subjects - Data Subjects are defined in Appendix 1 No.2 of the Data Processing Agreement.

Categories of data - Categories of data are identified in Appendix 1 No. 3 of the Data Processing Agreement.

Processing operations - The personal data transferred will be subject to the following basic processing activities identified in Appendix 1 No. 1 of the Data Processing Agreement.

 

Appendix 2 to the Standard Contractual Clauses

 

This Appendix forms part of the Clauses and must be completed and signed by the parties. By signing the signature page of the Data Processing Agreement, the parties will be deemed to have signed this Appendix 2.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Processor maintains and enforces various policies, standards and processes designed to secure personal data and other data to which Processor employees are provided access, and updates such policies, standards and processes from time to time consistent with industry standards. Following is a description of some of the technical and organizational measures implemented by Processor as of the date of signature:

1.     General Security Procedures

 

1.1    Processor shall be responsible for establishing and maintaining an information security program that is designed to: (i) protect the security and confidentiality of Personal Data; (ii) protect against anticipated threats or hazards to the security or integrity of the Personal Data; (iii) protect against unauthorized access to or use of the Personal Data; (iv) ensure the proper disposal of Personal Data, as further defined herein; and, (v) ensure that all employees and subcontractors of Processor, if any, comply with all of the foregoing. Processor shall designate an individual to be responsible for the information security program. Such individuals shall respond to Controller inquiries regarding computer security and to be responsible for notifying Controller-designated contact(s) if a breach or an incident occurs, as further described herein.

1.2    Processor shall conduct formal privacy and security awareness training for all its employees as soon as reasonably practicable after the time of hiring and/or prior to being appointed to work on Personal Data and annually recertified thereafter. Documentation of security awareness training shall be retained by Processor, confirming that this training and subsequent annual recertification process have been completed.

1.3    Controller shall have the right to review an overview of Processor’s information security program prior to the commencement of Service and annually thereafter upon Controller request.

1.4    Processor shall not transmit any unencrypted Personal Data over the internet or any unsecured network, and shall not store any Personal Data on any mobile computing device, such as a laptop computer, USB drive or portable data device, except where

there is a business necessity and then only if the mobile computing device is protected by industry-standard encryption software. Processor shall encrypt Personal Data in transit into and out of the Services over public networks using industry standard protocols.

1.5    In the event of any apparent or actual theft, unauthorized use or disclosure of any Personal Data, Processor shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof, and without undue delay and within 72 hours following confirmation of any such event, provide Controller notice thereof, and such further information and assistance as may be reasonably requested. Upon Controller request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to Controller.

2.     Network and Communications Security

2.1    All Processor connectivity to Controller computing systems and/or networks and all attempts at same shall be only through Controller’s security gateways/firewalls and only through Controller-approved security procedures.

2.2   Processor shall not access and will not permit unauthorized persons or entities to access Controller computing systems and/or networks without Controller’s express written authorization and any such actual or attempted access shall be consistent with any such authorization.

2.3   Processor shall take appropriate measures to ensure that Processor’s systems connecting to Controller’s systems and anything provided to Controller through such systems does not contain any computer code, programs, mechanisms or programming devices designed to, or that would enable, the disruption, modification, deletion,

damage, deactivation, disabling, harm or otherwise be an impediment, in any manner, to the operation of Controller’s systems.

2.4   Processor shall maintain technical and organizational measures for data protection including: (i) firewalls and threat detections systems to identify malicious connection attempts, to block spam, viruses and unauthorized intrusion; (ii) physical networking technology designed to resist attacks by malicious users or malicious code; and (iii) encrypted data in transit over public networks using industry standard protocols.

3.     Personal Data Handling Procedures

3.1    Erasure of Information and Destruction of Electronic Storage Media. All electronic storage media containing Personal Data must be wiped or degaussed for physical destruction or disposal, in a manner meeting forensic industry standards such as the NIST SP800-88 Guidelines for Media Sanitization, prior to departing Controller Work Area(s), with the exception of encrypted Personal Data residing on portable media for the express purpose of providing service to the Controller. Processor shall maintain commercially reasonable documented evidence of data erasure and destruction for infrastructure level resources.

3.2   Processor shall maintain authorization and authentication technologies and processes to ensure that only authorized persons access Personal Data, including: (i) granting access rights on the basis of the need-to-know-principle; (ii) reviewing and maintaining records of employees who have been authorized or who can grant, alter or cancel authorized access to systems; (iii) requiring personalized, individual access accounts to use passwords that meet complexity, length and duration requirements; (iv) storing passwords in a manner that makes them undecipherable if used incorrectly or recovered in isolation; (v) encrypting, logging and auditing all access sessions to systems containing Personal Data; and (vi) instructing employees on safe administration methods when computers may be unattended such as use of password protected screen savers and session time limits.

3.3   Processor shall maintain logical controls to segregate Personal Data from other data, including the data of other customers.

3.4   Processor shall maintain measures to provide for separate processing of data for different purposes including: (i) provisioning Controller within its own application-level security domain, which creates logical separation and isolation of security principles between customers; and (ii) isolating test or development environments from live or production environments.

4.     Physical Security

4.1    Processor shall ensure that at least the following physical security requirements are met:

i)      All backup and archival media containing Personal Data must be contained in secure, environmentally controlled storage areas owned, operated, or contracted for by Processor. All backup and archival media containing Personal Data must be encrypted.

ii)     Technical and organizational measures to control access to data center premises and facilities are in place and include: (i) staffed reception desks or security officers to restrict access to identified, authorized individuals; (ii) visitor screening on arrival to verify identity; (iii) all access doors, including equipment cages, secured with automatic door locking systems with access control systems that record and retain access histories; (iv) monitoring and recording of all areas using CCTV digital camera coverage, motion detecting alarm systems and detailed surveillance and audit logs; (v) intruder alarms present on all external emergency doors with one-way internal exit doors; and

(vi) segregation of shipping and receiving areas with equipment checks upon arrival.

iii)    Processor shall maintain measures to protect against accidental destruction or loss of Personal Data including: (i) fire detection and suppression, including a multi-zoned, dry-pipe, double-interlock, pre-action fire suppression system and a Very Early Smoke Detection and Alarm (VESDA); (ii) redundant on-site electricity generators with adequate supply of generator fuel and contracts with multiple fuel providers; (iii) heating, ventilation, and air conditioning (HVAC) systems that provide stable airflow, temperature and humidity, with minimum N+1 redundancy for all major equipment and N+2 redundancy for chillers and thermal energy storage; and (iv) physical systems used for the storage and transport of data utilizing fault tolerant designs with multiple levels of redundancy.

5      Security Testing

5.1    During the performance of Services under the Agreement, Processor shall engage, at its own expense and at least one time per year, a third party vendor (“Testing Company”) to perform penetration and vulnerability testing (“Security Tests”) with respect to Processor’s systems containing and/or storing Personal Data.

5.2   The objective of such Security Tests shall be to identify design and/or functionality issues in applications or infrastructure of the Processor systems containing and/or storing Personal Data, which could expose Controller’s assets to risks from malicious activities. Security Tests shall probe for weaknesses in applications, network perimeters or other infrastructure elements as well as weaknesses in process or technical countermeasures relating to the Processor systems containing and/or storing Personal Data that could be exploited by a malicious party.

5.3   Security Tests shall identify, at a minimum, the following security vulnerabilities: invalidated or un- sanitized input; broken or excessive access controls; broken authentication and session management; cross- site scripting (XSS) flaws; buffer overflows; injection flaws; improper error handling; insecure storage; common denial of service vulnerabilities; insecure or inconsistent configuration management; improper use of SSL/TLS; proper use of encryption; and anti-virus reliability and testing.

5.4   Within a reasonable period after the Security Test has been performed, Processor shall remediate the issues (if any) identified and subsequently engage, at its own expense, the Testing Company to perform a revalidation Security Test to ensure resolution of identified security issues. Results thereof shall be made available to the Controller upon request.

6.     Security Audit

6.1    Processor, and all subcontracted entities (as appropriate) shall conduct at least annually an SSAE 18 (or equivalent) audit covering all systems and/or facilities utilized to provide the Service to the Controller and will furnish to Controller the results thereof promptly following Controller’s written request. If, after reviewing such audit results, Controller reasonably determines that security issues exist relating to the Service, Controller will notify Processor, in writing, and Processor will promptly discuss and where commercially feasible, address the identified issues. Any remaining issues shall be documented, tracked and addressed at such time as agreed upon by both the Processor and the Controller.

Exhibit 1 

Master Service Agreement

between,

Subscriber (as set forth in the Zendesk Resell Agreement)

(“Customer”)

and

babelforce GmbH

Mindspace, Friedrichstr. 68, 10117 Berlin

Co. Register-Nr.: HRB 150717 B

(“babelforce“ or “Supplier”)

(collectively, the “Parties”)

The Parties agree as follows:

The purpose of this agreement:

This agreement makes it possible for You, the Customer to use babelforce Services to communicate with your customers and to enhance your business processes. The actual elements of the babelforce Services that You can make use of are those on the Zendesk Resell Agreement to which this Master Service Agreement is attached or incorporated. This Agreement governs the contractual terms and conditions entered into between You and babelforce.

The contractual Parties and how the agreement comes into force:

This “Agreement“ is entered into by and between babelforce and “You” (the “Customer”). The Agreement shall be considered as binding once both Parties sign the Zendesk Resell Agreement for the initial contracted services and each appendix or addendum included by reference. In particular the following documents form parts of the overall Agreement:

• this Master Service Agreement
• Service Level and Scope Agreement (referred to as the “Service Level Agreement”), attached hereto as Attachment A
• Data Protection Addendum, attached hereto as Attachment B
• Information Security Requirements, attached hereto as Attachment C

Definitions of specific words and phrases

Each word or phrase that has a specific meaning defined in this Agreement and any addenda or referenced documents is introduced at the point where it is defined in quotes and bold type and is later used in text with the first letters capitalized. Such words and phrases only have the meaning as specified in this Agreement. “babelforce” refers to babelforce GmbH, registered at Amtsgericht Charlottenburg, Berlin with Register number.: HRB 150717 B.

“Agreement“ refers to this document and documents referenced within it and is used to mean the entire contract entered into by both Parties.

“Customer” or “You” or “Your” refers to the legal entity, natural or legal person, entering into this Agreement with babelforce.

“Customer Affiliates” are the subsidiaries or other legal entities of the Customer who are entitled to be the signatories of the Zendesk Resell Agreement for services under this agreement and/or who in a particular Zendesk Resell Agreement are entitled to make use of the contracted services.

“We” or “Us” or “Our” refer to babelforce.

“Registration Form“ is the form completed by You with the details of the legal entity (including the authorized legal representative and the company name) and submitted to indicate acceptance of this Agreement.

“Services” are the babelforce products and any related services that it markets and sells to its customers. In particular, products that you acquire the use as indicated in the Zendesk Resell Agreement are parts of the babelforce “Services”.

“Documentation” means any written or electronic documentation, images, video, text or sounds specifying the functionalities or limitations of the Services or describing Service Plans, as applicable, provided or made available by babelforce to Subscriber in the applicable babelforce help center(s), Site or babelforce developer website(e.g. https://help.babelforce.com); provided, however, that Documentation shall specifically exclude any “community moderated” forums as provided or accessible through such knowledge base(s).

“Usage Charges” means additional charges that are incurred by Subscriber relating to the use of certain features and functionality that Subscriber enables within the Service and/or are purchased by the Subscriber in a Service Order. Usage Charges for telecommunications and other usage items are contracted for separately and directly with babelforce and invoiced by babelforce directly to the Subscriber regardless of whether other parts of the Services are contracted for and invoiced through a reseller or general contractor.

"Your Data" means electronic data and information submitted by or for You to the Services or collected and processed by or for You using the Services, excluding data submitted or processed through or by third party applications, products or services.

“Marketing Materials” are the trademarks, logos and URLs, content, videos and all associated materials that may be amended by babelforce from time to time and that can only be used subject to the terms of this agreement.

“Zendesk” refers to Zendesk, Inc., a Delaware corporation, and any of its applicable affiliates, which will serve as the billing agent for Customer’s subscription(s) to the babelforce Services ordered by Customer from babelforce under this Agreement pursuant to the Zendesk Resell Agreement.

“Zendesk Resell Agreement” means the statement of work, agreement, and/or similar ordering document issued by Zendesk to Customer, to which this Agreement is attached or incorporated, that sets forth, without limitation, Customer’s subscription plan, subscription term, fees, and billing for the babelforce Services under this Agreement.

Agreement

1. babelforce’s Responsibilities:

1. We will make the Services available to You subject to this Agreement and the applicable Zendesk Resell Agreement, Service Level Agreement and provide our “Standard Support” for the Services to You and provide specific support if you have purchased a specific support service. 
2. We will use all commercially reasonable efforts to make the online Services available 24 hours a day, 7 days a week, except for the following: (a) planned downtime (b) any unavailability caused by circumstances beyond Our reasonable control. See Section 5 (Standard Support) for more information.
3. We will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of “Your Data”. We commit to the Data Protection Addendum and Information Security Measures, attached respectively hereto as Attachment B and Attachment C.
4. We will be responsible for the performance of Our personnel (including Our employees and contractors) and their compliance with Our obligations under this Agreement, except as otherwise specified.
5. We will provide You with at least six (6) months advance notice of any feature end of life or deprecation within the babelforce Services.

2. babelforce Free Trial and evaluation:

1. If You register for a “Free Trial”, We will make one or more Services available to You on a trial basis free of charge. Unless otherwise specified when you sign-up for a Free Trial, the trial period is 30 days from the Start Date. The Free Trial ends automatically once the trial period ends and will end earlier if you purchase Services under a Zendesk Resell Agreement.
2. The Services provided in a Free Trial are for evaluation purposes only. It is not permitted to use the Services for live customer interactions nor to use any volumes of interactions. The Free Trial is intended only for the isolated testing of the Services provided for evaluation.
3. If you enter any data or content or if you configure any aspects of the Services during a Free Trial, such data, content and configuration will be lost if you do not subsequently purchase the same services. In addition, during a free trial any data, content or configuration information you use to evaluate Services may need to be re-entered later once you move to purchased and/or production Services.
4. During a Free Trial the Services are provided “as is” without any warranty.
5. The particular functionality and content made available in a Free Trial is solely at babelforce’s discretion. Regardless of marketing materials or any other descriptions of what the production Services include, the Free Trial is not guaranteed to include the same functionality or content.
6. Sometimes babelforce may provide You with services for evaluation purposes, for example, pilots, beta versions, trial applications, non-production applications or services, developer sandboxes, test versions of third party services, test versions of integrations to babelforce services, etc. Such evaluation services are provided without any warranty and may be discontinued at our sole discretion at any time. babelforce takes no responsibility for any third party services provided in such evaluations.

3. Third Party Providers and Add-ons:

1. babelforce or third parties may make available applications, integrations, content or other components or professional services that work with or alongside babelforce’s Services, these are referred to as “Add-ons” or as “Third Party Add-ons” when we wish to emphasize that they are made available by a “Third Party Provider”. Any purchase or use by You of such Third Party Add-ons is solely between You and the “Third Party Provider”.
2. babelforce merely acts as a commercial agent bringing together the parties of such agreements. The provider of each Third Party Add-on is solely responsible for that Add-on, the related content, and any claims that You or any other party may have relating to that Add-on or Your use of that Add-on.
3. If You make use of a Third Party Add-on with the Services, You grant Us permission to allow the provider of that Add-On to access Your Data as required for the interoperation of that Add-On with the babelforce Services. 
4. babelforce is not responsible for any disclosure, modification or deletion of Your Data resulting from access by an Add-On.
5. If functionality, content or any aspect of a Third Party Add-On that interoperates with babelforce Services changes, is made unavailable or if We decide at our discretion that the Add-On is not appropriate to interoperate with Our Services, we reserve the right to remove functionality or content and/or the ability of the Add-On to interoperate with the Services. Should this happen, you will not be entitled to any refund or other compensation.
6. In some instances, babelforce handles the collection of payment for the providers of Third Party Add-ons. All such fees are subject to the conditions in a separate purchase order issued by babelforce or by reference to an online description of the pricing for the particular Third Party Add-ons. You agree that babelforce has the right to submit claims in the name of such Third Party Providers for such payments.

4. Use of the Services:

1. You will be responsible for Your and Your employees’ and contractors’ compliance with this Agreement.
2. You will use the Services and/or any Add-Ons appropriately and in particular you will:

1. keep current your registration data, including your email address and, if applicable, billing information (including billing address);
2. ensure the fulfillment of all legal regulations and licensing requirements and comply with all applicable data privacy laws and data security regulations;
3. use the Services in accordance with the Documentation and applicable laws and government regulations;
4. keep your password and any other access credentials confidential and inform babelforce immediately if you have reason to suspect your password has been disclosed to or otherwise obtained by any third party; and
5. make all reasonable efforts to prevent unauthorized access to or use of Services and Content, and notify Us promptly of any such unauthorized access or use.
6. If you make use of any third party applications, services or integrations, including but not limited to Add-ons, you will comply with the applicable terms and conditions for such services.
7. You will not make any Service or content available to, or use any Service or content for the benefit of anyone other than You and Your users who are permitted to access the Services. In particular, You may not sell, resell, license, sublicense, distribute, rent or lease any part of a Service or content. 
8. You may not use a Service to store or transmit infringing, libelous, or otherwise unlawful or tortuous material, or to store or transmit material in violation of third-party privacy rights or use a Service to store or transmit Malicious Code, interfere with or disrupt the integrity or performance of any Service or third-party data.
9. You may not attempt to gain unauthorized access to any Service or content or its related systems or networks.
10. You undertake not to permit direct or indirect access to or use of any Service or content in a way that circumvents a contractual usage limit.
11. You may not copy a Service or any part, content, feature, function or user interface. You may not copy content except as explicitly permitted.
12. You may not frame or mirror any part of any Service or content, other than framing on Your own intranets or otherwise for Your own internal business purposes or as permitted under this Agreement.
13. You may not access any Service or content in order to build a competitive product or service, or reverse engineer any Service to the extent such restriction is permitted by law.
14. You will notify babelforce about any experienced deficiencies in the Services and/or in any Add-Ons and reasonably assist babelforce in the identification of any such deficiencies and their causes, and in the remedy of such deficiencies.
15. In using the Services and/or any Add-Ons, you will not do or attempt to do any of the following:

• abuse the access to the Services and/or engage in any illegal or unlawful actions in relation to the Services and/or Add-Ons in any form. In particular it is prohibited to use any Services and/or Add-Ons in connection with third parties’ user accounts without such third parties’ permission;
• upload or create any kind of malware, spyware, viruses, worms, Trojan horses or similar harmful code;
• otherwise abuse or manipulate the Services or use the Services in a way that violates this Agreement;
• interrupt or block any communication features, e.g. causing overloads or distributing spam;
• distribute or enable access to illegal content of any kind. This applies without limitation to pornographic, racist, violent or any otherwise illegal or immoral content;
• infringe any third party’s rights, including without limitation trademarks, copyrights, patents, business and trade secrets and/or any other intellectual property rights.

13. babelforce may modify or remove any content you upload that babelforce determines in its discretion to violate this Agreement.

5. Standard Support:

1. babelforce provides “Standard Support” as specified in this Section 5, to You unless You have purchased another specific support package.
2. Under Standard Support, we will use all commercially reasonable efforts to make the telecommunications and online Services available 24 hours a day, 7 days a week, except for the following: (a) planned downtime (b) any unavailability caused by circumstances beyond Our reasonable control including, for example, an act of God, act of government, flood, fire, earthquake, civil unrest, act of terror, strike or other labor problems, internet service provider or telecommunications failure or delay, problems due to a third party service or application, or denial of service attack. 
3. Notwithstanding the fact that in practice we achieve high uptime rates on telecommunications services on a 24x7 basis for customers on Standard Support, the Standard Support does not include a specific target availability level. Specific service levels and the responsibilities of each Party with respect to the support and service processes are defined in the Service Level Agreement.
4. You may open a ticket at any time by contacting babelforce support as indicated on our website. We will use all reasonable commercial means to respond and resolve support tickets rapidly. We undertake to proactively engage to resolve all issues that are under our control and that are directly related to the Services you have purchased.

6. Licenses granted:

1. babelforce grants You a non-exclusive, worldwide, non-transferable, non-sublicensable license, to use the Services provided to you by babelforce as part of the Services and/or Add-Ons. This license is for the sole purpose of enabling you to use the Services and/or Add-Ons, as permitted by this Agreement and is limited to the term of this Agreement and subject to the payment of such fees as may be applicable under the Zendesk Resell Agreement for particular Services.
2. babelforce grants you a non-exclusive, worldwide, royalty-free, non-transferable, non-sublicensable license, limited to the term of this Agreement, to use the babelforce “Marketing Materials” for the sole purpose of promoting or advertising that You use the Services. You will refrain from any use of babelforce’s trademarks that could damage the goodwill, reputation or interests of babelforce. You are, of course, not obliged to promote Your use of the Services.
3. The license granted to use the Marketing Materials is subject to babelforce’s Marketing Materials Usage Guidelines (“Marketing Guidelines”) (which can be found at http://www.babelforce.com/company/legal/marketing-materials-guidelines/ ). The Marketing Guidelines are part of this agreement by reference and may be updated from time to time by babelforce at its sole discretion.  babelforce may revoke this license at any time by giving the You a written notice (including via email).
4. You grant babelforce a non-exclusive, worldwide, royalty-free, transferable and sublicensable license, limited to the term of this Agreement, to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any content, including any application, you upload, create or configure using the Services, for the sole purpose of enabling babelforce to provide you with the Services and otherwise perform its obligations under this Agreement. For example, in order to make a component like “Web call-back” available for You, you will need to upload your logo and your company name and configure the application. These materials and content will need to be published and displayed in order to provide the Services.
5. You agree that babelforce, at its sole discretion, may use your trade names, trademarks, service marks, logos, domain names and other distinctive brand features in presentations, marketing materials, customer lists, financial reports, website listings and links to your website(s) for the purpose of publicizing your use of the Services. babelforce undertakes to make all commercially reasonable efforts to ensure that such materials and content are used to promote You and Your company and products in the best possible light. babelforce is not under any obligation to so advertise, market, promote, or publicize Your use of the Services.

7. Fees and Payment

1. You will pay all fees specified in the Zendesk Resell Agreement. Payment obligations are non-cancelable and fees paid are non-refundable. 
2. You are responsible for keeping any data relevant to billing, payments and payment methods used up-to-date and valid. You will notify us and Zendesk promptly of any changes to such information.
3. Billing and payment information for the Services You order from babelforce under this Agreement will be set forth in the Zendesk Resell Agreement. You authorize Zendesk to act as the billing agent for the Services ordered from babelforce provided in the Zendesk Resell Agreement. 
4. If any amount owing by You is 30 or more days overdue, We reserve the right to suspend Our services to You until such amounts are paid in full. We will give You at least 7 days’ prior notice that Your account is overdue, in accordance with Section 8.4, before suspending services to You.

8. Term and Termination

1. This Agreement shall become effective as of the Start Date and continues until the end of the longest term, referred to as the “Active Term”, specified in any Zendesk Resell Agreement.
2. The term applicable to Services will be as specified in the Zendesk Resell Agreement.
3. Free Trials and any other form of evaluation services (see Section 2) are provided solely at babelforce’s discretion and may be discontinued at any time. The participation in a Free Trial or the evaluation of services does not specify a term applicable to this Agreement.
4. The specific termination conditions are specified in a Purchase Form for specific ordered services and/or a Service Level Agreement or other document included by reference in this Agreement. Except for the explicitly defined termination conditions, either Party may terminate this Agreement at any time, effective immediately upon written notice to the other Party who has materially breached this Agreement, provided that prior to terminating this Agreement the terminating Party shall adhere to the terms and conditions defined in this Agreement, including the Purchase Forms and Service Level Agreement.
5. Either Party may terminate this Agreement at any time, effective immediately upon written notice to the other Party who has materially breached this Agreement, provided that prior to terminating this Agreement the terminating Party shall provide written notice of such material breach in accordance with all terms and conditions defined in this Agreement, and its related Purchase Forms, Service Level Agreements. In any case, the notified Party must be given the maximum of the specified periods in this Agreement, and its Purchase Forms and Service Level Agreement, for the particular type of breach and certainly not less than thirty (30) days opportunity for the breaching Party to cure such breach.
6. If this Agreement is terminated by You in accordance with 8.5, We will refund You any prepaid fees covering the remainder of the Active Term after the effective date of termination. If this Agreement is terminated by Us in accordance with Section 8.4, You will pay any unpaid fees covering the remainder of the Active Term. In no event will termination relieve You of Your obligation to pay any fees payable to Us for the period prior to the effective date of termination.
7. After a thirty (30) day period from the effective date of termination, We will have no obligation to maintain or provide Your Data, and will thereafter delete or destroy all copies of Your Data in Our systems or otherwise in Our possession or control, unless legally prohibited.
8. The following Sections will survive any termination or expiration of this Agreement: Section 7 (Fees and Payment), 8.5 (Refund or Payment upon Termination), 8.6 (Portability and Deletion of Your Data), 10 (Intellectual Property Rights), 11 (Warranty, Disclaimer of Warranty), 12 (Limitation of Liability), 14 (Mutual Indemnification), 15 (Confidential Information and Publicity), 16 (Prohibition on Raiding or Solicitation), 18 (Entire Agreement, Notices), 19 (Disputes and Dispute Resolution), 20 (Governing Law and Jurisdiction).

9. Assignment and sub-contracting

1. Neither Party may assign or otherwise transfer this Agreement or any part of it to a third party without the prior written consent of the other Party, such consent not to be unreasonably withheld.
2. This Agreement is enforceable by the original Parties to it and by their successors in title and permitted assignees.
3. Customer Affiliates are entitled to make use of contracted services with other Customer Affiliates.

10. Intellectual Property Rights

1. All intellectual property rights in babelforce Marketing Materials, the babelforce Services and related content and technology around the world (“babelforce Intellectual Property Rights”) are and will remain the exclusive property of babelforce and its subsidiary companies. These babelforce Intellectual Property Rights include but are not limited to trademarks, trade names, logos, patents, copyrights, domain names and derivative rights.
2. The License granted by babelforce to You under Section 5 of this Agreement is granted solely under the terms of this Agreement. Your right to use the Marketing Materials is at the discretion of babelforce and is subject to Your compliance with the terms of this Agreement, Marketing Guidelines, and with all applicable laws and regulations. 
3. You agree to always use the Licensed Marks and any other babelforce Marks in compliance with the Marketing Guidelines.
4. You agree not to create or obtain any intellectual property rights (including but not limited to trademarks, trade names, logos, patents, copyrights, domain names and derivative rights) that are substantially similar to any babelforce Intellectual Property Rights.
5. You agree to promptly notify babelforce of any unauthorized use of any babelforce Intellectual Property Rights of which You have actual knowledge.
6. babelforce may perform periodic reviews of any Marketing Materials presented by You, and shall have the exclusive authority and discretion to order the removal and/or amendment of any Marketing Materials presented by You.
7. Where babelforce provides software or related artefacts and resources (including but not limited to source code, HTML and other markup languages, javascript and other scripting, audio and graphics) to You, babelforce owns all intellectual property and derivative rights and does not grant any license to the software other than to allow You to make use of and promote the babelforce Services in accordance with this Agreement. 

11. Warranty, Disclaimer of Warranty

1. Both Parties warrant that at all times during the Active Term they will comply with all applicable laws, regulations, codes of practice, as well as this Agreement. 
2. While this Agreement is in effect and after its termination for any reason whatsoever, You expressly undertake not to do anything that might reasonably be expected to damage the business, interests or reputation of babelforce and will not make, publish or allow to be made or published any disparaging remarks concerning babelforce, its representatives, or the babelforce Services.
3. Other than babelforce’s express warranty under 11.1, babelforce makes no other warranty, express or implied, of any kind and babelforce expressly disclaims any and all warranties and conditions, including but not limited to any implied warranty of merchantability, fitness for a particular purpose, availability, security, title, and/or non-infringement of the subject matter of this Agreement.

12. Limitation of Liability

1. By entering this Agreement You recognize the limitations on babelforce’s liability. 
2. Except for as explicitly defined in this Agreement in no event will either party have any liability to the other party for any lost profits, revenues or indirect, special, incidental damages, regardless of the theory of liability, even if a party has been advised of the possibility of such damages.
3. In any case, each party’s liability to the other will be limited to the greatest extent permitted by law.

13. Independent Contractors

1. The Parties act on their own behalf as independent contractors. Nothing in this Agreement shall create any joint venture, agency, franchise, sales representative, employment or any other relationship between the Parties beyond the relations set out in this Agreement, and You are expressly precluded from acting on babelforce’s behalf. 
2. Your display of Marketing Materials under this Agreement, other content presented by You, or contact between You and third parties shall not misrepresent the relations between the Parties as independent contractors to this Agreement.

14. Mutual Indemnification

1. babelforce shall defend, indemnify and hold You harmless against any loss, damage or costs (including reasonable attorneys' fees) incurred in connection with claims, demands, suits, or proceedings ("Claims") made or brought against you by a third party alleging that the use of the Services infringes, misappropriates or violates any intellectual property rights of a third party; provided, that You (a) promptly give written notice of the Claim to babelforce; (b) give sole control of the defense and settlement of the Claim (provided that babelforce may not settle or defend any Claim unless it unconditionally releases you of all liability); and (c) provide to Us, at Our cost, all reasonable assistance.
2. You will indemnify, defend and hold babelforce and its subsidiaries, affiliates, officers and employees (the “babelforce Indemnified Parties”) harmless from and against any and all costs, liabilities, losses and expenses (including but not limited to reasonable attorneys’ fees) resulting from any claim, suit, action, demand or proceeding brought by any third party against the babelforce Indemnified Parties arising from any of the following: (i) a breach of the Agreement by You; (ii) the negligence, gross negligence or willful misconduct of You or Your employees, agents or contractors; or (iii) a failure by You or Your employees, agents, contractors or invitees to comply with applicable laws and regulations.
3. These indemnification obligations shall continue after the expiration or termination of this Agreement.

15. Confidential information and publicity

1. Neither Party shall use or disclose any Confidential Information of the other Party, including any information or data relating to the Parties technical solutions or business plans. Information shall in any event be considered confidential if related to pricing, discounts or contractual information or if designated as confidential by either of the Parties. For the avoidance of doubt, the Parties agree that Zendesk is permitted to receive pricing and contractual information related to the babelforce Services that Customer orders pursuant to a Zendesk Resell Agreement as necessary for Zendesk to act as the billing agent under this Agreement.  
2. The foregoing provisions shall not prevent the disclosure or use by either Party of any part of such disclosed information or data which:

• is in or comes into the public domain in any way without breach of this contract by the receiving Party;  or 
• the receiving Party can show was i) in its possession or known to it by being in its use or being recorded in its files or computers or other recording media prior to receipt from the disclosing party and was not previously acquired by the receiving Party from the disclosing Party under an obligation of confidence, or ii) to have been developed by or for the receiving party at any time independently of any information disclosed to it by the disclosing Party; or iii) the receiving Party obtains or has available from a source other than the disclosing Party without breach by the receiving party or such source of any obligation of confidentiality or non-use towards the disclosing Party; or iv) is hereafter furnished by the disclosing Party to a third party without restriction on disclosure or use; or v) is disclosed by the receiving Party with the prior written approval of the disclosing Party.

3. The receiving Party shall maintain the disclosing Party's Confidential Information in confidence and shall exercise in relation thereto no lesser security measures and degree of care than those which the receiving party applies to its own confidential information.  The receiving Party shall ensure that disclosure of such Confidential Information is restricted to those employees or directors of the receiving party whose work requires them to know the same.  Copies or reproductions (“Copies”) shall not be made except to the extent reasonably necessary for the purposes of this Clause 15.3 and all Copies made shall be the property of the disclosing Party.
4. The receiving party shall 

• not divulge the disclosing Party's Confidential Information, in whole or in part, to any third party or to any other associated party or business division, and
• make no commercial use of the same or any part thereof without the prior written consent of the disclosing Party. Notwithstanding the foregoing, the receiving Party shall be entitled to make any disclosure required by law of the disclosing Party's Confidential Information provided that it gives the disclosing Party not less than two working days' notice of such disclosure.

5. Each Party warrants its right to disclose its Confidential Information to the other Party.

16. Prohibition on Raiding or Solicitation

1. Neither Party shall for the duration of this Agreement and for one year after termination hire, employ or solicit any employee of the other Party, or have such employee work for such Party either directly or indirectly.

17. Force Majeure

1. If either Party shall be prevented (directly or indirectly) from performing any of its obligations under the Agreement, other than to pay invoices due, by reason of any Act of God, terrorism, fire, flood, unusually severe weather, explosions, riot, labor dispute, accident, war or the acts, denial of service attacks, cyber attacks, orders, restrictions of any government including the withdrawal or withholding of any export or import licence or regulatory approval, telecommunications network failure, improper performance by operators of, or defects in public telecommunications or internet services not under contract with babelforce, materials or software of third Parties, freight embargoes or other reason beyond its reasonable control excepting the negligence of the Party affected, it shall be entitled (providing it has promptly notified the other of the preventing circumstances arising and its likely duration and effect) to delay without penalty the performance of such obligations until the preventing circumstances cease.
2. If the period of the force majeure event exceeds two calendar months either Party may terminate this contract by written notice to the other Party. 

18. Entire Agreement; Severability Clause; Notices, Modification by Notice

1. This Agreement and documents referenced within it represent the entire agreement among the Parties.
2. Any modifications of this Agreement will be subject to a written amendment between the Parties and subject to a separate Zendesk Resell Agreement, as applicable.. The Customer must agree to such a change in writing. If a change is necessary to deal with regulatory circumstances, legal compliance, applicable law or the effective provision of the Services in accordance with this Agreement, both Parties undertake to negotiate in good faith to agree such a change to retain the spirit and intention of the original Agreement.
3. If individual provisions of this Agreement – including the conditions of business – should prove to be ineffective, this does not affect the effectiveness of the remaining provisions. The Parties shall without delay replace the ineffective provisions by others which as closely as possible approximate to the intentions of the ineffective provisions.
4. Either Party’s failure to enforce the other Party’s strict performance of any provision of this Agreement will not constitute a waiver of the first Party’s right to subsequently enforce such provision or any other provision of this Agreement.
5. This Agreement may be signed in counterparts and such counterparts shall be valid and binding on the Parties hereto with the same effect as if original signatures had been exchanged. All notices relating to this Agreement shall be delivered via email (with return receipt) or mail to the registered addresses of the legal entities, i.e. the Parties, entering into this Agreement.

19. Disputes and dispute resolution

1. Prior to initiating any legal action arising under or relating to this Agreement, a Party shall provide the other Party written notice of a dispute and the Parties shall actively and in good faith negotiate with a view to speedy resolution of such dispute within thirty (30) business days of the receipt of such notice.
2. All controversies or disputes, which by statute are not exclusively subject to court determination, shall in the first instance be addressed through direct negotiation and dispute resolution in good faith and at a senior management level.
3. If the matter is not resolved through negotiation at senior management level, the Parties will attempt to resolve the dispute in good faith through an Alternative Dispute Resolution (ADR) (e.g.Schlichtungsstelle für IT Streitigkeiten) that is provided by the Berlin Industry and Chamber of Commerce (Industrie- und Handelskammer Berlin).
4. If the matter has not been resolved by an ADR procedure within sixty (60) days of the initiation of that procedure, or if either Party will not participate in an ADR procedure, the dispute shall be decided by the court having jurisdiction according to Section 20.
5. Nothing in this Section 19 shall be taken as preventing at any time while the dispute resolution procedures are in progress or before or after they are invoked either Party instituting against the other proceedings before the courts to protect that Party’s intellectual property rights, trade secrets or confidential information. 

20. Governing Law, Jurisdiction

1. This Agreement shall be governed by the laws of the Federal Republic of Germany. The sole and exclusive jurisdiction and venue for any litigation arising out of this Agreement shall be an appropriate court in Berlin, Germany and the Parties agree not to raise, and hereby waive, any objections or defenses based upon venue or forum.

Attachment A – Service Level and Service Scope Agreement

Purpose

The Customer depends on services that are provided by, maintained and supported by babelforce (“the Supplier”). Some of these services are of critical importance to the Customer’s business operations.

This service level agreement sets out what levels of availability and support the Customer is guaranteed to receive for specific parts of the provided services. It also explains what measures will be applied when different kinds of issues occur.

This SLA forms an important part of the contract between the Customer and the Supplier. It aims to enable the two parties to work together effectively.

The business operations of the Customer are enabled by a combination of the services provided by babelforce and integrated products and processes of other vendors contracted by the Customer and components and processes operated directly by the Customer. This part of the overall agreement specifies the responsibilities of each party to ensure that the overall business processes operate as effectively and efficiently as possible.

Scope

The Customer is using services from babelforce where high availability and uptime is required for core components. In order to achieve this, it is necessary to clearly define the status of services under stages of change management, what elements are under whose control and what processes are to be followed by each party to ensure high quality and performance.

This section defines the elements of the service that are covered under this agreement and those that are under the control of the Customer and others which are not covered. It also defines the statuses that the services as they relate to change management.

Uptime levels

In order to enable the Customer to do business effectively, the Supplier guarantees that certain items will be available for a certain percentage of time.

The uptime level applies to items in the Equipment, software and services covered table that show a tick in the “Counted in uptime SLA calculation?” column.

The level of guaranteed uptime, and the related downtime measurement is defined only with respect to priority 1 (one), severity level “Severe” or “Fatal” and to service items explicitly indicated as “Counted in uptime SLA calculation?”:

The % uptime is calculated on the basis of nearest minute. babelforce represents and warrants that the Services will achieve a monthly availability percentage of at least 99.9% in any calendar month (i.e., max forty-three (43) minutes downtime per month) during the Term. Planned maintenance/downtime shall be limited to under four (4) hours in a given month and babelforce will provide at least seven (7) days’ advance written (email acceptable) notice to Customer of such availability.

Operational Hours used for SLA and Service Scope

babelforce and the Customer will agree the operational hours that apply to this Agreement and to the measurement of uptime and SLAs in such a way that maintenance windows can be utilized to ensure maximal reliability and to take into account the working hours of the relevant Customer and babelforce teams in each location.

Uptime is measured over each period. It is calculated to the nearest minute, based on the number of minutes in the given period only within the operational hours for the SLA and against the criteria defined for determining an uptime relevant event.

Note that these operational hours do not affect network operations 24 / 7 monitoring of all services, nor babelforce’s undertaking to detect and resolve issues as fast as possible at any time. They only affect the specification of uptime, response and resolution times and the related SLAs.

Response and resolution times specifications

When the Customer raises a support issue with the Supplier, the Supplier promises to respond to the issue and then resolve it in a timely fashion.

Note that the response times and the resolution times are the defined limits not the actual achieved or desired times. babelforce monitors the services for the Enterprise plan of the Customer and aims to automatically detect Fatal or Severe faults. Where possible, babelforce endeavors to automatically or manually rapidly recover from such faults and also rapidly resolve other issues reported.

Response times

The response time measures how long it takes the Supplier to respond to a support request raised via the Supplier’s online support system. 

The Supplier is deemed to have responded when it has replied to the Customer’s initial request. This may be in the form of an email or other communication, to either provide a solution or request further information or to initiate the process of isolating the issue.

Guaranteed response times depend on the priority of the item(s) affected and the severity of the issue. They are shown in this table:

*Only Priority 1 service items can by definition have a fault with severity level “Fatal”

Response times are measured from the moment the Customer submits a support request via the Supplier’s online support system in accordance with the agreed documented processes.

Response times by a support person for Medium and Minor severity level issues apply only during standard working hours for the team in the location responsible for your account..

Resolution times

The resolution time measures how long it takes the Supplier to resolve or fix an issue raised via the Supplier’s online support system.

Guaranteed resolution times only apply when the highest-priority items are affected by the most serious issues. In other situations, the Supplier will make its best effort to resolve the issue as soon as possible

Resolution times are measured from the moment the Customer submits a support request via the Supplier’s online support system.

Resolution of a non-Fatal issue is deemed exercised when a workaround, fallback or recovery procedure has been defined and put in place. Note that several possible fault types have workaround, fallback and recovery positions that can be agreed and documented between the Parties in a Contact Communications and Service Triage Processes document. For any not yet defined issue reported, babelforce will identify a suitable resolution (fix, workaround, fallback recovery) and then the process to isolate and apply that resolution can be included in an update to the Contact Communications and Service Triage Processes that is agreed by both Parties.

Status of deployed services and scope of agreement

At any time, the entire services made available by babelforce to the Customer are in one, and only one, of three statuses as defined in the following table:

Note that babelforce takes a number of process measures to ensure the high performance of enterprise services and the statuses above are related directly to the ability to work in partnership with the Customer to ensure smooth operations of complex systems that are subject to change.

In particular, babelforce will only make changes to software components that are in the software branches deemed “enterprise-stable” by the babelforce platform team. The only exception to this process is when babelforce agrees with the Customer to make some other changes. For example because the Customer regards them as important for their operations and enters into a project or specific services agreement with babelforce to apply additional changes. Any such change will impact the time frame when the services are regarded as in the statuses above.

Equipment, software and services covered

This agreement covers only services in the table below. 

Please note:

• There can be defined response and resolution times for any items listed in this section, but the Supplier can only ensure resolution times for items fully under the Supplier’s control. 
• The uptime measurement and SLA only applies to items where indicated in the Counted in uptime SLA calculation? column.

These items have been assigned a priority level, from 1 (most important) to 3 (least important). The priority levels help determine the importance for the particular item for the effective operation of the services.

Specific equipment, software and services not covered

Any equipment, software and services not under the direct control of babelforce is excluded and not counted in uptime SLA calculation. The following list is not exhaustive, but lists some of the most important equipment, software and services that are excluded from the scope of this agreement.

Clarification of scope and exclusions

Regardless of whether an item is listed above or not, for the avoidance of any doubt, this Agreement does not apply to:

• Any equipment, software, services or other parts of the overall systems and processes not under the complete and direct operational control and under contract solely to babelforce
• In particular, any software, equipment or services not purchased via and managed by the Supplier
  Additionally, this Agreement does not apply when:
• The problem has been caused by the Customer using equipment, software, configurations or services in a way that is not recommended. 
• The Customer has made changes to the configuration or setup of affected equipment, software or services.
• The Customer has prevented the Supplier from performing required maintenance and update tasks. 
• The Customer personnel do not follow the agreed Contact Communications and Service Triage Processes.
• The issue has been caused by unsupported equipment, software or other services.
• The babelforce services are not designated formally as in status “Fully-live” and under SLA with respect to the definitions in this Agreement. In particular,:

• Newly deployed features of functionality for the Customer or any vendor supplying the Customer and using babelforce will result in the overall Services leaving the “Fully-live” status and entering the “Work-in-progress” status. The services will be regarded changing again to “Bedding-in” and then to “Fully-live” only when both parties formally confirm that this is the case.

• Issues with end-to-end network data packet transmission and media (e.g. voice or audio) quality.

• Fixing these issues generally requires a project together with the Customer and or contractors or outsourced vendors to the Customer
• Resolving these issues usually involves longer time-scales to isolate and fix issues
• babelforce regularly undertakes these projects with Customers and both network and media issues can be optimized to achieve highest possible quality. Processes can be put in place by the Customer (and contractors or vendors of the Customer), and by babelforce to maintain that high quality, but the response and resolution times are not those specified in this agreement.

This Agreement does not apply in circumstances that could be reasonably said to be beyond the Supplier’s control. Section 17 of the Master Service Agreements covers the Force Majeure definition and this applies to the provisions of this agreement. Among other force majeure events, denial of service attacks and telecoms or public internet network issues are not covered by uptime measurement and SLAs defined in this document.

This Agreement also does not apply if the Customer is in breach of its contract with the Supplier for any reason, for example but not limited to late payment.

Notwithstanding the practical and necessary limitations on scope, babelforce aims to be helpful and accommodating at all times, and will do its absolute best to assist the Customer wherever possible. In particular, this document and any agreed Contact Communications and Service Triage Processes also specify the kinds of known or possible events that can occur that are not directly under the control of babelforce and not supported under this SLA, but where the Customer and babelforce have responsibilities and need to work in partnership to maintain good quality service.

Also note that regardless of the service level specifications in this document, babelforce network operations will continuously monitor the services provided to the Customer. Independently of uptime SLA, response and resolution times, babelforce endeavors to rapidly detect and apply a resolution to an issue impacting service.

Service level specification

Severity level definitions

The severity levels used in this agreement are defined as follows:

• Fatal: Complete degradation — all users or critical functions affected. Item or service completely unavailable.
• Severe: Significant degradation — large number of users or critical functions affected. Some enabled business processes continue.
• Medium: Limited degradation — limited number of users or functions affected. Business processes can continue.
• Minor: Small degradation — few users or only some interactions affected. Business processes can continue.

Responsibilities

Contact communications and service triage processes

At any point in time after the beginning of the initial setup of the babelforce services for the customer, the Contact Communications and Service Triage Processes can be defined.

The set of agreed triage processes for investigating, isolating and reporting issues must be followed by the Customer.

The purpose of these arrangements is to ensure the optimal operation of the combined set of service components and processes.

The defined means to raise an issue and the information required, and the investigative procedures to isolate the issue are defined in the document. 

It is the responsibility of the Customer to ensure that at least 2 members of Customer’s team have been trained in the triage and communication processes. The customer must designate the contact persons who can investigate, raise issues and work on resolving issues. At least one such designated contact person and subject matter expert must be on hand during the operating hours defined for this service level and service scope agreement.

Supplier responsibilities

The Supplier will fulfill all obligations in the overall Services Agreement and in particular with respect to this Service Level and Service Scope Agreement and will:

• Provide and maintain the services to operate effectively.
• Respond to relevant support requests within the parameters defined in this agreement.
• Take steps to escalate and resolve issues within the timescales defined in this agreement.
• Assist the Customer in line with the Contact Communications and Service Triage Processes to ensure high performance of the combined services and components operated by the Customer and babelforce
• Work closely with the Customer’s designated contact persons and babelforce and overall service subject matter experts
• Maintain good communication with the Customer at all times

Customer responsibilities

The Customer will fulfill its obligations in the overall Services Agreement and in particular with respect to this Service Level and Service Scope Agreement and will:

• Notify babelforce of issues or problems in a timely manner
• Investigate, isolate, report and fix issues in accordance with the Contact Communications and Service Triage Processes as agreed and updated on an ongoing basis by both Parties.
• Ensure that employees of the Customer are trained in the overall integrated systems and the Customer’s configurations of babelforce and that the designated subject matter experts are on hand during operational hours for this agreement. 
• Ensure that all service items (components, products, equipment, processes) under the Customer’s control (or under the control of other vendors to the Customer) are maintained appropriately to ensure optimal interoperability with the services provided by babelforce.

Relationship to other agreements

This document is incorporated by reference into the Main Service Agreement. 

Since this agreement is only meaningful for the contracted services ordered from babelforce, the start and end of the contract term and the renewal conditions are explicitly linked to the main subscription plan of the Customer. This linked term is achieved as follows: The term of the provisions of this document begins on the “Subscription plan start date” agreed in the applicable Zendesk Resell Agreement for the main subscription plan of the Customer, assuming that the execution date is earlier in time. In any case, the term of this agreement ends on the “Subscription term end date” or with the currently valid end of term of the main subscription plan and contract with the Customer.

 

Attachment B – Data Protection Addendum

Preamble

The parties have entered into the Service Agreement, which governs services relating to the processing of personal data. This Data Processing Agreement specifies the Parties‘ obligations in respect to data protection. It applies to any activities relating to the Service Agreement that may cause Processor, Processor‘s employees or Processor’s agents to access Controller’s personal data. It shall ensure compliance with the applicable data protection law, in particular with the General Data Protection Regulation (GDPR).

“Service Agreement” refers to the babelforce Master Service Agreement, entered into by the Controller both at registration and when ordering particular services, and includes all terms and conditions agreed in purchase forms, orders and other annexes to the Master Service Agreement.

1. Subject-Matter and Duration of the Processing (Art. 28(3) first subparagraph GDPR / Sec. 11(2)(2) no. 1 BDSG)

Processor processes Controller’s personal data on behalf of Controller in order to perform its contractual obligations under the Service Agreement. The subject matter and duration are defined in Annex 1 to this Data Processing Agreement.

2. Nature, Scope and Purpose of the Processing / Categories of Data Subjects / Types of Personal Data (Art. 28(3) first subparagraph GDPR / Sec. 11(2)(2) no. 2 BDSG)

The Nature, scope and purpose of the processing, the categories of data subjects and the types of personal data subject to the processing are defined in Annex 1.

3. Controller’s Rights and Obligations (Art. 28(3) first subparagraph GDPR)

Controller’s rights and obligations follow from the Service Agreement and this data processing agreement.

4. Processing of Personal Data only on Documented Instructions (Art. 28(3) second subparagraph, lit. a GDPR / Sec. 11(2)(2) no. 9 BDSG)

Processor processes and transfers Controller‘s personal data only on documented instructions of Controller. This in particular, but without limitation, applies to any transfer of Controller’s personal data to recipients in third countries (i.e. countries outside of the European Economic Area), to international organisations as well as to the processing of such data in a third country by the Processor, all of which require the express prior written consent of the Controller.

Instructions are initially documented in this agreement and may subsequently be changed or amended by Controller’s written instruction (including instruction by e-mail).

Processor may also process and transfer personal data of Controller where required by European Union or Member State law. In such case, Processor informs Controller about that legal requirement before the processing, unless that law prohibits such information on important grounds of public interest.

5. Commitment of Involved Personnel to Confidentiality (Art. 28(3) second subparagraph, lit. b and Art. 32(4) GDPR / Sec. 11(2)(2) no. 5 and 11(4) BDSG)

Processor ensures that personnel deployed for the processing of Controller’s personal data or otherwise authorized to process such data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 

6. Technical and Organisational Measures (Art. 28(3) second subparagraph, lit. c GDPR / Sec. 11(2)(2) no. 3 BDSG)

Processor organizes its business in compliance with data protection requirements. Processor implements adequate technical and organisational measures to protect Controller’s personal data as required under data protection law. These requirements in particular follow from Section 9 BDSG or – as of 25 May 2018 – from Art. 32 GDPR. Particular measures taken are documented in Annex 2. 

Technical and organisational measures are subject to technical development. For the duration of the processing, Processor continuously develops and improves the technical and organisational measures as necessary. The level of protection shall not fall below the level described here and in Annex 2. Processor shall regularly test, assess and evaluate the effectiveness of the measures.

7. Sub-Processors (Art. 28(3) second subparagraph, lit. d GDPR / Sec. 11(2)(2) no. 6 BDSG)

Controller agrees that Processor engages the sub-processors listed in Annex 3 (if any). 

[    ]  Option 1: Processor may engage further sub-processors only with Controller‘s prior specific written authorisation. 

[ x ]  Option 2: Controller hereby authorizes Processor to engage further sub-processors under the following conditions: Processor informs Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving Controller the opportunity to object to such changes. Controller may object to any engagement of additional sub-processors and changes to existing engagements of sub-processors. Processor informs Controller in due time prior to any engagement of sub-processors or changes to an engagement of a sub-processor in order to enable Controller to duly consider whether or not to exercise its right to object. 

Processor ensures for any sub-processor engaged, whether listed in Annex 3 or not, to impose on such sub-processor the same data protection obligations as implemented between Controller and Processor under this agreement. Processor in particular ensures that any sub-processor implements appropriate technical and organisational measures in such a manner that the processing will meet the requirements of data protection law and of this agreement. Processor is responsible and liable for the sub-processor’s compliance with these data protection requirements. 

8. Processor’s Assistance to Controller (Art. 28(3) second subparagraph, lit. e and f GDPR) / Sec. 11(2)(2) no. 4 BDSG)

Processor assists Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Controller’s obligation to respond to requests for exercising the data subject’s rights, including any rights under Chapter III of the GDPR, and in particular the rights to transparency, information and access to personal data, rectification, blocking, erasure, the right to be forgotten, the right to object and the right to data portability. Processor does not itself respond to any request by a data subject, but rather refers the data subjects to Controller for such requests.

Processor corrects, deletes or blocks Controller’s personal data upon Controller’s instructions. Where not contractually agreed upon, Processor, upon individual instruction, ensures that data are destroyed in a secure manner and in compliance with data protection requirements. Where instructed by Controller, Processor retains or hands over personal data. 

Processor assists Controller in (i) implementing appropriate technical and organisational measures to ensure an appropriate level of security, (ii) making, in case of personal data breaches, legally required notifications to the supervisory authority and communications to the data subjects, (iii) carrying out legally required data protection impact assessments and (iv) consulting, where legally required, the supervisory authority. In determining required measures of assistance, Processor shall consider the kind of processing and available information.

9. Deletion or Return of Data after the End of the Provision of Services Related to the Processing (Art. 28(3) second subparagraph, lit. g GDPR)

At the choice of Controller, Processor deletes or returns all of Controller’s personal data after the end of the provision of services relating to the processing. Processor deletes existing copies unless European Union or Member State law requires the retention of personal data.

10. Data Processor’s Data Protection Obligations, Compliance Documentation and Audit Rights (Art. 28(3) second subparagraph, lit. h GDPR / Sec. 11(2)(2) no. 5 and 7 BDSG)

Prior to the processing and regularly during the processing, Controller may audit the technical and organisational measures implemented by Processor. For this purpose, Controller may request information from Processor, existing audit certifications and inspect data processing facilities personally or let them be inspected by third parties. 

Processor regularly self-audits technical and organisational measures and appoints a data protection officer where required by law. Processor maintains the processing register according to Sec. 4g(2)(1) BDSG and with effect as 25 May 2018 of the records of processing activities under Art. 30 GDPR. These documents shall be provided to Controller upon request. Processor provides to Controller any information required to establish compliance with contractual and statutory obligations as a processor. Processor allows Controller and Controller’s auditors to carry out respective audits including on-site inspections. Processor stands ready for required assistance in this respect.

11. Notification in Case Instructions Infringe Data Protection Law (Art. 28 (3) third subparagraph GDPR / Sec. 11(3)(3) BDSG)

Processor informs Controller if, in its opinion, an instruction of Controller infringes any applicable data protection or other law.

12. Incident Notification (Art. 28(3) second subparagraph, lit. f, Art. 33 and Art. 34 GDPR / Sec. 11(2)(2) no. 8 BDSG)

Processor informs Controller in case of unauthorised access to personal data by third parties or other severe infringements of data protection law or this agreement, whether caused by Processor or Processor’s personnel. In such event, Processor takes any required measures to secure personal data and to mitigate any further consequences for the data subjects. Any respective activities shall be carried out in correspondence with Controller. The above notification obligation shall apply in any case where the possibility of a Controllers notification obligation under Sec. 42a BDSG or similar provisions may not be fully ruled out. 

With effect as of 25 May 2018, according to Art. 33(2) GDPR, Processor notifies Controller about any data protection infringement in the meaning of Art. 14 no. 12 GDPR, and assists Controller in ensuring compliance with Art. 33 and 34 GDPR taking into account the nature of the processing and the information available to Processor.

13. Further Obligations and Miscellaneous

Processor names a contact person for any data protection issues relating to this agreement and provides the contact details to Controller. 

Processor will inform Controller where personal data of Controller is endangered by sequestration, seizure, insolvency proceedings, requests for disclosure in the context of court proceedings or any other event or third parties action. In such event, Processor informs any involved parties that the personal data belong to Controller and that Controller is responsible for the personal data under data protection law. 

The Annexes form an integral part of this data processing agreement. Changes and amendments to this agreement must be made in writing and contain explicit reference to this agreement and the intention to amend it. This also holds true for this requirement of written form. 

In any case of conflict between this data processing agreement and the Service Agreement or any other agreement, this data processing agreement shall prevail. In case individual provisions of this agreement should be invalid, the remaining provisions of this agreement shall remain unaffected.

This agreement is subject to German law.

14. Execution of the agreement

This agreement is incorporated into the overall agreement between the Customer (and the Data Controller) and babelforce (the Data Processor).

Annex 1

Details Regarding the Processing of Data

 

Annex 2

Processor’s Technical and Organizational Measures

 

Annex 3

Sub-Processors

 

Attachment C – Information Security Measures

babelforce warrants and represents that it shall use commercially reasonable efforts to implement and maintain the security measures detailed below to keep all content, materials, data (including personal data) and non-public information provided or made available by the Customer (collectively, “Data”) secure and protect Data against unauthorized or unlawful processing, accidental loss, destruction or damage, as further set forth below. In doing so, babelforce will act in good faith and diligence, using reasonable care and skill. 

A. Definitions:

• “Process” means any operation in relation to Data irrespective of the purposes and means applied, including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
• “Breach” means any (a) unauthorized Processing of Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by babelforce regarding Processing Data or otherwise put in place to comply with these requirements. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
• “Incident” means any impairment to the security of Data including any (i) act that violates any law or any babelforce security policy, (ii) unplanned service disruption that prevents the normal operation of the Services, or (iii) Breach.

2. Measures: Technical and organizational measures for the storage, handling, and disposal of and Data.

• babelforce will utilize industry standard encryption algorithms and key strengths to encrypt the following:
• Encrypt all Data that is in electronic form while in transit over all public wired networks (i.e. Internet) and all wireless networks. 
• Encrypt all Data while in storage. “In Storage” means information stored in databases, in file systems, and on various forms of online and offline media (Mobile devices, laptops, DASD, tape, etc.) and is also commonly referred to as “at rest.”
• Except where prohibited by law, babelforce will promptly remove Data upon (a) completion of the Services; or (b) request by Customer to be removed from babelforce’s environment, and destroy it within a reasonable timeframe, but in no case longer than twenty-one (21) days after the date of request or cessation of services. babelforce will provide Customer with a written certification regarding such removal, destruction, and/or cleaning within thirty (30) days of such occurrence.

3. Measures: Malicious Code Protection. 

• • All workstations and servers (virtual or physical) will run the current version of industry standard anti-virus and/or anti-malware software with the most recent updates available on any workstation or server. Virus definitions must be updated promptly upon release by the anti-virus software provider. babelforce will configure equipment and have supporting policies to prohibit users from disabling antivirus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Data or babelforce’s computing environment.
  • babelforce will scan incoming and outgoing content for malicious code on all gateways to public networks including email and proxy servers.
  • babelforce will quarantine or remove files that have been identified as infected and will log the event.

4. Measures: Technical and organizational measures for access control, especially to control the legitimacy of authorized entrants to the facilities and systems where Data may be accessed:

• • babelforce ensures measures are taken to secure the premises (for example, securing entries and exits) as well as measures within its building through the use of the following procedures:
  • security and encryption of all personal computers or other mobile devices that may access Data;
  • limited access to employees and contractors except for authorized visitors; 
  • identification of the persons having access authority;
  • restriction on keys;
  • visitors books (including timekeeping); and
  • security alarm system or other appropriate security measures.

babelforce will revoke access to physical locations, systems, and applications that contain or process Data within twenty-four (24) hours of the cessation of such Authorized Agent’s need to access the system(s) or application(s).

5. Measures: Technical (password / password protection) and organizational (user master record) measures concerning user identification and authentication:

babelforce shall inform the Customer upon its reasonable request which authorized persons are entrusted with access to Data.

User control shall include the following measures:

• restricted VPN profile;
• implementation of 2-factor authentication

Access control to Data shall include the following measures:

• effective and measured disciplinary action against individuals who access data without authorization.

6. Measures: Technical and organizational measures concerning the security of networks (including wireless networks) utilized by babelforce.

All network controls shall include the following measures:

• On a regular basis, babelforce will run internal and external network vulnerability scans. Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.
• babelforce will deploy reasonably appropriate firewall technology in operation of its networks. 
• At a minimum, babelforce will review firewall rule sets quarterly to ensure that legacy rules are removed and active rules are configured correctly.
• babelforce will deploy intrusion detection or prevention systems in order to monitor networks for inappropriate activity.
• babelforce shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year.

Wireless network controls shall include the following additional measures:

• Network access to wireless networks should be restricted only to those authorized. 
• Access points shall be segmented from an internal, wired LAN using a gateway device.
• The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value.
• Encryption of all wireless connections will be enabled using industry standard encryption algorithms. Encryption protocols will be based on “Wireless Protected Access” (WPA2) or stronger. 

7. Measures: babelforce will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. If an Incident occurs, babelforce will (i) promptly take all necessary steps to prevent any further compromise of Data or any future Incidents; (ii) notify the Customer within twenty-four (24) hours of the Incident being identified and provide a written report within three (3) days thereafter; and (iii) respond promptly to any reasonable request from the Customer for detailed information pertaining to the Incident. babelforce’s notice and report will contain a description of the nature of the Incident, its impact, and any investigative, corrective, or remedial actions taken or planned.

8. Measures: Business Continuity & Disaster Recovery. babelforce has provided the Customer commercially reasonable and industry standard business continuity plan to maintain availability of the Service (the “Continuity Plan”). The Continuity Plan does and shall include, but is not limited to, elements such as (a) crisis management, plan and team activation, event & communication process documentation; (b) event management, business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, and system(s) details, recovery activities, and identification of the people / teams required for such recovery. babelforce shall maintain such Continuity Plan throughout the term of all subscriptions; provided that babelforce shall have the right to modify or amend the Continuity Plan provided such modification or amendment does not have a material adverse effect on babelforce ability to maintain availability of the Service.

1. At the Customer’s request, babelforce shall make commercially reasonable modifications to its information security program or to the procedures and practices thereunder to conform to the Customer’s baseline security requirements as outlined in all applicable exhibits to the Agreement and as they exist from time to time. The Customer shall provide babelforce with documentation of such baselines, which shall be part of the Customer’s confidential information under the Agreement. babelforce shall develop a written information security plan for the Customer containing, at a minimum, the topics called for in this Agreement.

Exhibit 1 

Cloudset Terms of Use

These Cloudset Terms and Conditions and the statement of work (the “SOW”) to which they are attached (together, the “Agreement”) contain the terms upon which Provider will licence the Cloudset Web Services to Customer who is identified as “Subscriber” in the SOW.

AGREEMENT:

(1) Definitions and interpretation

1.1 In the Agreement:

"Agreement" means the agreement between the Provider and the Customer for the provision of access to the Cloudset Platform and use of the Cloudset Web Services, incorporating these terms and conditions, the SOW, and any amendments to the Agreement from time to time;

"Business Day" means any week day, other than a bank or public holiday in England;

"Charges" means the amounts payable by the Customer to Zendesk in relation to the Cloudset Platform provided by Provider to Customer under the SOW;

"Cloudset Platform" means the software platform known as Cloudset that is owned and operated by the Provider, and that will be made available to the Customer as a service via the internet;

"Cloudset Web Services" means the web services provided or to be provided by the Provider to the Customer by means of the Cloudset Platform, being either the Cloudset SLA Management services or the Cloudset Apps services, as specified in the SOW;

"Customer" means the customer for the Cloudset Web Services identified as “Subscriber” in the SOW;

"Customer Confidential Information" means

(a) any information disclosed (whether disclosed in writing, orally or otherwise) by the Customer to the Provider during the Term that is marked as "confidential", described as "confidential" or should have been understood by the Provider at the time of disclosure to be confidential; and

(b) the Customer Materials.

"Customer Data" means the identity and details of the Customer supplied in the Cloudset Platform registration (as updated from time to time) and all information about the Customer's use of, and rights to use, the Cloudset Platform and Cloudset Web Services, including Customer agent names and groups;

"Customer Materials" all works and materials (excluding the Customer Data) uploaded to the Cloudset Platform, or processed or transmitted using the Cloudset Web Services, by or on behalf of the Customer;

“Metadata” means data about data, specifically in the context of Zendesk ticket management the ticket, user, and org ID’s, ticket system and custom field names and option field values data;

“End-customer Ticket Data” means ticket subject data, ticket organization names, ticket requester names that is processed by the Provider on behalf of the Customer in relation to the Agreement;

"Customer Personal Data" means any Personal Data that is processed by the Provider on behalf of the Customer in relation to the Agreement;

"Data Protection Laws" means all applicable laws relating to the processing of Personal Data including, while it is in force and applicable to Customer Personal Data, the General Data Protection Regulation (Regulation (EU) 2016/679);

"Defect" means a defect, error or bug having a material adverse effect on the operation or functionality of the Cloudset Platform, but excluding any defect, error or bug caused by or arising as a result of an incompatibility between the Cloudset Platform and any other system, application, program or software other than the Interface Software;

"Documentation" means the data sheets produced by the Provider and made available on the Cloudset Platform to the Customer;

"Effective Date" means the date that the Agreement comes into force as specified in Clause 2;

"Force Majeure Event" means an event, or a series of related events, that is outside the reasonable control of the party affected (including failures of or problems with the internet or a part of the internet, hacker attacks, virus or other malicious software attacks or infections, power failures, industrial disputes affecting any third party, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars);

"Intellectual Property Rights" means all intellectual property rights wherever in the world, whether registered or unregistered, including any application or right of application for such rights (and the "intellectual property rights" referred to above include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trade marks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models, semi-conductor topography rights and rights in designs);

"Interface Software & API’s" means secure system-to-system OAuth & JWT software supplied by the Provider and Reseller to the Customer for the purpose of enabling the Customer to utilize the Cloudset Web Services and access the Zendesk REST and Zendesk Incremental Ticket (streamed ticket data changes) API’s;

"Personal Data" has the meaning given to it in the Data Protection Laws applicable in the United Kingdom from time to time, specifically any information to an identified or identifiable natural person;

"Provider" means Cloudset Limited, a company incorporated in England and Wales (registration number 04399183) having its registered office at 3rd Floor 86-90 Paul Street, London, EC2A 4NE, United Kingdom;

"Subscription Period" means:

(a) if the Agreement relates to Cloudset Performset, a 12 month period, unless otherwise in writing between Customer and Zendesk; and

(b) if the Agreement relates to Cloudset Apps, a 12 month period, unless otherwise in writing between Customer and Zendesk;

"Support Services" means support and maintenance services provided or to be provided by the Provider to the Customer in accordance with Clause 4;

"Term" means the term of the Agreement; and

"Upgrades" means new versions of, and updates to, the Cloudset Platform, whether for the purpose of fixing an error, bug or other issue in the Cloudset Platform or enhancing the functionality of the Cloudset Platform.

1.2 In the Agreement, a reference to a statute or statutory provision includes a reference to:

(a) that statute or statutory provision as modified, consolidated and/or re-enacted from time to time; and

(b) any subordinate legislation made under that statute or statutory provision.

1.3 The Clause headings do not affect the interpretation of the Agreement.

1.4 The ejusdem generis rule is not intended to be used in the interpretation of the Agreement.

1.5 References in the Agreement to time are references to the time in London, UK.

(2) Agreement and Term
2.1 The Agreement will come into force upon your execution of the SOW which defines the Cloudset products, quantities, and term period.

2.2 Once in force, the Agreement will continue in force indefinitely, unless and until the Agreement is terminated in accordance with Clause 13 or as otherwise specified in the SOW.

(3) Cloudset Platform and Cloudset Web Services
3.1 Subject to the prohibitions set out in Clause 3.2, the Provider hereby grants to the Customer a non-exclusive licence to access the Cloudset Platform and to use the Cloudset Web Services, by means of the Interface Software only, for the sole purpose of processing the data of the Customer, during the Term. Access to Cloudset configuration services is only available to Customer’s administrators from within the Zendesk interfaces.

3.2 The licence granted by the Provider to the Customer under this Clause 3 is subject to the following prohibitions:

(a) the Customer must not sub-license its right to access and use the Cloudset Web Services or allow any unauthorised person to access or use the Cloudset Web Services; and

(b) the Customer must not alter or adapt or edit the Cloudset Platform.

3.3 For the avoidance of doubt, the Customer has no right to access the object code or source code of the Cloudset Platform, either during or after the Term.

3.4 All Intellectual Property Rights in the Cloudset Platform will remain, as between the parties, the property of the Provider.

3.5 The Customer shall use all reasonable endeavours to ensure that no unauthorised person will or could access the Cloudset Platform or use the Cloudset Web Services using the Customer's access credentials.

3.6 To the extent that Customer purchases professional or implementation services from Provider regarding the Cloudset Platform and/or Cloudset Web Services (“Professional Services”), as indicated on the SOW, such Professional Services will be subject to the Cloudset Professional Service Terms attached hereto as Exhibit B.

(4) Support Services and Upgrades

4.1 During the Term, the Provider will provide the Support Services to the Customer, and may apply Upgrades to the Cloudset Platform, in accordance with the provisions of this Clause 4.

4.2 The Provider will make available between 09.00 and 24.00 London time on Business Days an EU (Ireland) based Zendesk helpdesk facility for the purposes of:

(a) assisting the Customer directly with the proper use of the Cloudset Platform; and/or 

(b) determining the causes of errors and fixing errors in the Cloudset Platform.

(c) liaising where applicable with Zendesk Premier Support on critical support using ticket Zendesk sharing facilities.

(d) in all cases, the Customer must exclude and End-customer Ticket Data in support tickets that breach any End-customer data privacy or territory data processing agreements.

4.3 The Provider will use reasonable endeavours to ensure that a member of its support staff can be reached by mobile phone outside the support hours referred to in Clause 4.2 in the case of an emergency.

4.4 The Customer will make reasonable use of the helpdesk facility, and the Provider reserves the right to suspend the helpdesk facility in the event that, after being provided with written warning of misuse by Provider, the Customer continues to make unreasonable use of that facility.

4.5 The Customer acknowledges that from time to time during the Term the Provider may apply Upgrades to the Cloudset Platform, and that such Upgrades may result in changes the functionality of the Cloudset Platform.

4.6 In the event of the interruption of the Cloudset Web Services, the Provider shall use reasonable endeavours to arrange for the resumption of the Cloudset Web Services in such manner that the Customer does not suffer any data loss.

4.7 The Provider may suspend access to the Cloudset Platform in order to carry out scheduled maintenance, such maintenance to be carried out on any day which is not a Business Day.

4.8 The Provider may sub-contract the provision of any of the Support Services without obtaining the consent of the Customer.

4.9 Provider will provide Customer with at least six (6) months advance notice of any feature end of life or deprecation. Notice will be provided as described in Clause 15.

4.10 Provider represents and warrants that the Cloudset Web Services will achieve a monthly availability percentage of at least 99.9% in any calendar month (i.e. max forty-three (43) minutes of downtime per month) during the Term. Uptime will be monitored by Pingdom against select critical endpoints and published at https://cloudset.statuspage.io/. Planned maintenance/downtime shall be limited to under 4 hours in a given month and Provider will provide Customer at least seven (7) days advanced notice to Customers of such unavailability (“Scheduled Downtime”). Notice will be provided as described in Clause 15.

(5) Customer Materials
5.1 The Customer grants to the Provider a non-exclusive licence to store, copy and otherwise use the Customer Materials, at a minimum ticket Metadata and ticket subject line (End-customer Ticket Data) in the case of the Cloudset SLA Management services on the Cloudset Platform for the purposes of operating the Cloudset Platform, providing the Cloudset Web Services, fulfilling its other obligations under the Agreement, and exercising its rights under the Agreement. Customers can elect at the configuration stage, two functionality extension levels for Cloudset SLA Management services:

(a) Minimum SLA Dashboard requires the temporary persistent storage of agent name, and agent (Customer Personal Data)

(b) Full SLA Dashboard requires the temporary persistent storage of the requester name and requester name (End-customer Ticket Data)

(c) In no case does ticket comment data (End-customer Ticket Data) get stored, only processed as a system look-up on the SLA Dashboard (Minimum & Full only).

(d) Cloudset support agents or infrastructure engineers, in all instances, don’t have the possibility to access Cloudset encrypted End-customer data, nor a Customer Zendesk agent or admin licence to view End-customer Ticket Data in the Customer’s Zendesk instance, unless the Customer expressly issues the Provider a licence to access the Customer’s Zendesk instance.

(e) Once the ticket closes and all reporting data is delivered to the ticket, the ticket Metadata and ticket subject line (End-customer Ticket Data is purged from the Cloudset Platform.

5.2 Subject to Clause 5.1, all Intellectual Property Rights in the Customer Materials will remain, as between the parties, the property of the Customer.

5.3 The Customer warrants and represents to the Provider that the Customer Materials, and their use by the Provider in accordance with the terms of the Agreement, will not:

(a) breach any laws, statutes, regulations or legally-binding codes;(b) infringe any person's Intellectual Property Rights or other legal rights; or

(c) give rise to any cause of action against the Provider or the Customer or any third party, in each case in any jurisdiction and under any applicable law.

5.4 Where the Provider reasonably suspects that there has been a breach of the provisions of this Clause 5, the Provider may:

(a) delete or amend the relevant Customer Materials; and/or

(b) suspend any or all of the Cloudset Web Services and/or the Customer's access to the Cloudset Platform while it investigates the matter.

5.5 Any breach by the Customer of this Clause 5 will be deemed to be a material breach of the Agreement for the purposes of Clause 13.

(6) Charges

6.1 The Charges for the Cloudset Web Services will be processed through Zendesk, Inc. (“Zendesk”). The exact Charges will be as reflected on the SOW or similar ordering documents executed by Customer with Zendesk. Failure to pay Zendesk for the Charges will result in the actions described in this Clause 6. For clarity, Cloudset is the provider of the Cloudset Platform to Customer.

6.2 Reserved.

6.3 All Charges stated in or in relation to the Agreement are stated exclusive of VAT, unless the context requires otherwise. Where applicable, VAT will be payable by the Customer to the Provider in addition to the principal amounts.

6.4 The Provider may vary the Charges by giving to the Customer not less than 30 days' written notice of the variation expiring after the end of the then-current Subscription Period.

6.5 Reserved.

6.6 Reserved.

6.7 If the Customer does not pay any amount properly due to the Provider, through Zendesk, under or in connection with the Agreement, the Provider may:

(a) charge the Customer interest on the overdue amount at the rate of 8% per year above the base rate of HSBC Bank Plc from time to time (which interest will accrue daily and be compounded quarterly); or

(b) claim interest and statutory compensation from the Customer pursuant to the Late Payment of Commercial Debts (Interest) Act 1998.

6.8 The Provider may suspend access to the Cloudset Platform and the provision of the Cloudset Web Services if any amounts due to be paid by the Customer for the Cloudset Web Services are overdue.

6.9 The Customer acknowledges that, where the Customer does not fully utilise any Cloudset Web Services usage allowances included in the fixed Charges, such allowances will not be carried over to the following period.

(7) Refund policy

7.1 If either party terminates the Agreement in accordance with Clause 13.3, then the Customer shall be released from any obligation to pay the Charges in respect of any subsequent Subscription Period, and where such Charges have already been paid to the Provider, the Customer shall be entitled to a refund of such Charges.

7.2 If Customer terminates the Agreement in accordance with Clause 13.6, then the Customer shall be released from any obligation to pay the Charges in respect of any period after the date of effective termination of the Agreement (such amount to be pro-rated by Provider on a straight-line basis over the then-current Subscription Period).

7.3 In no event will the Customer be entitled to any refund of, or release from liability to pay, variable Charges that the Customer has incurred.

7.4 Save as expressly provided in this Clause 7, the Customer will not be entitled to any refund of the Charges or released from any liability to pay the Charges on the termination of this Agreement.

(8) Warranties

8.1 The Customer warrants and represents to the Provider that it has the legal right and authority to enter into and perform its obligations under the Agreement.

8.2 The Provider warrants and represents to the Customer:

(a) that it has the legal right and authority to enter into and perform its obligations under the Agreement;

(b) that it will perform its obligations under the Agreement with reasonable care and skill; and

(c) that the Cloudset Platform will operate without Defects and will perform substantially in accordance with the Documentation (subject to any Upgrades).

8.3 The Customer acknowledges that:

(a) complex software is never wholly free from defects, errors and bugs, and the Provider gives no warranty or representation that the Cloudset Platform will be wholly free from such defects, errors and bugs;

(b) the Provider does not warrant or represent that the Cloudset Platform will be compatible with any application, program or software other than (i) the Interface Software, and (ii) the customer service software and services provided by Zendesk, Inc. as at the date of the Agreement; and

(c) the Provider will not and does not purport to provide any legal, taxation or accountancy advice under the Agreement or in relation to the Cloudset Platform and (except to the extent expressly provided otherwise) the Provider does not warrant or represent that the Cloudset Platform will not give rise to any civil or criminal legal liability on the part of the Customer or any other person.

8.4 All of the parties' warranties and representations in respect of the subject matter of the Agreement are expressly set out in the terms of the Agreement. To the maximum extent permitted by applicable law, no other warranties or representations concerning the subject matter of the Agreement will be implied into the Agreement.

(9) Customer indemnity

9.1 The Customer will indemnify and will keep indemnified the Provider against all liabilities, damages, losses, costs and expenses (including legal expenses and amounts paid in settlement of any disputes) suffered or incurred by the Provider and arising as a result of any breach by the Customer of Clause 5.3.

9.2 Provider will indemnify and hold Customer harmless, from and against any claim against any infringement by the Cloudset Platform and/or the Cloudset Web Services of a third party's patent, copyright, trademark or trade secret (an "IP Claim"). Provider shall, at its expense, defend any alleged IP Claim and pay damages finally awarded against Customer in connection therewith, providing that the Customer shall:

(a) upon becoming aware of an actual or potential IP Claim, notify the Provider;

(b) provide to the Provider all reasonable assistance in relation to the IP Claim, at the Provider's expense;

(c) allow the Provider the exclusive conduct of all disputes, proceedings, negotiations and settlements relating to the IP Claim, provided that (i) Customer shall be entitled to participate in same at Customer's expense, and (ii) Provider will not compromise or settle any IP Claim unless Customer obtains a complete release of all liability under such compromise or settlement; and

(d) not admit liability in connection with the IP Claim or settle the IP Claim without the prior written consent of the Provider.

(10) Limitations and exclusions of liability

10.1 Nothing in the Agreement will:

(a) limit or exclude the liability of a party for death or personal injury resulting from negligence;

(b) limit or exclude the liability of a party for fraud or fraudulent misrepresentation by that party;

(c) limit any liability of a party in any way that is not permitted under applicable law; or

(d) exclude any liability of a party that may not be excluded under applicable law.

10.2 The limitations and exclusions of liability set out in this Clause 10 and elsewhere in the Agreement:

(a) are subject to Clause 10.1; and
(b) govern all liabilities arising under the Agreement or in relation to the subject matter of the Agreement, including liabilities arising in contract, in tort (including negligence) and for breach of statutory duty.

10.3 Neither party will be liable to the other party in respect of any loss of profits, income, revenue, use, production or anticipated savings.

10.4 Neither party will be liable to the other party for any loss of business, contracts or commercial opportunities.

10.5 Neither party will be liable to the other party for any loss of or damage to goodwill or reputation.

10.6 Neither party will be liable to the other party in respect of any loss or corruption of any data, database or software.

10.7 Neither party will be liable to the other party in respect of any special, indirect or consequential loss or damage.

10.8 EXCEPT FOR (I) A PARTY'S INDEMNIFICATION OBLIGATIONS UNDER CLAUSE 9 HEREOF, AND/OR (II) A PARTY'S BREACH OF CLAUSE 12, EACH PARTY'S AGGREGATE LIABILITY TO ANY PARTY ARISING OUT OF THESE TERMS OR OTHERWISE IN CONNECTION WITH ANY SUBSCRIPTION TO, OR USE OR EMPLOYMENT OF THE SERVICE, SHALL IN NO EVENT EXCEED THE GREATER OF (I) THE CHARGES PAID BY CUSTOMER DURING THE TWELVE (12) MONTHS PRIOR TO THE FIRST EVENT OR OCCURRENCE GIVING RISE TO SUCH LIABILITY, OR (II) TEN THOUSAND U.S. DOLLARS (US$10,000).

(11) Data protection

11.1 Each party shall comply with the Data Protection Laws with respect to the processing of the Customer Personal Data.

11.2 The Customer warrants to the Provider that it has the legal right to disclose all Personal Data that it does in fact disclose to the Provider under or in connection with the Agreement.

11.3 The Customer shall only supply to the Provider, and the Provider shall only process, in each case under or in relation to the Agreement, the Personal Data of users of the Cloudset Web Services, the following types: names, job titles, organization or employer identities, and any personal data contained in any free text field submitted as part of a support query. The Provider shall only process the Personal Data for the purpose of providing, and monitoring the provision of, the Cloudset Web Services and the Support Services.

11.4 The Provider shall only process the Personal Data during the Term and for not more than ten (10) days following the end of the Term, subject to the other provisions of this Clause 11.

11.5 The Provider shall only process the Personal Data on the documented instructions of the Customer (including with regard to transfers of the Personal Data to any place outside the European Economic Area (EEA)), as set out in the Agreement or any other document agreed by the parties in writing. The Customer hereby authorises the transfers of Personal Data from within the EEA to the USA specified in Clause 11.11 below, unless, in the case of Cloudset SLA Management Services, the Customer can elect in the SOW to stipulate an EU or US exclusive facility which is not transferable.

 

11.6 The Provider shall promptly inform the Customer if, in the opinion of the Provider, an instruction of the Customer relating to the processing of the Personal Data infringes the Data Protection Laws.

11.7 Notwithstanding any other provision of the Agreement, the Provider may process the Personal Data if and to the extent that the Provider is required to do so by applicable law. In such a case, the Provider shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

11.8 The Provider shall ensure that persons authorised to process the Personal Data committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

11.9 The Provider and the Customer shall each implement appropriate technical and organisational measures to ensure an appropriate level of security for the Personal Data. Provider will protect Customer Materials and Customer Confidential Information in accordance with the information security measures described on Exhibit A.

11.10 The Provider must not engage any third party to process the Personal Data without the prior specific or general written authorisation of the Customer. In the case of a general written authorisation, the Provider shall inform the Customer at least 14 days in advance of any intended changes concerning the addition or replacement of any third party processor, and if the Customer objects to any such changes before their implementation, then the Customer may terminate the Agreement on 7 days' written notice to the Provider, providing that such notice must be given within the period of 7 days following the date that the Provider informed the Customer of the intended changes. The Provider shall ensure that each third party processor is subject to equivalent legal obligations as those imposed on the Provider by this Clause 11.

11.11 As at the Effective Date, the Provider is hereby authorised by the Customer to engage, as sub-processors with respect to Customer Personal Data, third parties within the following categories:

(a) support services infrastructure providers (as at the Effective Date, the appointed services provider is Zendesk, Inc); and

(b) hosting services providers (as at the Effective Date, the appointed services provider is Amazon Web Services, Inc), and the Customer acknowledges that the servers of these services providers may be situated in the USA or EU and agrees that the Customer Personal Data may be transferred to those servers providing that the transfers are protected by the following appropriate safeguards: (i) the applicable standard contractual clauses approved by the European Commission, (ii) the Privacy Shield scheme, or (iii) binding corporate rules. In the case Cloudset SLA Management Services, the Customer can elect in the SOW to stipulate an EU or US exclusive facility which is not to be transferable.

11.12 The Provider shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist the Customer with the fulfilment of the Customer's obligation to respond to requests exercising a data subject's rights under the Data Protection Laws.

11.13 The Provider shall assist the Customer in ensuring compliance with the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws. The Provider shall report any Personal Data breach relating to the Personal Data to the Customer within 48 hours following the Provider becoming aware of the breach.

11.14 The Provider shall make available to the Customer all information necessary to demonstrate the compliance of the Provider with its obligations under this Clause 11 and the Data Protection Laws.

11.15 The Provider shall, at the choice of the Customer, delete or return all of the Personal Data to the Customer after the provision of services relating to the processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data.

11.16 The Provider shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in respect of the compliance of the Provider's processing of Personal Data with the Data Protection Laws and this Clause 11.

11.17 If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to processing of Personal Data carried out under the Agreement, then the parties shall use their best endeavours promptly to agree such variations to the Agreement as may be necessary to remedy such non-compliance.

11.18 The Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Clause 11.13 or 11.16, providing that the Provider shall have no right to charge under this Clause if the request arises out of any breach by the Provider of the Agreement or any security incident affecting the software or systems of the Provider.

(12) Confidentiality

12.1 The Provider will:

(a) keep confidential and not disclose the Customer Confidential Information to any person save as expressly permitted by this Clause 12;

(b) protect the Customer Confidential Information against unauthorised disclosure by using the same degree of care as it takes to preserve and safeguard its own confidential information of a similar nature, being at least a reasonable degree of care; and

(c) without prejudice to the generality of Clause 12.1(b), ensure that all Customer account information stored on the Platform is stored in encrypted form, and that communications between the Platform and the Interface Software are protected by SSL technology.

12.2 Customer Confidential Information may be disclosed by the Provider to its officers, employees, agents, insurers and professional advisers, provided that the recipient is bound in writing to maintain the confidentiality of the Customer Confidential Information disclosed.

12.3 The obligations set out in this Clause 12 shall not apply to:

(a) Customer Confidential Information that is publicly known (other than through a breach of an obligation of confidence);

(b) Customer Confidential Information that is in possession of the Provider prior to disclosure by the Customer;

(c) Customer Confidential Information that is received by the Provider from an independent third party who has a right to disclose the relevant Confidential Information; or

(d) Customer Confidential Information that is required to be disclosed by law, or by a governmental authority, stock exchange or regulatory body.

(13) Termination

13.1 Either party may terminate the Agreement immediately by giving written notice to the other party if the other party commits any material breach of any term of the Agreement.

13.2 Either party may terminate the Agreement immediately by giving written notice to the other party if:

(a) the other party:

(i) is dissolved;

(ii) ceases to conduct all (or substantially all) of its business;

(iii) is or becomes unable to pay its debts as they fall due;

(iv) is or becomes insolvent or is declared insolvent; or

(v) convenes a meeting or makes or proposes to make any arrangement or composition with its creditors;

(b) an administrator, administrative receiver, liquidator, receiver, trustee, manager or similar is appointed over any of the assets of the other party;

(c) an order is made for the winding up of the other party, or a petition in bankruptcy for the other party is filed, or the other party passes a resolution for its winding up (other than for the purpose of a solvent company reorganisation where the resulting entity will assume all the obligations of the other party under the Agreement); provided, however, that in the event of a filing against the other party of an involuntary petition in bankruptcy, such petition must not have been dismissed within 60 days of such filing; or

(d) (where that other party is an individual) that other party dies, or as a result of illness or incapacity becomes incapable of managing his or her own affairs, or is the subject of a bankruptcy petition or order.

13.3 Either party may terminate the Agreement by giving at least 30 Business Day's written notice of termination to the other party, expiring at the end of the then-current Subscription Period.

13.4 Reserved.

13.5 The Provider may terminate the Agreement immediately by giving 60 days' written notice of termination to the Customer where the Customer fails to pay any amount due to be paid for the Cloudset Platform date, unless the Customer cures such failure within such 60-day notice period. Provider will provide notice of any late payment of Charges to Zendesk in addition to Customer.

(14) Effects of termination

14.1 Upon termination of the Agreement, all the provisions of the Agreement will cease to have effect, save that the following provisions of the Agreement will survive and continue to have effect (in accordance with their terms or otherwise indefinitely): Clauses 1, 7, 9, 10, 12, 14 and 17.

14.2 Termination of the Agreement will not affect either party's accrued liabilities and rights as at the date of termination.

14.3 Upon termination of the Agreement, Customer shall be granted limited access to the Cloudset Platform and the Cloudset Web Services for up to ten (10) days for the sole purpose of permitting Customer to retrieve Customer Data. For a period of up to twelve (12) months thereafter, upon Customer's request and at Customer's expense, Provider will retrieve Customer Data on back-up tapes from archives at Provider's then applicable rate for such services.

(15) Notices
15.1 Any notice given under the Agreement must be in writing (whether or not described as "written notice" in the Agreement) and must be delivered personally or sent by recorded signed-for post, or sent by email, for the attention of the relevant person, and to the relevant address given below (or as notified by one party to the other in accordance with this Clause).

The Provider

Addressee: Legal Department

Email address: legal@cloudset.net

Postal address: Cloudset Limited, 3rd Floor 86-90 Paul Street, London, EC2A 4NE, United Kingdom.

The Customer

The addressee and address or email address set out in the Cloudset Platform service registration or subsequently notified by the Customer to the Provider.

15.2 A notice will be deemed to have been received at the relevant time set out below (or where such time is not on a Business Day, at the start of the next Business Day after the relevant time set out below):

(a) where the notice is delivered personally, at the time of delivery;

(b) where the notice is sent by recorded signed-for post, 48 hours after posting; and

(c) where the notice is sent by email, at the time of the transmission (providing the sending party retains written evidence of the transmission).

15.3 A party receiving a notice under this Agreement must send to the other party an acknowledgement of receipt within 2 Business Days of the date of receipt of the notice.

(16) Force Majeure Event
Where a Force Majeure Event gives rise to a failure or delay in either party performing its obligations under the Agreement (other than obligations to make payment), those obligations will be suspended for the duration of the Force Majeure Event.

(17) General

17.1 No breach of any provision of the Agreement will be waived except with the express written consent of the party not in breach.

17.2 If a Clause of the Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other Clauses of the Agreement will continue in effect. If any unlawful and/or unenforceable Clause would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the Clause will continue in effect (unless that would contradict the clear intention of the parties, in which case the entirety of the relevant Clause will be deemed to be deleted).

17.3 The Agreement may not be varied except by a written document signed by or on behalf of each of the parties.

17.4 The Customer hereby agrees that the Provider may freely assign any or all of its contractual rights and/or obligations under the Agreement to any successor to all or a substantial part of the business of the assigning party from time to time. The Customer must not without the prior written consent of the Provider assign, transfer, charge, license or otherwise dispose of or deal in the Agreement or any contractual rights or obligations under the Agreement. Notwithstanding the foregoing, Customer's assignment of the Agreement or its rights and/or obligations thereunder to an entity that Customer controls, is controlled by or is under common control with shall not require Provider's consent.

17.5 The Agreement is made for the benefit of the parties, and is not intended to benefit any third party or be enforceable by any third party. The rights of the parties to terminate, rescind, or agree any amendment, waiver, variation or settlement under or relating to the Agreement are not subject to the consent of any third party.

17.6 Subject to Clause 10.1:

(a) the Agreement constitutes the entire agreement between the parties in relation to the subject matter of the Agreement, and supersedes all previous agreements, arrangements and understandings between the parties in respect of that subject matter; and

(b) neither party will have any remedy in respect of any misrepresentation (whether written or oral) made to it upon which it relied in entering into the Agreement unless expressly set forth in the Agreement.

17.7 The Agreement will be governed by and construed in accordance with the laws of England and Wales; and the courts of England will have exclusive jurisdiction to adjudicate any dispute arising under or in connection with the Agreement.

 

Exhibit A Information Security Measures

Provider warrants and represents that it shall use commercially reasonable efforts to implement and maintain the security measures detailed below to keep Customer Materials and Customer Confidential Information secure and protect Customer Materials and Customer Confidential Information (Customer Materials and Customer Confidential Information shall be collectively referred to as “Data” within this Exhibit A) against unauthorized or unlawful processing, accidental loss, destruction or damage, as further set forth below. In doing so, Provider will act in good faith and diligence, using reasonable care and skill.

1. Definitions:

• "Process" means any operation in relation to Data irrespective of the purposes and means applied, including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
• "Breach" means any (a) unauthorized Processing of Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by Provider regarding Processing Data or otherwise put in place to comply with these requirements. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
• “Incident” means any impairment to the security of Data including any (i) act that violates any law or any Provider security policy, (ii) unplanned service disruption that prevents the normal operation of the Cloudset Platform, or (iii) Breach.

2. Measures: Technical and organizational measures for the storage, handling, and disposal of and Data.

• Provider will utilize industry standard encryption algorithms and key strengths to encrypt the following:
  • Encrypt all Data that is in electronic form while in transit over all public wired networks (i.e. Internet) and all wireless networks.
  • Encrypt all Data while in storage. "In Storage" means information stored in databases, in file systems, and on various forms of online and offline media (Mobile devices, laptops, DASD, tape, etc.) and is also commonly referred to as "at rest."
• Except where prohibited by law, Provider will promptly remove Data upon (a) completion of Cloudset Platform; or (b) request by Zendesk to be removed from Provider’s environment, and destroy it within a reasonable timeframe, but in no case longer than twenty-one (21) days after the date of request or cessation of services. Provider will provide Zendesk with a written certification regarding such removal, destruction, and/or cleaning within thirty (30) days of such occurrence.

3. Measures: Malicious Code Protection.

• All workstations and servers (virtual or physical) will run the current version of industry standard anti-virus and/or anti-malware software with the most recent updates available on any workstation or server. Virus definitions must be updated promptly upon release by the anti-virus software provider. Provider will configure equipment and have supporting policies to prohibit users from disabling antivirus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Data or Provider’s computing environment.
• Provider will scan incoming and outgoing content for malicious code on all gateways to public networks including email and proxy servers.
• Provider will quarantine or remove files that have been identified as infected and will log the event.

4. Measures: Technical and organizational measures for access control, especially to control the legitimacy of authorized entrants to the facilities and systems where Data may be accessed:

Provider ensures measures are taken to secure the premises (for example, securing entries and exits) as well as measures within its building through the use of the following procedures:

• security and encryption of all personal computers or other mobile devices that may access Data;
• limited access to employees and contractors except for authorized visitors;
• identification of the persons having access authority;
• restriction on keys;
• visitors books (including timekeeping); and
• security alarm system or other appropriate security measures.

Provider will revoke access to physical locations, systems, and applications that contain or process Data within twenty-four (24) hours of the cessation of such Authorized Agent’s need to access the system(s) or application(s).

5. Measures: Technical (password / password protection) and organizational (user master record) measures concerning user identification and authentication:

The Provider shall inform the Customer upon its reasonable request which authorized persons are entrusted with access to Data.

User control shall include the following measures:

• restricted VPN profile;
• implementation of 2-factor authentication

Access control to Data shall include the following measures:

• effective and measured disciplinary action against individuals who access data without authorization.

6. Measures: Technical and organizational measures concerning the security of networks (including wireless networks) utilized by Provider.

All network controls shall include the following measures:

• On a regular basis, Provider will run internal and external network vulnerability scans. Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.
• Provider will deploy reasonably appropriate firewall technology in operation of its networks.
• At a minimum, Provider will review firewall rule sets quarterly to ensure that legacy rules are removed and active rules are configured correctly.
• Provider will deploy intrusion detection or prevention systems in order to monitor networks for inappropriate activity.
• Provider shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year.

Wireless network controls shall include the following additional measures:

• Network access to wireless networks should be restricted only to those authorized.
• Access points shall be segmented from an internal, wired LAN using a gateway device.
• The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value.
• Encryption of all wireless connections will be enabled using industry standard encryption algorithms. Encryption protocols will be based on “Wireless Protected Access” (WPA2) or stronger.

7.          Measures: Provider will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. If an Incident occurs, Provider will (i) promptly take all necessary steps to prevent any further compromise of Data or any future Incidents; (ii) notify Customer within twenty-four (24) hours of the Incident being identified and provide a written report within three (3) days thereafter; and (iii) respond promptly to any reasonable request from Customer for detailed information pertaining to the Incident. Provider’s notice and report will contain a description of the nature of the Incident, its impact, and any investigative, corrective, or remedial actions taken or planned.

 

8.          Measures: Business Continuity & Disaster Recovery. Provider has provided Customer commercially reasonable and industry standard business continuity plan to maintain availability of the Service (the “Continuity Plan”). The Continuity Plan does and shall include, but is not limited to, elements such as (a) crisis management, plan and team activation, event & communication process documentation; (b) event management, business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, and system(s) details, recovery activities, and identification of the people / teams required for such recovery. Provider shall maintain such Continuity Plan throughout the term of all subscriptions; provided that Provider shall have the right to modify or amend the Continuity Plan provided such modification or amendment does not have a material adverse effect on Provider ability to maintain availability of the Service

9. At Customer’s request Provider shall make commercially reasonable modifications to its information security program or to the procedures and practices thereunder to conform to Customer’s baseline security requirements as outlined in all applicable exhibits to the Agreement and as they exist from time to time. Customer shall provide Provider with documentation of such baselines, which shall be part of Customer Confidential Information under this Agreement. Provider shall develop a written information security plan for Customer containing, at a minimum, the topics called for in this agreement.

 

Exhibit B

Cloudset Professional Service Terms

1. Services

 

1.1 Provider will provide to Customer the professional services specified in the SOW with reasonable care and skill.

 

1.2 Customer will provide Provider with all co-operation, information and documentation reasonably required for the provision of the services.

 

2. Fees and Expenses

 

Provider’s professional services fees (“Professional Services Fees”) will be set forth on the SOW. Such Professional Services Fees will be invoiced by and processed through Zendesk. Failure to pay Zendesk for the Charges will result in the actions described in this Clause 6. For clarity, Cloudset is the provider of the Cloudset Platform and professional services to Customer.

 

3. Intellectual Property Rights

 

3.1 For the purpose of this Clause 3: (a) “Materials” means the materials (including software, but excluding source code) that Provider delivers or has a contractual obligation to deliver to Customer in the course of providing the services; and (b) “Intellectual Property Rights” means all intellectual property rights throughout the world whether vested or contingent and whether currently in existence or otherwise including (without limitation) copyright, database rights, design rights, registered designs, patents, trade marks, trade names signs and other designations, trade secrets and all similar rights whether registered or otherwise and all extensions, revivals, reversions and renewals of any of the above and, in relation to registrable rights, any applications made in respect thereof.

 

3.2 Provider hereby grants to Customer a worldwide, irrevocable, royalty-free, non-exclusive licence under the Intellectual Property Rights in the Materials to copy, adapt and publish the Materials, together with the right to sub-license these rights.

 

4. Termination

 

Termination of the Agreement will not affect our or your accrued rights and liabilities, or the continuing application of Clauses 3.1 and 3.2

Exhibit 1 

eOne Cloud Terms of Service

Revised: March 16th, 2023

Thanks for using eOne’s Cloud Solutions.  These eOne Cloud Terms of Service (“Terms”) describe your rights and responsibilities as a customer of SmartConnect and Popdock and any future cloud solutions we bring to market. These Terms are between you (the “Subscriber” identified on the Zendesk Resell Agreement) and eOne Integrated Business Solutions.

By agreeing with these terms, you are agreeing on behalf of the entity you represent, or, if that does not apply, you individually. By accepting, you represent and warrant that: (i) you have full legal authority to bind your employer or such entity to these Terms; (ii) you have read and understand these Terms; and (iii) you agree to these Terms on behalf of the party that you represent.

These Terms are effective as of the date the Zendesk Resell Agreement is executed or as otherwise specified on the Zendesk Resell Agreement.

 

1. What these Terms cover.

1.1. Cloud Solutions. These Terms govern our Cloud Solutions, related Support, and Additional Services. These Terms include Privacy Policy.

 

2. How Cloud Solutions are administered?

2.1. Administrators. Through the Cloud Solutions, you will be able to specify certain End Users to act as administrators, who will have important rights and controls over your use of Cloud Solutions and End User Accounts. This may include making additional purchases, creating, removing, monitoring, or modifying End User Accounts, and setting End User usage security permissions and managing access to Your Data by End Users or others.  You are responsible for whom you allow to become Administrators and any actions they take, including as described above. You agree that our responsibilities do not extend to the internal management or administration of the Cloud Solutions for you.

2.2. Reseller as Administrator. If you order Cloud Solutions through a Reseller, then you are responsible for determining whether the Reseller may serve as an Administrator and for any related rights or obligations in your applicable agreement with the Reseller.  As between you and eOne, you are solely responsible for any access by Reseller to your accounts or your other End User Accounts.

2.3. Credentials. You must require that all End Users keep their user IDs and passwords for the Cloud Solutions strictly confidential and do not share such information with any unauthorized person. User IDs are granted to individual, named persons and may not be shared. You are responsible for any and all actions taken using End User Accounts and passwords, and you agree to immediately notify us of any unauthorized use of which you become aware.

 

3. What is included in your Cloud Solution subscriptions?

3.1. Access to Cloud Solutions. Subject to these Terms and during the applicable Subscription Term, you may access and use the Cloud Solutions for your own business purposes. This includes the right, as part of your authorized use of the Cloud Solutions, to download and use any client software associated with the Cloud Solutions (if any). The rights granted to you in this Section 3.1 are non-exclusive, non-sublicensable and non-transferable.

3.2. Support. During the Subscription Term, we will provide Support for the Cloud Solutions in accordance with the subscription plans selected and in accordance with Exhibit A attached hereto, providing there are no payments in arrears.

3.3. Restrictions. Except as otherwise expressly permitted in these Terms, you will not: (a) reproduce, modify, adapt or create derivative works of the Cloud Solutions; (b) rent, lease, distribute, sell, sublicense, transfer or provide access to the Cloud Solutions to a third party; (c) use the Cloud Solutions for the benefit of any third party; (d) incorporate any Cloud Solutions into a product or service you provide to a third party without specific approval from eOne; (e) interfere with or otherwise circumvent mechanisms in the Cloud Solutions intended to limit your use; (f) reverse engineer, disassemble, decompile, translate or otherwise seek to obtain or derive the source code, underlying ideas, algorithms, file formats or non-public APIs to any Cloud Solutions, except to the extent expressly permitted by applicable law (and then only upon advance notice to us); (g) use the Cloud Solutions for competitive analysis or to build competitive products; (h) publicly disseminate information regarding the performance of the Cloud Solutions; or (i) encourage or assist any third party to do any of the foregoing.

3.4. Availability Uptime/SLA.  eOne represents and warrants that the Cloud Solutions will achieve a monthly availability percentage of at least 99.9% in any calendar month (i.e. max forty-three (43) minutes downtime per month) during the Subscription Term. Planned maintenance/downtime shall be limited to under four (4) hours in a given month and eOne will provide at least seven (7) days’ advanced written (email acceptable) notice to you of such unavailability (“Scheduled Downtime”).

 

4. Our security and data privacy policies.

4.1. Security and Certifications. We implement and maintain physical, technical, and administrative security measures designed to protect Your Data from unauthorized access, destruction, use, modification, or disclosure.

4.2. Privacy. We collect certain data and information about you and your End Users in connection with your and your End Users’ use of the Cloud Solutions and otherwise in connection with these Terms. We collect and use all such data and information in accordance with our Privacy Policy, which you acknowledge.

4.3. Improving Cloud Solutions. We are always striving to improve our Cloud Solutions. In order to do so, we use usage data and analytic techniques to better understand how our Cloud Solutions is being used.

4.4. Subpoenas. Nothing in these Terms prevents us from disclosing Your Data to the extent required by law, subpoenas, or court orders, but we will use commercially reasonable efforts to notify you where permitted to do so.

 

5. Terms that apply to Your Data.

5.1. Using Your Data to provide Cloud Solutions to You. You retain all right, title and interest in and to Your Data in the form submitted to the Cloud Solution. Subject to these Terms, and solely to the extent necessary to provide the Cloud Solution to you, you grant us a worldwide, limited term license to access, use, process, copy, distribute, perform, export, and display Your Data. These rights are granted solely for the purposes of delivering a functioning application to you. Your data will not be shared, in any form, with any third party. We may also access your accounts, End User Accounts, and your Cloud Solutions with End User permission in order to respond to your support requests.

5.2. Your Data Compliance Obligations. You and your use of Cloud Solutions must comply at all times with these Terms. You represent that: (i) you have obtained all necessary rights, releases and permissions to submit all Your Data to the Cloud Solutions and to grant the rights granted to us in these Terms and (ii) Your Data and its submission and use as you authorize in these Terms will not violate (1) any Laws, (2) any third-party intellectual property, privacy, publicity or other rights, or (3) any of your or third-party policies or terms governing Your Data. Other than our express obligations of our security and data privacy policies, we assume no responsibility or liability for Your Data, and you are solely responsible for Your Data and the consequences of submitting and using it with the Cloud Solutions.

5.3. Mutual Indemnity. Each party will defend, indemnify, and hold the other party harmless (including Affiliates, officers, directors, agents, and employees) from and against any and all claims, costs, damages, losses, liabilities, and expenses (including reasonable attorneys’ fees and costs) resulting from any claim arising from or related to your breach of the terms of this document. This indemnification obligation is subject to receiving (a) prompt written notice of such claim (but in any event notice in sufficient time for response without prejudice); (b) the exclusive right to control and direct the investigation, defense, or settlement of such claim and (c) all reasonably necessary cooperation by us at your expense.

5.4. Indemnity for IP Infringement. eOne shall indemnify and hold You harmless of any damages and costs awarded by a court of competent jurisdiction against You, which relate directly to a finding by such court that your use of the Online Solutions in accordance with this Agreement infringed any copyright, patent, trade secret or other intellectual property right of a third party; provided, however, This indemnification obligation is subject to receiving (a) prompt written notice of such claim (but in any event notice in sufficient time for response without prejudice); (b) the exclusive right to control and direct the investigation, defense, or settlement of such claim and (c) all reasonably necessary cooperation by us at your expense.

 

6. Additional Services.

6.1. Additional Services. Subject to these Terms, you may purchase Additional Services that we will provide in addition to the Subscription. Additional Services may be subject to additional policies and terms as specified by us.

6.2. Our Deliverables. We will retain all right, title and interest in and to Our Deliverables. You may use any of Our Deliverables provided to you only in connection with the Cloud Solutions, subject to the same usage rights and restrictions as for the Cloud Solutions.

6.3. Your Materials. You agree to provide us with reasonable access to Your Materials as reasonably necessary for our provision of Additional Services. If you do not provide us with timely access to Your Materials, our performance of Additional Services will be excused until you do so. You retain your rights in Your Materials, subject to our ownership of any Cloud Solutions, any of Our Deliverables or any of Our Technology underlying Your Materials. We will use Your Materials solely for purposes of performing the Additional Services. You represent and warrant that you have all necessary rights in Your Materials to provide them to us for such purposes.

6.4. Training Not Covered. Your purchase, and our provision, of Training is subject to the specific offerings included in your selected subscription plan. Additional training is available in multiple forms including public bootcamps, private training sessions and learn as you build programs.

 

7. Subscriptions and renewals.

7.1. Monthly and Annual Plans. Except for No-Charge Products, all Cloud Solutions are offered either on a monthly subscription basis or an annual subscription basis, with multiyear prepayment options.

7.2. Renewals. Any renewal of the Cloud Solutions under these Terms shall be subject to a new Zendesk resell agreement or similar ordering document that specifies the subscription details.

 

8. Our return policy.

8.1. As part of our commitment to customer satisfaction, you may terminate your subscription for any reason effective at the next renewal date of your subscription. Upon cancellation of the subscription, no further charges will made to the credit card on file. Cancelling your subscription means that you will not be charged for the next billing cycle, but you will not receive any refunds or credits for amounts that have already been charged.

 

9. Taxes not included.

9.1. Taxes. Your fees under these Terms exclude any taxes or duties payable in respect of the Cloud Solutions in the jurisdiction where the payment is either made or received. To the extent that any such taxes or duties are payable by us, you must pay to us the amount of such taxes or duties in addition to any fees owed under these Terms.

 

10. If you purchased through a Reseller. If you make any purchases through an authorized partner or reseller of eOne (“Reseller”):

10.1. Instead of paying us, you may be required to pay the applicable amounts to the Reseller, as agreed between you and the Reseller. We may suspend or terminate your rights to use Cloud Solutions if we do not receive the corresponding payment from the Reseller. You acknowledge that Zendesk will be the Reseller under these Terms, and you authorize Zendesk to act as the billing agent for the Cloud Solutions ordered from eOne provided in the Zendesk Resell Agreement.

10.2. Your Subscription details (e.g., the Cloud Solutions you are entitled to use, the number of End Users, the Subscription Term, etc.) will be as stated in the Zendesk Resell Agreement, and Reseller is responsible for the accuracy of any such order as communicated to us.

10.3. If you are entitled to a refund under these Terms, then unless we otherwise specify, we will refund any applicable fees to the Reseller and the Reseller will be solely responsible for refunding the appropriate amounts to you.

10.4. Resellers are not authorized to modify these Terms or make any promises or commitments on our behalf, and we are not bound by any obligations to you other than as set forth in these Terms.

10.5. The amount paid or payable by the Reseller to us for your use of the applicable Cloud Solutions under these Terms will be deemed the amount actually paid or payable by you to us under these Terms for purposes of calculating the liability cap in Section 17.2.

 

11. Evaluations, trials, and betas.

11.1. We may offer certain Cloud Solutions to you at no charge, including free accounts, trial use and Beta Versions as defined below (collectively, “No-Charge Products”). Your use of No-Charge Products is subject to any additional terms that we specify and is only permitted during the Subscription Term we designate (or, if not designated, until terminated in accordance with these Terms).

 

12. IP Rights in the Cloud Solutions and Feedback.

12.1. Cloud Solutions are made available on a limited access basis, and no ownership right is conveyed to you, irrespective of the use of terms such as “purchase” or “sale”. We retain all right, title and interest, including all intellectual property rights, in and to Our Technology (including the Cloud Solutions). From time to time, you may choose to submit Feedback to us. We may in connection with any of our products or services freely use, copy, disclose, license, distribute and exploit any Feedback in any manner without any obligation, royalty or restriction based on intellectual property rights or otherwise. No Feedback will be considered your Confidential Information, and nothing in these Terms limits our right to independently use, develop, evaluate, or market products or services, whether incorporating Feedback or otherwise.

 

13. Confidentiality.

13.1. The parties acknowledges that one party may disclose (“Discloser”) to the other party (“Recipient”) trade secrets and confidential information in the possession of Discloser and owned by Discloser or companies affiliated, associated or related to Discloser and acquired through the expenditure of time, effort and money, including without limitation computer programs, source code, data, software modules and related documentation, know-how, algorithms, financial information, business plans, customer information, customer data, and all proprietary software products of Discloser (collectively and individually hereinafter referred to as the “Confidential Information”).

13.2. Ownership. The Recipient acknowledges that Confidential Information is and shall be the sole and exclusive property of Discloser. The Recipient acknowledges and agrees that the Recipient shall not acquire any right, title or interest in and to the Confidential Information.

13.3. Exclusion. The obligations of the Recipient under this section shall not apply to Confidential Information which:

13.3.1. at the time of disclosure is readily available to the public other than through a breach of this Agreement;

13.3.2. is lawfully disclosed to the Recipient by a third party who has a legal right to make such disclosure;

13.3.3. the Recipient can establish, through written records, was in its possession prior to the date of first disclosure of the Confidential Information to the Recipient by Discloser; or

13.3.4. that is or has been independently acquired (without restriction on disclosure) or developed by Recipient without use of, or reliance on, the Confidential Information of Discloser in any way.

13.4. Limited Disclosure and Reproduction. The Recipient, during the term of this Agreement and thereafter, shall keep the Confidential Information strictly confidential and shall take all necessary precautions against unauthorized disclosure of the Confidential Information during the term of this Agreement and thereafter. Without limiting the generality of the foregoing, the Recipient shall not, directly or indirectly, disclose, allow access to, transmit or transfer the Confidential Information to an unauthorized third party without Discloser’s consent, nor shall the Recipient, including its principals, employees, agents and representatives, copy or reproduce the Confidential Information, or use the Confidential Information for any purpose other than as reasonably required to provide the Cloud Solutions.

13.5.  The Receiving Party acknowledges that disclosure of Confidential Information would cause substantial harm for which damages alone would not be a sufficient remedy, and therefore that upon any such disclosure by the Receiving Party the Disclosing Party will be entitled to appropriate equitable relief in addition to whatever other remedies it might have at law.

 

14.  Data Security.

14.1. eOne shall comply at all times with its Privacy Policy and shall maintain appropriate security measures to safeguard against any unauthorized or unlawful access to, or breach of, a parties’ Confidential Information.

14.2. eOne agrees that, to the extent it utilizes subcontractors to perform any portion of the Cloud Services, it shall be liable for any breach of the terms of this agreement by its subcontractors as if it had committed such breach itself.

14.3. eOne takes great caution in verifying service providers and suppliers that are used to provide its Cloud Services to ensure their standards are at least as rigorous as eOne’s.   eOne does not and cannot guarantee the actions and conduct of these parties.  eOne will only share confidential information with these parties as required to provide the Cloud Services.

14.4. In respect of any data security breach involving Confidential Information, eOne shall, without undue delay (and in any event, within 48 hours):

14.4.1. Notify all parties, providing details of the breach, including the type of information exposed;

14.4.2. Use reasonable endeavors to implement any measures necessary to restore the security of the compromised data;

14.4.3. Provide additional updates to the other party in a timely manner while eOne performs its investigation of the incident and its cause;

14.4.4. Assist the other party in notifying impacted data subjects and government authorities, as required;

14.5. eOne commits to the information security terms set forth in Exhibit B, attached hereto.

 

15. Term and Termination.

15.1. Term. These Terms are effective as of the Effective Date and expire on the date of expiration or termination of all Subscription Terms.

15.2. Termination for Cause. Either party may terminate these Terms if the other party (a) fails to cure any material breach of these Terms within thirty (30) days after notice; (b) ceases operation without a successor; or (c) seeks protection under any bankruptcy, receivership, trust deed, creditors’ arrangement, composition, or comparable proceeding, or if any such proceeding is instituted against that party (and not dismissed within sixty (60) days thereafter).

15.3. Termination for Convenience. You may choose to stop using the Cloud Solutions and terminate these Terms at any time for any reason upon notice to us, although you will not be entitled to a refund of any pre-paid fees and (ii) if you have not already paid all applicable fees for the then-current Subscription Term or related services period (as applicable), any such fees that are outstanding will become immediately due and payable.

 

16. Warranties and Disclaimer.

16.1. Mutual Warranties. Each party represents and warrants that it has the legal power and authority to enter into these Terms.

16.2. Our Warranties. We warrant, for your benefit only, that we use commercially reasonable efforts to prevent introduction of viruses or similar harmful materials into the Cloud Solutions (but we are not responsible for harmful materials submitted by you or End Users)

16.3. Warranty Remedy. We will use commercially reasonable efforts, at no charge to you, to correct reported non-conformities with the Performance Warranty. If we determine corrections to be impracticable, either party may terminate the applicable Subscription Term. The Performance Warranty will not apply: (i) unless you make a claim within thirty (30) days of the date on which you first noticed the non-conformity, (ii) if the non-conformity was caused by misuse, unauthorized modifications or third-party products, software, services, or equipment or (iii) to No-Charge Products. Our sole liability, and your sole and exclusive remedy, for any breach of the Performance Warranty are set forth in this Section 16.

16.4. WARRANTY DISCLAIMER. EXCEPT AS EXPRESSLY PROVIDED IN THIS SECTION 16, ALL ONLINE SOFTWARE, SUPPORT AND ADDITIONAL SERVICES ARE PROVIDED “AS IS,” AND WE AND OUR SUPPLIERS EXPRESSLY DISCLAIM ANY AND ALL WARRANTIES AND REPRESENTATIONS OF ANY KIND, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT, TITLE, FITNESS FOR A PARTICULAR PURPOSE, FUNCTIONALITY OR MERCHANTABILITY, WHETHER EXPRESS, IMPLIED OR STATUTORY. WITHOUT LIMITING OUR EXPRESS OBLIGATIONS IN THESE TERMS, WE DO NOT WARRANT THAT YOUR USE OF THE ONLINE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, THAT WE WILL REVIEW YOUR DATA7 FOR ACCURACY OR THAT WE WILL PRESERVE OR MAINTAIN YOUR DATA WITHOUT LOSS. YOU UNDERSTAND THAT USE OF THE ONLINE SOFTWARE NECESSARILY INVOLVES TRANSMISSION OF YOUR DATA OVER NETWORKS THAT WE DO NOT OWN, OPERATE OR CONTROL, AND WE ARE NOT RESPONSIBLE FOR ANY OF YOUR DATA LOST, ALTERED, INTERCEPTED OR STORED ACROSS SUCH NETWORKS. WE CANNOT GUARANTEE THAT OUR SECURITY PROCEDURES WILL BE ERROR-FREE, THAT TRANSMISSIONS OF YOUR DATA WILL ALWAYS BE SECURE OR THAT UNAUTHORIZED THIRD PARTIES WILL NEVER BE ABLE TO DEFEAT OUR SECURITY MEASURES OR THOSE OF OUR THIRD-PARTY SERVICE PROVIDERS. WE WILL NOT BE LIABLE FOR DELAYS, INTERRUPTIONS, SERVICE FAILURES OR OTHER PROBLEMS INHERENT IN USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS OR OTHER SYSTEMS OUTSIDE OUR REASONABLE CONTROL. YOU MAY HAVE OTHER STATUTORY RIGHTS, BUT THE DURATION OF STATUTORILY REQUIRED WARRANTIES, IF ANY, WILL BE LIMITED TO THE SHORTEST PERIOD PERMITTED BY LAW.

 

17. Limitation of Liability.

17.1. Consequential Damages Waiver. EXCEPT FOR EXCLUDED CLAIMS (AS DEFINED BELOW), NEITHER PARTY (NOR ITS SUPPLIERS) WILL HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS FOR ANY LOSS OF USE, LOST OR INACCURATE DATA, LOST PROFITS, FAILURE OF SECURITY MECHANISMS, INTERRUPTION OF BUSINESS, COSTS OF DELAY, OR ANY INDIRECT, SPECIAL, INCIDENTAL, RELIANCE, OR CONSEQUENTIAL DAMAGES OF ANY KIND, EVEN IF INFORMED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

17.2. Liability Cap. EXCEPT FOR EXCLUDED CLAIMS, EACH PARTY’S AND ITS SUPPLIERS’ AGGREGATE LIABILITY TO THE OTHER ARISING OUT OF OR RELATED TO THESE TERMS WILL NOT EXCEED THE AMOUNT ACTUALLY PAID OR PAYABLE BY YOU TO US UNDER THESE TERMS IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE CLAIM.

17.3. Excluded Claims. “Excluded Claims” means (1) amounts owed by you, (2) either party’s express indemnification obligations in these Terms.

17.4. Nature of Claims and Failure of Essential Purpose. The parties agree that the waivers and limitations specified in this Terms document apply regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise and will survive and apply even if any limited remedy specified in these Terms is found to have failed of its essential purpose.

 

18. Publicity Rights.

18.1. We will only identify you as an eOne customer in our promotional materials with your prior written consent. If prior written consent is provided, we will promptly stop doing so upon your request sent to sales@eonesolutions.com.

19. Dispute Resolution.

19.1. Informal Resolution. In the event of any controversy or claim arising out of or relating to these Terms, the parties will consult and negotiate with each other and, recognizing their mutual interests, attempt to reach a solution satisfactory to both parties. If the parties do not reach settlement within a period of sixty (60) days, either party may pursue relief as may be available under these Terms.

19.2. Governing Law; Jurisdiction. These Terms will be governed by and construed in accordance with the applicable laws of the State of North Dakota, USA, without giving effect to the principles of that State relating to conflicts of laws.

19.3. Injunctive Relief; Enforcement. Notwithstanding the provisions of these terms, nothing in these Terms will prevent us from seeking injunctive relief with respect to a violation of intellectual property rights, confidentiality obligations or enforcement or recognition of any award or order in any appropriate jurisdiction.

 

20. Changes to these Terms. These Terms may be amended upon a mutual writing signed by authorized representatives of the parties.

 

21. Changes to the Cloud Solutions.

21.1. You acknowledge that the Cloud Solutions is on-line, subscription-based, and that in order to provide improved customer experience we may make changes to the Cloud Solutions, and we may update the applicable Documentation accordingly. Subject to our obligation to provide Cloud Solutions, we can discontinue any Cloud Solutions, any Additional Services, or any portion or feature of any Cloud Solutions for any reason at any time without liability to you. Provided, however, eOne will provide you with at least six (6) months advance notice of any Cloud Solutions feature end of life or deprecation.

 

22. General Provisions.

22.1. Force Majeure. Neither party will be liable to the other for any delay or failure to perform any obligation under these Terms (except for a failure to pay fees) if the delay or failure is due to events which are beyond the reasonable control of such party, such as a strike, blockade, war, act of terrorism, riot, natural disaster, failure or diminishment of power or telecommunications or data networks or services, or refusal of a license by a government agency.

22.2. Assignment. You may not assign or transfer these Terms without our prior written consent. As an exception to the foregoing, you may assign these Terms in their entirety to your successor resulting from a merger, acquisition, or sale of all or substantially all of your assets or voting securities, provided that you provide us with prompt written notice of the assignment and the assignee agrees in writing to assume all of your obligations under these Terms. Any attempt by you to transfer or assign these Terms except as expressly authorized above will be null and void. We may assign our rights and obligations under these Terms (in whole or in part) without your consent. We may also permit our Affiliates, agents, and contractors to exercise our rights or perform our obligations under these Terms, in which case we will remain responsible for their compliance with these Terms. Subject to the foregoing, these Terms will inure to the parties’ permitted successors and assigns.

22.3. Entire Agreement. These Terms are the entire agreement between you and us relating to the Cloud Solutions and any other subject matter covered by these Terms and supersede all prior or contemporaneous oral or written communications, proposals and representations between you and us with respect to the Cloud Solutions or any other subject matter covered by these Terms. No provision of any purchase order or other business form employed by you will supersede or supplement the terms and conditions of these Terms, and any such document relating to these Terms will be for administrative purposes only and will have no legal effect.

23. Certain specific terms are defined in this Section, and others are defined contextually in these Terms.

“Additional Services” means Professional Services delivered by our Consulting or Support team

“Administrators” mean the personnel designated by you who administer the Cloud Solutions to End Users on your behalf.

“Cloud Solutions” means our hosted or cloud-based solutions, including but not limited to SmartConnect online and Popdock.

“Documentation” means our standard published documentation for the Cloud Solutions.

“End User” means an individual you or an Affiliate permits or invites to use the Cloud Solutions. For the avoidance of doubt: (a) individuals invited by your End Users, (b) individuals under managed accounts, and (c) individuals interacting with a Cloud Solution as your customer are also considered End Users.

“End User Account” means an account established by you or an End User to enable the End User to use or access a Cloud Solution.

“Feedback” means comments, questions, ideas, suggestions, or other feedback relating to the Cloud Solutions, Support or Additional Services.

“Laws” means all applicable local, state, federal and international laws, regulations, and conventions, including those related to data privacy and data transfer, international communications, and the exportation of technical or personal data.

“Order” means Subscription Purchase.

“Our Deliverables” means any materials, deliverables, modifications, derivative works, or developments that we provide in connection with any Additional Services.

“Subscription Term” means your permitted subscription period for a Cloud Solutions.

“Support” means support for the Cloud Solutions.

“Training” means eOne-provided training and certification services.

“Zendesk” means Zendesk, Inc., a Delaware corporation, and any of its applicable affiliates, which will serve as the billing agent for your subscription(s) to the eOne Cloud Solutions and related services ordered by you from eOne under these Terms pursuant to the Zendesk Resell Agreement.

“Zendesk Resell Agreement” means the statement of work, agreement, or similar ordering document issued by Zendesk to you, to which these Terms are attached or incorporated, that sets forth, without limitation, your eOne Cloud Solutions subscription plan, Subscription Term, fees, and billing for the eOne Cloud Solutions under these Terms.

 

Exhibit A – Support Responsibilities and Procedures

1. Definitions

In this Exhibit A:

a) “Level 1 Support” means the first level of support given to you by eOne to collect customer input, verify symptoms, and escalate, if required, to Level 2 Support.

(b) “Level 2 Support” means the second level of support given by eOne to you that addresses Cloud Solutions operational and infrastructure issues and resolutions.

(c) “Level 3 Support” means the third level of support given by eOne that covers the resolution of application code bugs or infrastructure code.

(d) “eOne Support Hours” for non-Critical and non-Major Business Impact issues means between 01:00 and 17:00 CST on a business day (Monday - Friday, every week of the year). Support hours and response obligations for Critical and Major Business Impact issues are as described below.     

2. eOne Support Obligations

eOne shall provide you with all support in relation to issues identified by the Reseller or you and reported to eOne. These support services will be provided by means of the Zendesk help desk ticket system.

eOne shall respond to requests for support:

(a) with respect to Critical Business Impact issues, within thirty (30) minutes twenty-four (24) hours a day, three hundred and sixty-five (365) days a year. eOne shall provide you (and Zendesk, if such Critical Business Impact issues relate to your support requests forwarded to eOne by Zendesk) updates on Critical Business Impact issues every thirty (30) minutes until the issue is resolved. Critical Business Impact shall be defined as an issue that disrupts material functionality within the production environment in the Cloud Solutions or compromises the security/integrity of data in the Cloud Solutions. Critical Business Impact issues will remain so long as the disruption is ongoing, the need for resolution is acutely time-sensitive, with no reasonable workaround available;

(b) with respect to Major Business Impact issues within one (1) hour, twenty-four (24) hours a day, three hundred and sixty-five (365) days a year. eOne shall provide you (and Zendesk, if such Critical Business Impact issues relate to your support requests forwarded to eOne by Zendesk) updates on Major Business Impact issues every hour (1) until the issue is resolved. Major Business Impact shall be defined as an issue that degrades a material functionality or significantly disrupts or degrades your normal business operation, is in your production environment and is highly time-sensitive, and/or a significant unplanned effort is required to work around the issue to maintain normal business operations; 

(c) for other issues and enquiries, within six (6) eOne Support Hours;

(d) to resolve issues raised to it within a commercially reasonable timeframe; and

(e) by providing ongoing updates on unresolved issues at least once a week until the issue is successfully resolved.

Exhibit B – Information Security Measures

eOne warrants and represents that it shall use commercially reasonable efforts to implement and maintain the security measures detailed below to keep all content, materials, data (including personal data) and non-public information provided or made available by you (collectively, “Data”) secure and protect Data against unauthorized or unlawful processing, accidental loss, destruction or damage, as further set forth below. In doing so, eOne will act in good faith and diligence, using reasonable care and skill. 

A. Definitions:

• “Process” means any operation in relation to Data irrespective of the purposes and means applied, including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
• “Breach” means any (a) unauthorized Processing of Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by eOne regarding Processing Data or otherwise put in place to comply with these requirements. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
• “Incident” means any impairment to the security of Data including any (i) act that violates any law or any eOne security policy, (ii) unplanned service disruption that prevents the normal operation of the Products, or (iii) Breach.

2. Measures: Technical and organizational measures for the storage, handling, and disposal of and Data.

• eOne will utilize industry standard encryption algorithms and key strengths to encrypt the following:
• Encrypt all Data that is in electronic form while in transit over all public wired networks (i.e. Internet) and all wireless networks.  
• Encrypt all Data while in storage. “In Storage” means information stored in databases, in file systems, and on various forms of online and offline media (Mobile devices, laptops, DASD, tape, etc.) and is also commonly referred to as “at rest.”
• Except where prohibited by law, eOne will promptly remove Data upon (a) completion of Cloud Solutions; or (b) request by you to be removed from eOne’s environment, and destroy it within a reasonable timeframe, but in no case longer than twenty-one (21) days after the date of request or cessation of services. eOne will provide you with a written certification regarding such removal, destruction, and/or cleaning within thirty (30) days of such occurrence.

3. Measures: Malicious Code Protection. 

• All workstations and servers (virtual or physical) will run the current version of industry standard anti-virus and/or anti-malware software with the most recent updates available on any workstation or server.   Virus definitions must be updated promptly upon release by the anti-virus software provider.  eOne will configure equipment and have supporting policies to prohibit users from disabling antivirus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Data or eOne’s computing environment.
• eOne will scan incoming and outgoing content for malicious code on all gateways to public networks including email and proxy servers.
• eOne will quarantine or remove files that have been identified as infected and will log the event.

4. Measures: Technical and organizational measures for access control, especially to control the legitimacy of authorized entrants to the facilities and systems where Data may be accessed:

• eOne ensures measures are taken to secure the premises (for example, securing entries and exits) as well as measures within its building through the use of the following procedures:
• security and encryption of all personal computers or other mobile devices that may access Data;
• limited access to employees and contractors except for authorized visitors;  
• identification of the persons having access authority;
• restriction on keys;
• visitors books (including timekeeping); and
• security alarm system or other appropriate security measures.

eOne will revoke access to physical locations, systems, and applications that contain or process Data within twenty-four (24) hours of the cessation of such authorized agent’s need to access the system(s) or application(s).

5. Measures: Technical (password / password protection) and organizational (user master record) measures concerning user identification and authentication:
   
   

eOne shall inform you upon its reasonable request which authorized persons are entrusted with access to Data.

User control shall include the following measures:

• restricted VPN profile;
• implementation of 2-factor authentication

Access control to Data shall include the following measures:

• effective and measured disciplinary action against individuals who access data without authorization.

6. Measures: Technical and organizational measures concerning the security of networks (including wireless networks) utilized by eOne.

All network controls shall include the following measures:

• On a regular basis, eOne will run internal and external network vulnerability scans.  Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.
• eOne will deploy reasonably appropriate firewall technology in operation of its networks. 
• At a minimum, eOne will review firewall rule sets quarterly to ensure that legacy rules are removed and active rules are configured correctly.
• eOne will deploy intrusion detection or prevention systems in order to monitor networks for inappropriate activity.
• eOne shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year.

Wireless network controls shall include the following additional measures:

• Network access to wireless networks should be restricted only to those authorized. 
• Access points shall be segmented from an internal, wired LAN using a gateway device.
• The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value.
• Encryption of all wireless connections will be enabled using industry standard encryption algorithms. Encryption protocols will be based on “Wireless Protected Access” (WPA2) or stronger. 

7. Measures: eOne will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. If an Incident occurs, eOne will (i) promptly take all necessary steps to prevent any further compromise of Data or any future Incidents; (ii) notify you within twenty-four (24) hours of the Incident being identified and provide a written report within three (3) days thereafter; and (iii)  respond promptly to any reasonable request from you for detailed information pertaining to the Incident. eOne’s notice and report will contain a description of the nature of the Incident, its impact, and any investigative, corrective, or remedial actions taken or planned.

8. Measures: Business Continuity & Disaster Recovery. eOne has provided you commercially reasonable and industry standard business continuity plan to maintain availability of the Service (the “Continuity Plan”).  The Continuity Plan does and shall include, but is not limited to, elements such as (a) crisis management, plan and team activation, event & communication process documentation; (b) event management, business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, and system(s) details, recovery activities, and identification of the people / teams required for such recovery.  eOne shall maintain such Continuity Plan throughout the term of all subscriptions; provided that eOne shall have the right to modify or amend the Continuity Plan provided such modification or amendment does not have a material adverse effect on eOne ability to maintain availability of the Cloud Solutions.

9. At your request, eOne shall make commercially reasonable modifications to its information security program or to the procedures and practices thereunder to conform to your baseline security requirements as outlined in all applicable exhibits to these Terms and as they exist from time to time.  You shall provide eOne with documentation of such baselines, which shall be part of your confidential information under these Terms.  eOne shall develop a written information security plan for you containing, at a minimum, the topics called for in these Terms.

Exhibit 1 

EZ Web Terms of Use

(TOUs)

 

These EZ Web Terms of Use (the “Agreement”), effective as of the date indicated on the applicable Zendesk SOW (the "Effective Date"), is entered by and between EZ Web Enterprises, Inc, having a place of business at 701 S Carson St STE 200, Carson City, NV 89701 (“EZ Web”) and the entity indicated on the applicable Zendesk SOW ("Customer"). The Customer and EZ Web may together be referred to as “Parties”.

Background

A. EZ Web provides access to its software-as-a-service offerings to its customers.

B. The Customer desires to obtain certain software-as-a-service offerings through Zendesk, Inc. (and its applicable affiliates) (the “Reseller”), which shall act as the billing agent among the Parties under this Agreement, and EZ Web desires to provide the Customer access to such offerings, subject to the terms and conditions set forth in this Agreement and the agreement between the Reseller and EZ Web.

 

NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. Definitions:

1.1.     “we”, “us” or “our” or “EZ Web” means EZ Web Enterprises, Inc.

1.2.     “You” or “Your” or the “Customer” means the person receiving a license to use the Service offered by EZ Web, or if applicable, the company or the legal entity for which you are accepting this Agreement.

1.3.     “Your Content” means the data, content and other information submitted by or for You to the Service or collected and processed by EZ Web and for You as a result of Your use of the Service.

1.4.     “Zendesk SOW” means the statement of work or similar document issued by the Reseller to You specifying the details of Your Subscription including, without limitation, the services and products ordered, number of items, account users, Subscription Term, and the applicable fees. 

1.5.     “Confidential Information” means any information or data disclosed by one party to the other party that is marked as confidential or otherwise designated as confidential or proprietary or that should otherwise be reasonably understood to be confidential in light of the nature of that information and the circumstances surrounding disclosure. However, Confidential Information will not include any information which (a) is in the public domain through no fault of the receiving party; (b) was properly known to the receiving party, without restriction, prior to the disclosure with the legal authority to do so; or (c) is independently developed by the receiving party without use of or reference to the disclosing party’s Confidential Information.

1.6.     “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity.

1.7.     “Person” means an individual, trust, business entity (including a corporation, limited liability company, general partnership, limited partnership and business trust), not-for-profit foundation or other not-for-profit entity, association and government agency.

1.8.     “Privacy Laws” mean those laws that govern the retention and use of personal information data, including the European Union’s General Data Protection Regulations and the California Consumer Privacy Act.

1.9.     “Service” means the products and the services as specified in the Zendesk SOW that the Reseller orders on Your behalf and are made available to You, excluding any Non-EZ Web Applications.

1.10.     “Subscription” means the license to use the Service that EZ Web is granting You under this Agreement.

1.11.     “Subscription Term” means the period of time during which You and Your Users are permitted to use the Service hereunder, as specified in the applicable Zendesk SOW and including all renewals or extensions thereof.

1.12.     “User” means an individual whom You authorize to access and use the Service under Your Subscription.

1.13.     “User Account” means an account created by You to use the Service in accordance with Your allowed or purchased usage limits as per the Zendesk SOW.

1.14.     “Non-EZ Web Application” means a web-based or offline software application that is provided by You or a third party and interoperates with any part of the Service.

2. Overview:

2.1.     As a Customer, You are acquiring the Service through a Reseller. In addition to the terms and conditions described under an agreement between You and the Reseller, this Agreement contains additional terms and conditions governing Your access to and use of the Service. You expressly acknowledge and agree that EZ Web is an express beneficiary of this Agreement and shall have the right to enforce this Agreement against You.

2.2.     This Agreement constitutes the entire agreement and supersedes all prior agreements between You and EZ Web with regard to Your Subscription to the Service under this Agreement and any prior agreement between You and the Reseller with regard to the Service.

3. Use of Service:

3.1.     Your right to use the Service is personal to You and shall solely be used for Your internal purpose. You may not use the Service for any other purpose, such as to maintain inventories of asset records for third parties.

3.2.     The reports generated by the Service and information held in Your User Account do not provide evidence of ownership of equipment or proof that You possess the records shown in Your User Account.

4. Account Administrators:

When You sign up for a Subscription, You may specify one or more account administrators. These account administrators will have the right to manage and control Your use of the Service. Regardless of whether the account administrators are a part of Your business or are third parties acting on Your behalf, You shall have the sole responsibility to supervise their actions. EZ Web has no liability for the failure of account administrators to manage the use of Service in accordance with Your expectations.

5. Use and Restrictions:

5.1.     EZ Web grants You a non-exclusive, non-transferable, non-assignable, royalty-free and revocable license to use the Service in accordance with this Agreement during the Subscription Term.

5.2.     You may only access and use the Service in a manner consistent with this Agreement and all applicable laws and regulations, including Privacy Laws, patent, copyright, trademark, or other intellectual property laws and export control laws. Without limiting the generality of the foregoing, You shall not, nor shall You permit others to:

5.2.1.     abuse or fraudulently use or damage, overburden or impair the Service;

5.2.2.     gain unauthorized access to any part of the Service or process data of any third party that You are not expressly authorized to access and use for the Service;

5.2.3.     attempt to copy, reverse-engineer, decompile, disassemble, create a derivative work from, or otherwise attempt to derive the source codes of any part of the Service;

5.2.4.     use any robot, spider, scraper or other automated means to access any part of the Service or networks without EZ Web's express written permission;

5.2.5.     sell, resell, license, sublicense, distribute, make available, rent or lease any part of the Service;

5.2.6.     misrepresent or impersonate by creating accounts under subdomains, titles or trademarks of other Persons;

5.2.7.     circulate any spam or unwanted content including emails in bulk sent without proper written evidence of an opt in from the recipients or other evidence of consent;

5.2.8.     violate or circumvent or otherwise configure the Service to avoid Your allowed or purchased usage rights as set forth in an Zendesk SOW(s); or

5.2.9.     frame or mirror any part of any Service or Your Content, other than framing on Your own intranets or otherwise for Your own internal business purposes or as permitted.

6. Your Content:

6.1.     You grant EZ Web (including its subcontractors and EZ Web Affiliates) a limited, non-exclusive license to use, upload, and store Your Content for the purpose of providing the Service. As between You and EZ Web, You retain exclusive ownership of Your Content except any dashboards for displaying results, report templates or other components of the Service used by EZ Web.

6.2.     You are solely responsible for Your Content and for making certain that Your Content complies with Section 6.3 below (the “Content Guidelines”).  EZ Web has no obligation to pre-screen or monitor Your Content for the purpose of complying with the Content Guidelines.  However, if EZ Web determines that Your Content violates the Content Guidelines, EZ Web may, but will not be obligated, to, take all steps it deems necessary to minimize the potential liability and damage caused by that failure and to prevent further violations of the Content Guidelines, including, but not limited to, blocking  permissions to User Accounts, removing some or all of Your Content from the Service or terminating Your Subscription.

6.3.     You shall ensure that Your Content complies with the following requirements (the “Content Guidelines”):

6.3.1.     Your Content must not: (a) be false or misleading in terms of identity or origin of any communication; (b) be defamatory, derogatory, degrading or harassing of another or constitute a personal attack; (c) promote bigotry, racism, hatred or harm against any Person; (d) unlawfully invade another's privacy; or (e) include pornographic or other obscene materials.

6.3.2.     If any of Your Content consists of information that is confidential or proprietary to any Person (including personal information that is subject to Privacy Laws), You will not use the Service or Your Content in a manner that causes that information to be disclosed or used in a manner that violates any agreement or law pertaining to the confidentiality of that information.

6.3.3.     Your Content must not infringe upon or violate the rights of others, including intellectual property rights.

6.3.4.     Your Content must not contain any viruses, Trojan horses, or other components potentially limiting or harming the functionality of a computer program or files.

6.4.     To the extent applicable to Your Content and use of the Service, the Parties agree to the Data Processing Addendum in Exhibit A, attached hereto.

7. EZ Web’s right to use Your Content:

7.1.     You grant EZ Web and its Affiliates the right to use data and other information relating to the provision, use and performance of various aspects of the Service and related systems and technologies including, without limitation, information concerning Your Content and data derived therefrom in compliance with the applicable law, in order to:

7.1.1.     provide the Service;

7.1.2.     improve and enhance the Service and for other development, diagnostic and corrective purposes in connection with the Service and other EZ Web services, products, offerings; or

7.1.3.     disclose such data solely in aggregate or other de-identified form in connection with our business for marketing, product analytics and new product features, service utilization and related purposes.

8. Your Responsibilities:

8.1.     You understand that it shall be Your responsibility to obtain and maintain any equipment and ancillary service needed to connect to, access or otherwise use the Service, including, without limitation operating systems, networking, web servers, modems, hardware and the likes depending on Your intended use of the Service (“Equipment”).

8.2.     You acknowledge that it shall solely be Your responsibility for ensuring that; (1) Equipment is compatible with the Service; and (2) any information generated through the use of the Service is sufficient and accurate for Your purposes.

8.3.     You shall be solely responsible for maintaining the security of Your access to the Service, including the confidentiality of username and passwords of User Account(s). In case You suspect any access to the Service is not authorized by You or is not authorized under this Agreement, You agree to immediately notify EZ Web and the Reseller in writing.

8.4.     All activities that occur during Your Subscription are Your responsibility, therefore You should ensure that all activities through User Account(s) comply with this Agreement.

8.5.     You understand that You are responsible for obtaining any required export or import authorizations for the use of Service.

8.6.     You shall be responsible for ensuring that You possess all necessary rights and title to use, store and display Your Content while using the Service.

9. Confidentiality:

Each party agrees that it will use Confidential Information solely in accordance with this Agreement and shall protect Confidential Information from unauthorised use, access or disclosure in the same manner as it protects its own Confidential Information. However, either party may disclose Confidential Information (a) to its Affiliates, employees, officers, directors, attorneys, auditors, financial advisors, service providers or contractors and/or other representatives who have a need to know and are legally bound to keep such information confidential by confidentiality obligations consistent with this Agreement; (b) to any actual or potential lenders, investors or acquirers while maintaining confidentiality consistent with this Agreement; and (c) as required by law.

10. Your Feedback:

You may from time to time provide EZ Web input, suggestions or comments for enhancements or improvements, new features or functionality or other feedback (“Feedback”) with respect to the Service. Notwithstanding anything contained herein, all Feedback provided by You shall not be considered Confidential Information. You grant EZ Web with full discretion to proceed with the development of any requested enhancements, new features or functionality. EZ Web shall without any obligation to compensate or reimburse You, have a full, unencumbered right to use such Feedback for any purpose including but not limited to the right to display, market, sublicense and distribute such Feedback or to incorporate or implement such Feedback into EZ Web’s product or Service.

11. Service Availability & Support; Information Security Measures; Implementation Terms:

Availability uptime of the Service and the support responsibilities provided by EZ Web are set forth in Exhibit B, attached hereto. EZ Web will maintain appropriate administrative, technical, and organizational security measures with respect to Your Content, as provided in Exhibit C, attached hereto. To the extent that EZ Web will provide implementation services to Customer, as indicated in the Zendesk SOW, the Implementation Terms set forth in Exhibit D shall apply.

12. Proprietary Rights:

EZ Web shall own and retain all rights, title and interest (including, but not limited to intellectual property rights) in and to (a) the Service and software, all improvements, enhancements or modifications thereto, (b) any software, applications, inventions or other technology developed in connection with support, (c) Feedback provided by You, (d) any other data collected by EZ Web, including Your Content regarding the Service that may be used to generate logs, statistics and reports regarding the performance, availability, integrity and security of the Service and (e) all intellectual property rights related to any of the foregoing.

13. Free trial:

13.1.     We allow a free trial for an initial fifteen (15) days for You to become familiar with the features and the functions of the Service before You make a purchase. If You register for a free trial, EZ Web shall make the applicable Service available to You on a trial basis free of charge until the earlier of (a) the end of the free trial period for which You registered to use the applicable Service(s), or (b) termination by EZ Web at its sole discretion.

13.2.     Any data You enter into the Service during a free trial may be permanently lost unless a Subscription to the same Service as those covered by the trial are purchased or such data has been exported before the end of the trial period. Notwithstanding anything contained herein, for purposes of the free trial, the Service is provided on ‘as is’ basis and any representation, warranties or indemnities contained in this Agreement shall not apply. We will have no liability for any harm or damage arising out of or in connection with a free trial.

14. Indemnification:

You will indemnify and hold EZ Web, its parents, subsidiaries, EZ Web Affiliates, officers, and employees harmless (including, without limitation, from all damages, liabilities, settlements, costs and attorneys’ fees) from any claim or demand made by any third party due to or arising out of Your access to or use of the Service in violation of this Agreement, or the infringement by You of any intellectual property or other right of any Person.

15. Warranties and disclaimer:

15.1.     You warrant and represent that: (a) You have the legal right to enter into an agreement to receive Service under this Agreement and perform Your obligations hereunder; and (b) the performance of obligations by You shall not violate any Privacy Laws or cause a breach of any agreement between You and any third parties; and (c) Your acceptance of this Agreement constitutes a legally binding agreement and is enforceable in accordance with this Agreement.

15.2.     EZ WEB DOES NOT WARRANT THAT THE SERVICE WILL BE ERROR FREE, THAT ACCESS TO THE SERVICE WILL NOT BE INTERRUPTED, THAT ALL ERRORS OR OTHER DEFECTS IN THE SERVICE WILL BE CORRECTED OR THAT THE SERVICE WILL BE FREE FROM VIRUSES AND OTHER HARMFUL COMPONENTS THAT MAY AFFECT YOUR EQUIPMENT, COMPUTER PROGRAMS, YOUR CONTENT OR ANY OTHER PROPRIETARY MATERIAL DUE TO YOUR USE OF THE SERVICE.

15.3.     THE SERVICE IS PROVIDED ON AN “AS IS’ BASIS AND EZ WEB EXPRESSLY DISCLAIMS ALL WARRANTIES OTHER THAN THOSE EXPRESSLY STATED IN THIS AGREEMENT, INCLUDING EXHIBITS, WITH RESPECT TO THE SERVICE, INCLUDING BUT NOT LIMITED TO: (1) ANY IMPLIED WARRANTY OF MERCHANTABILITY; (2) ANY WARRANTY OF FITNESS OF THE SERVICE FOR A PARTICULAR PURPOSE; (3) ANY WARRANTY OF NON-INFRINGEMENT ON INTELLECTUAL PROPERTY RIGHTS OF OTHERS.

15.4.     YOU SHOULD NOT RELY ON ANY INFORMATION GENERATED FROM USE OF THE SERVICE IN SITUATIONS WHERE THE INACCURACY OF INFORMATION WOULD CAUSE YOU TO SUFFER ANY LOSS. EZ WEB DOES NOT WARRANT THAT ANY INFORMATION INCLUDING YOUR CONTENT PROVIDED THROUGH THE SERVICE IS ACCURATE OR COMPLETE.

15.5.     The Service may contain service features designed to interoperate or integrate with third-party products or services including Non-EZ Web Applications. EZ Web does not warrant the continued availability of such service features. Any exchange of data including Your Content is solely between You and the relevant Non-EZ Web Application. EZ Web does not warrant or support Non-EZ Web Applications or other third-party service or products, whether or not they are designated by us, or that the service features will function as per Your expectations or that the calculations, results, reports, other information generated from integrations or interoperability with third-party products will be error-free, reliable or accurate.

15.6.     EZ Web does not control the transfer of data over communication facilities, including the internet, and that the Service may be subject to limitations, delays, and other problems inherent in the use of such communication facilities.  EZ Web is not responsible for any delays, delivery failures, other damages resulting from such problems including loss of any data.

16. Limitation of Liability:

16.1.     THE AGGREGATE LIABILITY OF EZ WEB (TOGETHER WITH ALL OF ITS AFFILIATES) TO YOU (INCLUDING, BY WAY OF EXAMPLE, FOR A FAILURE OF THE SERVICE TO OPERATE PROPERLY OR A BREACH BY EZ WEB OF THIS AGREEMENT) WILL NOT EXCEED THE AMOUNT RESELLER PAID TO EZWEB WITH RESPECT TO YOUR USE OF SERVICE DURING THE SIX MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE. THE FOREGOING LIMITATION WILL APPLY REGARDLESS WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY.

16.2.     WITH THE EXCEPTION OF CLAIMS FOR INDEMNIFICATION ARISING UNDER SECTION 14 NEITHER PARTY (INCLUDING ITS AFFILIATES) WILL BE LIABLE FOR ANY INCIDENTAL, CONSEQUENTIAL, INDIRECT OR SPECIAL DAMAGES (INCLUDING FOR LOST PROFITS OR REVENUES TO YOU ARISING OUT OF A FAILURE OF THE SERVICE) EVEN IF THAT PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF ANY OF THE FOREGOING TYPES OF LOSSES OR DAMAGES AT THE TIME OF ENTERING INTO THIS AGREEMENT.  IN NO EVENT WILL A PARTY BE LIABLE FOR PUNITIVE OR EXEMPLARY DAMAGES.  THE EXCLUSION OF LIABILITY IN THIS SECTION 16.2 WILL APPLY TO ANY CLAIM BROUGHT REGARDLESS WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY.

16.3.     YOU AND EZ WEB AGREE THAT THE LIMITATIONS AND EXCLUSIONS SET OUT IN SECTION 16.1 AND 16.2 ARE REASONABLE, HAVING REGARD TO ALL THE RELEVANT CIRCUMSTANCES AND THE LEVELS OF RISK ASSOCIATED WITH THE PROVISION OR USE OF SERVICE.

16.4.     Exclusions and Limitations: SOME JURISDICTIONS DO NOT ALLOW THE DISCLAIMER OR EXCLUSION OF CERTAIN WARRANTIES, OR THE EXCLUSION OR LIMITATION OF CERTAIN LIABILITIES TO THE EXTENT THAT THEY ARE HELD BY A COURT OF COMPETENT JURISDICTION TO BE INVALID. THE SCOPE OF THOSE DISCLAIMERS, EXCLUSIONS AND LIMITATIONS INCLUDING THOSE SET FORTH IN SECTION 15 AND 16 WILL BE GIVEN THE MAXIMUM EFFECT PERMISSIBLE UNDER APPLICABLE LAW AND ALL OTHER TERMS OF THIS AGREEMENT SHALL REMAIN IN FULL FORCE AND EFFECT.

17. Modifications of the Service:

EZ Web will provide Customer with at least six (6) months advance notice of any feature end of life or deprecation.

18. Suspension:

18.1.     If EZ Web becomes aware of any User(s) violating this Agreement, EZ Web may request You to suspend the User’s use of Service. In case of Your failure to comply with that request, EZ Web may suspend that User Account. The duration of suspension shall be the discretion of EZ Web and shall extend until the User has cured such breach to the satisfaction of EZ Web.

18.2.     If at any point Your use of the Service exceeds the amount for which You prepaid, EZ Web reserves the right to suspend Your access to the Service without notice.

18.3.     If at point in time, You have not paid fees payable in accordance with the applicable Zendesk SOW are not paid in accordance with this Agreement; 

18.4.     EZ Web shall have no liability in connection with any suspension of Service pursuant to this section 18.

18A. Payments, Refunds, Upgrades and Downgrading Terms

Reseller shall process billing for your Subscription to the Service ordered by You under this Agreement, pursuant to a Zendesk SOW executed between You and Zendesk. The applicable Zendesk SOW shall set forth, without limitation, the service plan, fees, payment information, and term of Your Subscription to the Service. Any changes to the scope of the Subscription shall be issued through a new Zendesk SOW; provided, however, no refunds will be provided in case: (i) You downgrade, terminate, or cancel a Subscription to the Service, (ii) EZ Web terminates or suspends Your Subscription in accordance with this Agreement, or (iii) Zendesk terminates the applicable Zendesk SOW in accordance with the terms of such Zendesk SOW.

19. Cancellation and Termination:

19.1.     You agree and understand that EZ Web is entitled to terminate Your Subscription if: (a) the Reseller notifies Your failure to pay amounts due to the Reseller with respect to Your Subscription, or (b) the Reseller fails to make payment due to us pursuant to our agreement with the Reseller with respect to Your Subscription. EZ Web will not be liable to You with respect to any such suspension or termination of Your Subscription. Your sole recourse with respect to such termination related to non-payment under this Section 19.1 shall be against the Reseller.

19.2.     A party may terminate a Subscription: (a) thirty (30) days after providing written notice to the other party of a material breach of its obligations of this Agreement if such breach remains uncured at the expiration of such thirty (30)-day period, (b) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors, or (c) upon ten (10) days’ written notice to the other party if the other party is in material breach of this Agreement more than two (2) times notwithstanding any cure of those breaches.

20. Effect of termination:

20.1.     Upon any termination of Your Subscription, EZ Web will make Your Content available to You for electronic retrieval for a period of thirty (30) days, but thereafter EZ Web may, but will not be obligated to, delete Your Content, in which case You will no longer have access to Your Content from EZ Web.

20.2.     Upon termination of Your Subscription, Your license to use the Service and EZ Web’s obligation to provide the Service to You will immediately terminate. Except for those provisions of this Agreement that are limited under their terms to the Subscription Term, all provisions of this Agreement (including sections titled: “Use and Restrictions”, “EZ Web’s right to use Your Content”, “Your Responsibilities”, “Confidentiality”, “Proprietary Rights”, “Indemnification”, “Warranties and disclaimer”, “Limitation of Liability”, and “General Terms”) will survive the termination of Your Subscription. Including but not limited to the foregoing, You will remain liable to pay Zendesk all outstanding fees as provided under the applicable Zendesk SOW.

21. Assignment:

21.1.     All agreements between the Reseller and the Customer that relate to Customer’s Subscription to the Service are assignable to EZ Web under the terms of our agreement with the Reseller. In case Your agreement with the Reseller is assigned to EZ Web, Your continued right to access and use the Service shall be subject to the then applicable standard online terms of services available at the product website that you are using. Upon the request of EZ Web, You agree to make all necessary information available to EZ Web including any information required to secure payment of Your Subscription.

21.2.     You may not assign any of Your rights under this Agreement without consent from EZ Web, and any such attempt will be void. However, EZ Web may assign its rights to any of its Affiliates or subsidiaries, or to any successor in interest of any business associated with the Service.

21.3.     Subject to the above restrictions, this Agreement will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns.

22. General Terms:

22.1.     Publicity. After using the Service for more than two weeks following a successful trial period, we may refer You (including any related Affiliates) on our website or other marketing material which displays customers of our Service. You may decline us this right by emailing us stating that You do not wish to be used as reference or listed on our website. Thirty (30) days following a successful trial period, we may issue a press release or other public statement related to this Agreement if You consent in writing.

22.2.     Notice. Notices, permissions and approval hereunder shall be given in writing via email and shall be deemed to have been given upon the first business day after sending by an email. Notices to us shall be addressed to legal@ezofficeinventory.com. Notices to You shall be sent to Your account administrator’s email address or other address as may be specified in Your account information provided to us.

22.3.     Governing law and Jurisdiction. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods is specifically excluded from application to this Agreement and the Zendesk SOW(s). The construction, validity, performance, enforcement, and effect of this Agreement will be governed by the laws of the State of Nevada, without regard to conflict of law principles. All suits and claims will be made only in courts located in the State of Nevada.

22.4.     Certain Definitions.  Except where the term “business days” is used, all references in this Agreement to “days” mean calendar days.  “Business days” means days other than weekend days and federal holidays on which banks in Austin, Texas are authorized to remain closed.  If the date on which a notice is due or action to be taken or would otherwise be effective falls on a day other than a business day, that notice or action will be due, taken or effective on the first business day after that day.  For the purposes of this Agreement, the word “including” means “including, but not limited to.”

22.5.     Entire Agreement. This Agreement including all exhibits, constitute the entire agreement between You and EZ Web with respect to the subject matter of this Agreement, and supersede and replace any other prior or contemporaneous agreements, or terms and conditions applicable to the subject matter of this Agreement.

22.6.     Waiver, Severability & Subcontracting. EZ Web’s failure to enforce a provision is not a waiver of its right to do so later. All waivers and modifications must be in writing signed on behalf of both parties by their duly authorized representatives. If a provision is found unenforceable, the remaining provision of this Agreement will remain in full effect and an enforceable term will be substituted reflecting our intent as closely as possible. You may not assign any of Your rights under this Agreement without consent from EZ Web, and any such attempt will be void. However, EZ Web may assign its rights to any of its Affiliates or subsidiaries, or to any successor in interest of any business associated with the Service. EZ Web reserves the right to subcontract any part of its obligations under this Agreement without prior consent from You.

22.7.     Nature of Relationship. No agency, partnership, joint venture, or employment is created as a result of this Agreement and each party does not have any authority of any kind to bind or attempt to bind the other party in any respect whatsoever.

 

Exhibit A - Data Processing Addendum

This Data Processing Addendum, including its Schedules (“DPA”) forms part of the Agreement between EZ Web Enterprises Inc. having address at 701 S Carson St STE 200, Carson City, NV 89701 (“EZ Web”) and Customer for the purchase of Service from EZ Web to reflect the parties’ agreement with regard to the Processing of Personal Data.

 

The Customer enters into this DPA on behalf of itself and as required by Data Protection Laws, to the extent EZ Web processes Personal Data for which such Customer acts as a Data Controller.

 

In the course of providing the Service to the Customer pursuant to the Agreement, EZ Web may Process Personal Data on behalf of the Customer, and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

 

Capitalized terms unless otherwise defined under this DPA shall have the same meaning as given to them under the Agreement.

 

1.          Definitions

 

1.1.   “Authorized Person” means a necessary employee, contractor or agent authorized by EZ Web, who has a need to know or access Personal Data for fulfilling obligations of EZ Web to the Customer.

 

1.2.   “Data Controller” means the entity which determines the purposes and the means of the Processing of Personal Data. The Customer will be treated as the Data Controller under this DPA.

 

1.3.   “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. EZ Web will be treated as the Data Processor under this DPA.

 

1.4.   “Data Subjects” means identified or identifiable person to whom Personal Data relates. 

 

1.5. “Personal Data” means any identified or identifiable information that relates to a Data Subject.

 

1.6. “Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

 

1.7. “Sub-Processor” means any processor engaged by the Data Processor.

 

1.8. “Data Protection Laws” mean all laws and regulations, including laws and regulations of the European Union, the European Economic Area (“EEA”) and their member states, Switzerland, and the United Kingdom (“UK”), applicable to the Processing of Personal Data by EZ Web under the Agreement.

 

1.9. “Security Measures” means the security, privacy and architecture applicable to the Service, purchased by the Customer, as described under Annex II to the SCCs (Schedule 2) or otherwise reasonably made available by EZ Web to the Customer. 

 

1.10.   “Standard Contractual Clauses” or “SCCs” mean the agreement by and between the Customer and EZ Web attached hereto as Schedule 2 pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to GDPR.                  

 

1.11.   “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

 

1.12.   “Service” shall have such meaning as described in the Agreement.

2.          Processing of Personal Data by Customer

 

2.1. The Customer shall, in its use of the Service, Process Personal Data in accordance with the requirements of Data Protection Laws. In particular, the Customer shall be responsible for accuracy, quality and legality of the Personal Data and the means by which the Persona Data has been acquired by the Customer.

 

2.2. The Customer shall agree to comply with the provisions of the Data Protection laws so far as they apply to the Customer.

 

2.3. The Customer shall not feed in special categories of Personal Data including “sensitive information” as defined in the SSCs into the Service without prior information, and approval of EZ Web.

 

3.          Processing of Personal Data by EZ Web

 

3.1. EZ Web shall only Process Personal Data on documented instructions from the Customer for the following purposes: (i) Processing in accordance with the Agreement, the DPA and any applicable order forms, (ii) Processing initiated by the user authorized by the Customer to use the Service, (iii) Processing in accordance with the instructions provided by the Customer (e.g. via email) where such instructions do not conflict with the terms of the Agreement and this DPA. 

 

3.2. This DPA, the Agreement and the applicable order form shall be considered as a final set of instructions from the Customer in relation to the Processing of Personal Data. Any further instructions issued by the Customer regarding the Processing of Personal Data shall solely be documented in writing (e.g. via email) where such instructions are consistent with the terms of this DPA. 

 

3.3. The duration of Processing, the nature of Processing and the purpose of Processing, the types of Personal Data and the categories of Data Subjects Processed under this DPA are further described in Annex I to the SCCs (Schedule 2).

 

4.          Rights of Data Subjects

 

4.1. EZ Web shall if permitted by law, promptly notify the Customer if it receives a request from a Data Subject under any Data Protection law which relate to the Data Subject’s right of access, right to rectification, right to erase (the right to be forgotten), the right to restrict Processing, the right to data portability, right to object to Processing or its right not to be subject to automated individual decision making (collectively referred to as “Data Subject Requests”). All Data Subject Requests shall be handled by the Customer, unless EZ Web is otherwise authorized by the Customer or is required by the Data Protection Laws.

 

4.2.   Upon request of the Customer, EZ Web shall, taking into account the nature of the Processing, provide commercially reasonable assistance to the Customer in the form of appropriate technical and organizational measures, in the fulfilment of the Customer’s obligations to respond to requests for the exercise of the Data Subjects’ rights under the Data Protection Laws. To the extent legally permissible, the Customer shall be responsible for any costs arising from the assistance provided by EZ Web.

 

5.          Confidentiality 

 

5.1.   EZ Web shall ensure that only Authorized Persons are able to access Personal Data being Processed on behalf of the Customer. Access to the Personal Data shall without delay be denied if such authorization granted to an Authorized Person is removed or expires.

 

5.2.   EZ Web shall ensure that Authorized Persons have been given appropriate training regarding their responsibilities and the confidential nature of Personal Data. 

 

5.3.   EZ Web shall ensure that all Authorized Persons are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

 

6.          Use of Sub-Processors

 

6.1.   The Customer hereby confirms its consent that EZ Web may engage Sub-Processors which includes the use of Sub-Processors specified in Annex III of the SCCs (Schedule 2). 

 

6.2.   EZ Web shall ensure that the Sub-Processors are subject to data protection obligations under a written contract no less than those specified in this DPA or by way of other legal act under the Data Protection laws providing sufficient guarantees to implement appropriate measures that meet the requirements of the Data Protection laws.

 

6.3.   EZ Web shall inform the Customer of any planned changes with regard to additions to or replacement of Sub-Processors and give the Customer opportunity to object to such changes. If the Customer should object to the changes, the Customer shall notify EZ Web of its objection within seven (7) days of receipt of the notification by EZ Web. However, if the Customer does not raise an objection within such time, the change notified by EZ Web shall be deemed as accepted by the Customer. The Customer shall only object if the Customer has reasonable and specific grounds for such refusal.

 

6.4.   In the event a justifiable objection raised by the Customer, both parties shall act in good faith to a mutually acceptable resolution to address such objection within the scope of commercial viability for EZ Web. The provision of Service under the Agreement shall continue and remain unaffected so far as possible, except to the extent of the justifiable objection raised by the Customer. However, if EZ Web cannot accommodate the Customer with regard to the objections raised, the Customer may terminate the Service provided under the Agreement upon written notice to the EZ Web and as per the terms and conditions of termination provided in the Agreement. Any previously accrued rights and obligations between the parties shall survive such termination.

 

6.5.   If the Sub-Processor does not fulfil its data protection obligations, EZ Web shall remain fully liable to the Customer to the extent as if EZ Web was performing its obligations directly under the terms of this DPA.

 

7.          Security of Processing

 

7.1.   EZ Web shall implement technical and organizational measures for the protection of security, integrity, and confidentiality of Personal Data appropriate to the risk.

 

7.2.   EZ Web shall, during the term of the Agreement, implement at least the minimum level of security specified in the Annex II to the SCCs (Schedule 2) against unlawful Processing, accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to Personal Data.

 

7.3.   The Customer is solely responsible for reviewing the Security Measures set in place by EZ Web, if applicable, and evaluating for itself whether the Service, the Security Measures, and EZ Web’s security obligations under this DPA and the SCCs will meet the Customer’s needs, including with respect to any security obligations of the Customer under the Data Protection Laws. 

 

8.          Customer’s Security Obligations

 

Without prejudice to EZ Web’s obligation under section 9 (below), the Customer is solely responsible for the use of the Service including: (a) making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of the Personal Data; (b) securing the account authentication credentials, systems and devices that EZ Web uses to access the Service; and (c) backing up account data including any Personal Data. 

 

9.          Notification of Personal Data Breach

 

9.1.   EZ Web will notify the Customer without undue delay after becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data in EZ Web’s custody, possession or control (“Personal Data Incident”). 

 

9.2.   EZ Web shall make reasonable efforts to identify and remediate the cause of a Personal Data Incident, and will provide sufficient information to the Customer to allow the Customer to meet any obligations to report or inform individuals or regulators of Personal Data Incident. 

 

9.3.   The obligations related to Personal Data Incident set out under this section 9 shall not apply with respect to incidents that are caused by the Customer or any user authorized by the Customer to use the Service. Further, EZ Web’s response to a Personal Data Incident will not be construed as an acknowledgement by EZ Web of any fault or liability with respect to the Personal Data Incident.

 

10.       Impact Assessment 

 

Upon Customer’s request, EZ Web shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the Data Protection Laws to carry out a data protection impact assessment related to the Customer’s use of the Service, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to EZ Web. 

 

11.       Transfer of Personal Data

 

If EZ Web transfers Personal Data from the EEA to outside the EEA, from UK to outside the UK, or from Switzerland to outside Switzerland in conjunction with the Customer’s use of the Service, either directly or onward transfer, the Standard Contractual Clauses apply subject to the provisions of Additional Data Transfer Terms provided under Schedule 1.

 

12.       Compliance audits and statements

 

12.1.   At the request of the Customer, EZ Web must within reasonable time provide such details related to its compliance obligations under the Data Protection Laws, as generally made available by EZ Web to its customers. If, however, the Customer is not satisfied, further questions may be asked by EZ Web in writing.

 

12.2.   In case the Customer is not satisfied with EZ Web’s responses as per section 12.1 (above), and GDPR allows a right to audit EZ Web’s Processing activities under this DPA, EZ Web will once each twelve (12) Months be obliged to cooperate in an audit of its obligation under this DPA.

 

12.3.   To exercise its audit rights under section 12.2, the Customer must:

 

12.3.1.   provide at least a thirty (30) days advance notice detailing dates and duration of the audit, qualifications and identity of the auditor; and

 

12.3.2.   mutually agree with EZ Web the scope of the audit, as wells as the security and confidentiality controls including non-disclosure agreements for access to EZ Web’s information, facilities or processes.

 

12.4.   Any auditor appointed by the Customer for conducting an audit pursuant to section 12.3 shall be independent, have appropriate security clearance, be qualified for conducting such an audit, and should not be a competitor of EZ Web. In case an auditor does not fulfill the foregoing criteria, EZ Web may raise an objection to the audit.

 

12.5.   The services rendered by EZ Web to cooperate in audit shall be subject to hourly rates quoted by EZ Web.

 

13.       Return, Deletion and Retention of Personal Data

 

EZ Web shall delete all Personal Data and copies thereof upon request of the Customer, unless otherwise required by the applicable Data Protection Laws, provided, however, backup data and operational or system log data will be deleted by EZ Web in the ordinary course of business. In the event that an applicable Data Protection Law does not permit EZ Web to delete the Personal Data, EZ Web shall ensure the confidentiality of Personal Data and shall not use or disclose any Personal Data after termination of the Agreement, except as required by law.

 

14.       Record Maintenance

 

GDPR requires EZ Web to maintain records related to certain information including names and contact details of each of its processors and controllers, and where applicable, of such processor’s or controller’s representatives and data protection officer. The Customer agrees that EZ Web may maintain such information, request up to date information from the Customer, and disclose such information to a supervisory authority upon a supervisory authority’s request.

 

15.       Limitation of Liability

 

Under no circumstances can EZ Web’s obligations towards the Customer exceed an amount equal to the total amount paid by the Customer under the Agreement during the last six (6) months of the incident giving rise to liability. All other limitations of EZ Web’s liability in damages under the Agreement apply.

 

16.       Termination

 

16.1.   This DPA takes effect on the Effective Date of the Agreement and will remain in effect until the Agreement is terminated or expires.

 

16.2.   Both Parties are entitled to terminate this DPA on the same terms as provided in the Agreement.

 

16.3.   The DPA applies as long as EZ Web is Processing Personal Data on behalf of the Customer.

 

16.4.   Termination of this DPA shall not be construed as either limiting or releasing either party of the rights and obligations accruing prior to such termination. 

 

17.       Miscellaneous

 

17.1.   In case of any inconsistency between this DPA and the Agreement, this DPA shall govern.

 

17.2.   This DPA replaces and supersedes all prior and contemporaneous agreements concerning its subject matter. 

 

17.3.   Regulation of other terms between the Parties shall be subject to the terms contained in the Agreement. 

 

 

Schedule 1

 

Additional terms to the Standard Contractual Clauses applicable to data transfers pursuant to section 11 of the DPA:

 

1. Instructions. For purposes of Clause 8.1 of the SCCs, parties agree that Section 3 of the DPA and Annex I of the SCCs contain instructions of the Customer for the Data Processor’s processing of Personal Data.

 

2. Certification of deletion. The Data Controller agrees that the certification of deletion of Personal Data that is described in Clauses 8.5 and 16(d) of the SCCs shall be provided by the Data Processor to the Data Controller only upon the Data Controller’s written request.

 

3. Audits and certifications. The Data Controller agrees that audits described under clauses 8.9 of SCCs shall be carried out in accordance with section 12 of the DPA.

 

4. Personal Data Breaches. Personal Data breaches under clause 8.6(c) of the SCCs will be handled in accordance with section 9 of the Agreement.

 

5. Notification of new Subprocessors. The Data Controller consents to the Data Processor’s transfer of Personal Data to Sub-processors as described in Section 6 of the DPA, and agrees that this consent of the Data Controller satisfies the requirements of Clauses 9(a) of the SCCs.

 

5. Data Exports from the United Kingdom. In case of any transfers of Personal Data from the United Kingdom, references in the SCCs to GDPR, EU, Member State Law will mean the equivalent in Data Protection Laws of United Kingdom.

 

6. Conflict. In the event of any conflict or inconsistency, the order of precedence shall be: (i) the SCCs (Schedule 2), (ii) Schedule 1, and (iii) the body of this DPA.

 

 

 

 

 

 

 

 

Schedule 2

Standard Contractual Clauses

 

MODULE TWO: CONTROLLER TO PROCESSOR

 

 

SECTION I

 

Clause 1

Purpose and scope

 

 

a.   The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

 

b.   The Parties:

i.  the  natural  or  legal  person(s),  public  authority/ies,  agency/ies  or  other  body/ies  (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and

ii.  the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).

 

c.   These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

 

 

d.   The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

 

Clause 2

Effect and invariability of the Clauses

 

 

a.   These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, Standard Contractual Clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix.

This does not prevent the Parties from including the Standard Contractual Clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

 

b.   These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of

Regulation (EU) 2016/679.

 

 

Clause 3

Third-party beneficiaries

 

 

a.   Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

i. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

ii. Clause 8 - Clause 8.1(b), 8.9(a), (c), (d) and (e);

iii.   Clause 9 - Clause 9(a), (c), (d) and (e);

iv. Clause 12 - Clause 12(a), (d) and (f);

v. Clause 13;

vi. Clause 15.1(c), (d) and (e);

vii.   Clause 16(e);

viii.  Clause 18 - Clause 18(a) and (b).

 

 

b.   Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

 

 

Clause 4

Interpretation

 

 

a.   Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

 

b.   These Clauses shall be read and interpreted in light of the provisions of Regulation (EU) 2016/679.

 

 

c.   These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

 

Clause 5

Hierarchy

 

 

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

 

 

 

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

 

Clause 7 - Optional

Docking clause

 

 

a.   An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

 

b.   Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

 

c.   The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

 

SECTION II – OBLIGATIONS OF THE PARTIES

 

 

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

 

8.1    Instructions

a.   The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

b. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2    Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3    Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4    Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5    Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6    Security of processing

a.   The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

b.   The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

c.   In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

d.   The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7    Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8    Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

i.  the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

ii.  the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

iii.  the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

iv. the onward transfer is necessary in order to protect the vital interests of the data subjects or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

 

8.9    Documentation and compliance

 

 

a.   The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

 

b.   The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

 

c.   The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

 

d.   The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

 

e.   The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

 

Clause 9

Use of sub-processors

 

 

a.   GENERAL  WRITTEN  AUTHORISATION.  The  data  importer  has  the  data  exporter’s  general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

 

b.   Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.  The Parties agree that, by complying with this Clause, the data importer fulfills its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

 

c.   The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

 

d.   The data importer shall remain fully responsible to the data exporter for the performance of the sub- processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfill its obligations under that contract.

 

e.   The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub- processor to erase or return the personal data.

 

Clause 10

Data subject rights

 

 

a.   The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

 

b.   The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

 

c.   In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

 

Clause 11

Redress

 

 

a.   The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

 

 

b.   In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

 

c.   Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

i.  lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

ii.  refer the dispute to the competent courts within the meaning of Clause 18.

 

 

d.   The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

 

e.   The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

 

f. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

 

Clause 12

Liability

 

 

a.   Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

 

b.   The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

 

c.   Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject  by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

 

d.   The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

 

e.   Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

 

f. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.

 

g.   The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

 

 

Clause 13

Supervision

 

 

a.   Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

 

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU)

2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

 

 

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

 

b.  The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

 

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

 

a.   The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

b.   The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

i.  the specific circumstances of the transfer, including the length of the processing chain, the number

of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

ii.  the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

iii.  any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

 

c.   The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

 

d.   The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

 

e.   The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that are not in line with the requirements in paragraph (a).

 

f. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right of termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

 

 

15.1  Notification

 

 

a.   The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

i.  receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

ii.  becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the  country of destination; such notification shall include all information available to the importer.

b.   If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

c.   Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

d.   The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

e.   Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

 

 

15.2  Review of legality and data minimisation

 

 

a.   The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

 

 

b.   The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

 

c.   The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

 

SECTION IV – FINAL PROVISIONS

 

Clause 16

Non-compliance with the Clauses and termination

 

 

a.   The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

 

b.   In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

 

c.   The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

i.  the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

ii.  the data importer is in substantial or persistent breach of these Clauses; or

iii.  the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

 

d.   Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

e.   Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

 

Clause 17

Governing law

 

 

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.

 

Clause 18

Choice of forum and jurisdiction

 

 

a.   Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State. 

b.   The Parties agree that those shall be the courts of the Republic of Ireland.

c.   A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

 

d.   The Parties agree to submit themselves to the jurisdiction of such courts.

 

APPENDIX

 

ANNEX I

 

 

A.  LIST OF PARTIES Data exporter(s):

1.     Customer (as set forth on the applicable Zendesk SOW)

 

Activities relevant to the data transferred under these Clauses: As set forth in the Agreement and the DPA.

 

Role (controller/processor): Controller

 

 

Data importer(s):

 

 

1.     Name: EZ Web Enterprises, Inc.

Address: 701 S Carson St STE 200, Carson City, NV 89701

Contact person’s:

Name: Legal Department

Position: Legal Department

Contact details: legal@ezofficeinventory.com

 

Activities relevant to the data transferred under these Clauses: As set forth in the Agreement and the DPA.

 

Role (controller/processor): Processor

 

 

 

B.  DESCRIPTION OF TRANSFER

 

Categories of data subjects whose personal data is transferred

 

The Customer controls the extent to which it may submit Personal Data into the Service which may include, but is not limited to Personal Data for the following:

 

●  Users authorised by the Customer to use the Service.

 

●  The Customer’s employees or the contacts of such employees.

 

●  The Customer’s customers, vendors, and business partners.

 

Categories of personal data transferred

 

The Customer controls the extent to which it may submit Personal Data into the Service, but is not limited to the following categories of Personal Data:

 

●  Name

●  Title

●  Email

●  Address

●  Telephone

●  Employer 

●  Online Identifiers such as IP Address

●  Any other information fed into the Service that may qualify as Personal Data under the Data Protection Laws.

 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

 

●  EZ Web does not require special categories of data to provide the Service, but it may process such special categories of data as uploaded into the Service.

 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

 

●  Continuous for the duration of the provision of the Service.

 

Nature of the processing

 

●  EZ Web’s provision of the Service to the Customer.

 

Purpose(s) of the data transfer and further processing

 

EZ Web will Process Personal Data for the following purposes:

 

●  As necessary to perform the Service pursuant to the Agreement, this DPA and as further specified in the Zendesk SOW or similar order form for the Service 

 

●  Processing initiated by users authorised by the Customer to access the Service.

 

●  And as further instructed by EZ Web in its use of the Service in writing.

 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

 

●  Personal Data will be retained as agreed by the parties in the Agreement and the DPA.

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

 

●  The subject matter, nature and duration of the processing is set forth in the Agreement and the DPA.

 

 

C.  COMPETENT SUPERVISORY AUTHORITY

 

Identify the competent supervisory authority/ies in accordance with Clause 13.

 

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural

persons.

 

Measures of encryption of personal data; Measures for the protection of data during storage; Measures for the protection of data during transmission

 

●  EZ Web relies on industry standard encryption to secure Personal Data in transit over the internet and at rest at all locations where its stored.

 

●  TLS 1.2. or higher is used when transferring Personal Data over the internet.

 

●  AES-256 or AES-128 encryption is used to protect Personal Data at-rest.

 

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

 

●  A firewall is implemented at the server level by our third-party cloud hosting service provider to control and properly manage network traffic.

 

●  EZ Web implements tools for detecting incorrect, or unusual activity, and all system logs are monitored regularly for suspicious activity.

 

●  Commercially reasonable operational procedures are kept in place to mitigate a reasonably foreseeable or actual attack.

 

●  EZ Web maintains vulnerability and patch management processes which regularly assess software for security vulnerabilities and deploy software patches and updates.

 

●  Strict access controls are implemented and any information is shared on a need to know basis with EZ Web Personnel.

 

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

 

●  Backups on all data contained in accounts using the Service are taken at least once every twenty-four (24) hours.

 

●  Copies of backups in a location separate from the primary data location.

 

●  Disaster recovery drills for testing recovery points performed at least on an annual basis.

 

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

 

●  Self-Risk Assessments are performed as part of the Information Security Management against documented polices and guidelines.

 

●  Penetration Testing is conducted on at least an annual basis to detect vulnerabilities.

 

●  EZ Web maintains a certification of information security management system based on the ISO 27001 criteria.

 

Measures for user identification and authorization

 

●  All EZ Web personnel accessing Personal Data are identified by a unique user ID.

 

●  Any access to the underlying infrastructure of the Service, customer support functions, and any access to Personal Data requires a User ID and Password.

 

●  No passwords are recorded in logs for security.

 

Measures for ensuring physical security of locations at which personal data are processed

 

●  All EZ Web applications are hosted on Amazon’s Web Services (AWS) Cloud. The physical and environmental security controls of AWS are audited for SOC 2 and ISO 27001 compliance, amongst other certifications. EZ Web relies on contractual commits and security compliance programs maintained by AWS, for the physical security of AWS Data Centers.

 

●  All physical files that contain Personal Data are securely stored.

 

●  EZ Web Personnel handling Personal Data undergo training on safe security practices for maintain physical security of work devices during work from home.

 

Measures for ensuring events logging

 

●  All activity across the Service and systems including servers and the cloud is logged. Alerts are generated against any unusual and suspicious activity and information is sent to the information security team for investigation and resolution.

 

Measures for ensuring system configuration, including default configuration; Measures for certification/assurance of processes and products

 

●  All testing and development of software and applications is carried out on a separate network from production systems. No customer data is used in EZ Web’s development or testing environments.

 

●  Access to the production server is limited to separate Deployments/Configurations Team only.

 

●  Strict access controls, and multi factor authentication are deployed on production servers.

 

●  Alerts are set up to promptly detect any unusual behavior or unwanted changes, so that such changes can be reverted.

 

Measures for internal IT and IT security governance and management; Measures for ensuring accountability

 

●  EZ Web maintains a framework of Information Security Management Policies. A dedicated information security management team ensures implementation and compliance with these polices.

 

●  In addition to internal compliance audits conducted periodically, an external audit is performed annually for compliance and annual recertification against ISO 27001 Security Standards.

 

Measures for assisting the data exporter with data subject requests

 

●  All data subject requests received by EZ Web will be sent to the Customer. If the Customer requests, commercially reasonable assistance will be provided to the Customer as per section 4 of the DPA.

 

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:

 

EZ Web maintains the following minimum requirements in terms of its third-party security management plan. According to EZ Web’s security management plan, each Sub-processor shall:

 

●  Have a data processing agreement including the appropriate Standard Contractual Clauses or other valid data transfer mechanism in compliance with GDPR.

 

●  Perform penetration tests.

 

●  Use encryption to secure Personal Data.

 

●  Have a risk management plan.

 

●  Have a disaster recovery plan.

 

●  Have a vulnerability management plan.

 

 

 

ANNEX III – LIST OF SUB-PROCESSORS

 

 

Exhibit B - Service Availability; Support Responsibilities and Procedures

1. Definitions

 

In this Exhibit B:

 

Unless otherwise defined, capitalized terms contained in this Exhibit B shall have the same meaning as provided in the Agreement.

         

“EZ Web Support Hours” means between 09:00 and 24:00 Eastern Time on a business day (Monday - Friday, every week of the year).

"Business Day" means weekdays excluding federal holidays in the U.S.  

 

2. EZ Web Support Obligations

 

2.1. EZ Web shall provide Customer with all support in relation to issues identified by the Reseller or Customer and reported to EZ Web, consistent with the commitments herein. All support requests need to be submitted via email to the designated EZ Web Solutions Consultant and by emailing support@assetsonar.com for AssetSonar or support@ezofficeinventory.com for EZOfficeInventory. Support Requests shall only be made by a technical contact designated by Customer. Unless Customer notifies EZ Web whenever a technical contact’s responsibility is transferred to another individual, all support communication by EZ Web will only be made with the technical contact only.     

 

EZ Web shall respond to requests for support:

 

(a) within one (1) Business Day;

 

(b) to resolve issues raised to it within a commercially reasonable timeframe; and

 

(c) by providing ongoing updates on unresolved issues at least once a week until the issue is successfully resolved. 

 

3. Exceptions

 

Notwithstanding anything to the contrary to this Exhibit B, EZ Web will have no obligation to fulfill any support obligations described under Section 2 above in connection with:

 

         (i) any issue or problem that EZ Web determines is not due to any error or deficiency in the Service (e.g. without limitation, issues or problems caused by stand-alone third party software products used in conjunction with the Service);

 

         (ii) in case of a Service Incident, the Response Time Objective shall not apply and instead EZ Web will implement its Service Incident communication process related to the availability/uptime of the Service. A “Service Incident” is an unplanned event affecting multiple EZ Web customers where the Service becomes unavailable or the performance of the Service is degraded as to render the Service unusable.

 

4. Disclaimers

    

EZ Web makes no representation, warranty or commitment as to the timing of resolution or ability to resolve any support request. Nothing in this Exhibit B shall be deemed to modify or limit the disclaimer of warranties set forth in the Agreement.

5. Availability Uptime

EZ Web represents and warrants that the Service will be available ninety-nine and nine-tenths percent (99.9%) measured monthly (i.e., max forty-three (43) minutes downtime per month) during the Subscription Term, excluding; (i) scheduled maintenances which shall not exceed four (4) hours in a given calendar month (“Scheduled Downtime”) and (ii) unavailability caused by circumstances beyond the reasonable control EZ Web such as an act of God, act of government, flood, fire, earthquake, pandemic, epidemic, civil unrest, act of terror, strike or other labor problem, or internet service provider’s failure or delay (“Force Majeure Downtime”); provided that EZ Web will provide Reseller and Customer with at least seven (7) day advance written notice of Scheduled Downtime and written notice of Force Majeure Downtime as soon as reasonably practicable. EZ Web may make exceptions in the provision of Service due to urgent security updates or issues that are causing critical problems in provision of the Service; provided that EZ Web will provide Reseller and Customer with advance written notice detailing such downtime as soon as reasonably practicable. Customer’s sole and exclusive remedy for breach of the above service availability warranty shall be additional periods of service, calculated at two (2) times the period of a properly reported downtime (“Down Time Service Credits”). In order to receive Down Time Service Credits, EZ Web must be notified in writing within seven (7) calendar days from the time of downtime.  In the event the Service Availability falls below 99% during three (3) consecutive months of the term of this Agreement, Customer may terminate this Agreement, in whole or in part, without penalty, cancellation, or early termination fee upon written notice to EZ Web, and EZ Web shall promptly refund amounts prepaid by Customer for service as of the effective date of termination. The foregoing represents Customer’s sole and exclusive remedy for breach of the performance warranty.  To receive the Down Time Service Credit, Customer must provide notice of the claim within sixty (60) days of the end of the month in which the incident that is the subject of the claim occurred. EZ Web will evaluate all information reasonably available and make a final, good faith determination as to whether a Down Time Service Credit is owed. The notice Customer provides in support of the request for a Down Time Service Credit must include all relevant information including the IP address, full description of the incident, and any logs. Failure to provide such notice will forfeit the right to receive Down Time Service Credits. Blocking of data communications or Service by EZ Web in accordance with this Agreement shall not be deemed to be a failure to provide adequate service availability.    

Customer understands that the above service availability warranties shall not apply if: (a) the Service is not used in accordance with the Agreement or other documentation; (b) any non-conformity is caused by Customer, or by any product or service not provided by EZ Web; or (c) the Service is provided for no fee.

To the extent that EZ Web provides Down Time Service Credits to Customer, EZ Web and Reseller will cooperate in good faith to facilitate the offer of such Down Time Service Credits to Customer.

 

Exhibit C - Information Security Measures

EZ Web warrants and represents that it shall use commercially reasonable efforts to implement and maintain the security measures detailed below to keep all content, materials, data (including personal data) and non-public information provided or made available by Customer to EZ Web through the use of the Service (collectively, “Data”) secure and protect Data against unauthorized or unlawful processing, accidental loss, destruction or damage, as further set forth below. In doing so, EZ Web will act in good faith and diligence, using reasonable care and skill.

 

1. Definitions:

Unless otherwise defined, capitalized terms contained in this Exhibit C shall have the same meaning as provided in the Agreement.

 

●  “Process” means any operation in relation to Data irrespective of the purposes and means applied, including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.

●  “Breach” means any (a) unauthorized Processing of Data due to any act or omission that compromises or undermines the physical, technical, or organizational safeguards of the EZ Web’s security obligations listed in this security addendum regarding Processing of Data, or; (b) any act or omission impacting Data that violates applicable law. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer. A “Breach” shall not include: (a) breach of Data resulting from Customer’s or the Reseller’s negligence, bad faith, fraudulent acts or omissions, or intentional or willful misconduct; or (b) except for EZ Web’s subcontractors or subprocessors whose products or services are incorporated into the Service by EZ Web, a breach of Data resulting from any and all acts or omissions of any other third party that Customer integrates with the Service; or (c) breach of Data that was already available or known to the public through no fault or breach of security obligations by EZ Web.

 

2. Measures: Technical and organizational measures for the storage, handling, and disposal of and Data.

●  EZ Web will utilize industry standard encryption algorithms and key strengths to encrypt the following:

●  Encrypt all Data that is in electronic form while in transit over all public wired networks (i.e. Internet) and all wireless networks. 

●  Encrypt all Data while in storage. “In Storage” means information stored in databases, in file systems, and on various forms of online and offline media (Mobile devices, laptops, DASD, tape, etc.) and is also commonly referred to as “at rest.”

●  Except where prohibited by law, EZ Web will promptly remove Data upon (a) completion of the Service; or (b) request by Customer or Reseller to be removed from EZ Web’s environment, and destroy it within a reasonable timeframe, but in no case longer than twenty-one (21) days after the date of request or cessation of services. EZ Web will provide upon Customer’s or Reseller’s written request a written certification regarding such removal, destruction, and/or cleaning within thirty (30) days of such occurrence.

 

3. Measures: Malicious Code Protection.

●  All workstations and servers (virtual or physical) will run the current version of industry standard anti-virus and/or anti-malware software with the most recent updates available on any workstation or server. Virus definitions must be updated promptly upon release by the anti-virus software provider. EZ Web will configure equipment and have supporting policies to prohibit users from disabling antivirus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Data or EZ Web’s computing environment.

●  EZ Web will scan incoming and outgoing content for malicious code on all gateways to public networks including email and proxy servers.

●  EZ Web will quarantine or remove files that have been identified as infected and will log the event.

 

4. Measures: Technical and organizational measures for access control, especially to control the legitimacy of authorized entrants to the facilities and systems where Data may be accessed:

●  EZ Web ensures measures are taken to secure the premises (for example, securing entries and exits) as well as measures within its building through the use of the following procedures:

●  security and encryption of all personal computers or other mobile devices that may access Data;

●  limited access to employees and contractors except for authorized visitors; 

●  identification of the persons having access authority;

●  restriction on keys;

●  visitors books (including timekeeping); and

●  security alarm system or other appropriate security measures.

 

EZ Web will revoke access to physical locations, systems, and applications that contain or process Data within twenty-four (24) hours of the cessation of such authorized agent’s need to access the system(s) or application(s).

 

5. Measures: Technical (password / password protection) and organizational (user master record) measures concerning user identification and authentication:

EZ Web shall inform Customer upon its reasonable request which authorized persons are entrusted with access to Data.

 

User control shall include the following measures:

●  restricted VPN profile;

●  implementation of 2-factor authentication

 

Access control to Data shall include the following measures:

●  effective and measured disciplinary action against individuals who access data without authorization.

 

6. Measures: Technical and organizational measures concerning the security of networks (including wireless networks) utilized by EZ Web.

 

All network controls shall include the following measures:

●  On a regular basis, EZ Web will run internal and external network vulnerability scans.  Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.

●  EZ Web will deploy reasonably appropriate firewall technology in operation of its networks.

●  At a minimum, EZ Web will review firewall rule sets quarterly to ensure that legacy rules are removed and active rules are configured correctly.

●  EZ Web will deploy intrusion detection or prevention systems in order to monitor networks for inappropriate activity.

●  EZ Web shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year.

 

Wireless network controls shall include the following additional measures:

 

●  Network access to wireless networks should be restricted only to those authorized.

●  Access points shall be segmented from an internal, wired LAN using a gateway device.

●  The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value.

●  Encryption of all wireless connections will be enabled using industry standard encryption algorithms. Encryption protocols will be based on “Wireless Protected Access” (WPA2) or stronger.

 

7. Measures: EZ Web will maintain a Breach response function capable of identifying, mitigating the effects of, and preventing the recurrence of Breaches. If a Breach occurs, EZ Web will without undue delay after becoming aware of a Breach of Data make reasonable efforts to: (i) take all necessary steps to prevent any further compromise of Data or any future Incidents; (ii) notify Customer within twenty-four (24) hours of the Breach being identified and provide a written report within three (3) days thereafter; and (iii)  respond to any reasonable request from Customer for detailed information pertaining to the Breach. EZ Web’s notice and report will contain a description of the Breach that is reasonably available to EZ Web which may include the nature of the Breach, its impact, and any investigative, corrective, or remedial actions taken or planned. EZ Web’s response to a Breach shall not be construed as an acknowledgement by EZ Web of any fault or liability with respect to the Breach.

 

8. Measures: Business Continuity & Disaster Recovery. EZ Web shall on the request of Customer provide Customer commercially reasonable and industry standard business continuity plan to maintain availability of the Service (the “Continuity Plan”).  The Continuity Plan does and shall include, but is not limited to, elements such as (a) crisis management, plan and team activation, event & communication process documentation; (b) event management, business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, and system(s) details, recovery activities, and identification of the people / teams required for such recovery.  EZ Web shall maintain such Continuity Plan throughout the term of all subscriptions; provided that EZ Web shall have the right to modify or amend the Continuity Plan provided such modification or amendment does not have a material adverse effect on EZ Web’s ability to maintain availability of the Service.

 

At Customer’s request, EZ Web shall make commercially reasonable modifications to its information security program or to the procedures and practices thereunder to conform to Customer’s baseline security requirements as outlined in all applicable exhibits to the Agreement and as they exist from time to time.  Customer shall provide EZ Web with documentation of such baselines, which shall be part of Customer’s confidential information under the Agreement.  EZ Web shall develop a written information security plan for Customer containing, at a minimum, the topics called for in this Agreement.

Exhibit D – EZ Web Implementation Terms

These EZ Web Implementation Terms for AssetSonar (“Implementation Terms”) are entered into by and between EZ Web and the Customer.

1. EZ Web will commence the following onboarding services for the Customer against the applicable implementation fees highlighted in the Zendesk SOW.

 

2. The AssetSonar team may fine-tune the implementation plan and timeline for You based on:

 

a. Level of IT proficiency

b. Knowledge of the system, starting from pre-sales interactions,

c. Readiness to deploy

d. Availability of IT and non-IT asset data

 

3. Time assigned for each of the above implementation and onboarding tasks performed by EZ Web depends on the subscription size of your account:

 

a. For subscription accounts less than 5,000 devices, the total number of hours devoted by EZ Web for implementation and onboarding under the Zendesk SOW shall not exceed 15 hrs.

 

b. For subscription accounts between 5,001 and 10,000 devices, the total number of hours devoted by EZ Web for implementation and onboarding under the Zendesk SOW shall not exceed 30 hrs.

 

c. For subscription accounts between 10,001 and 15,000 devices, the total number of hours devoted by EZ Web for implementation and onboarding under the Zendesk SOW shall not exceed 45 hrs.

 

d. For subscription accounts greater than 15,000 devices, the total number of hours devoted by EZ Web for implementation and onboarding under the Zendesk SOW shall not exceed 60 hrs.

 

For extended training time or individual support requests beyond the above limits, professional support services shall have additional charges.

Exhibit 1

Myndbend Terms of Service

TERMS OF SERVICE

These TERMS OF SERVICE (“Agreement”) are made and entered into as of the date specified on the applicable Zendesk SOW (the “Effective Date”) by and between you, (“Client”) and Billow Myndbend, Inc. (“Vendor”), a New York Corporation located at 33 Irving Place, New York, New York 10003.  Client and Vendor may each be referred to herein as a “party” or collectively as the “parties”.

1. Vendor is a provider of online applications (“Applications”) and Internet hosting services, as well as related technical support and consulting services, as described in Exhibit A, Exhibit B, and in Client’s applicable Zendesk SOW(s) (as defined below);

2. Client desires to have Vendor provide the Applications and the hosting services and related technical support and other services (together, the “Services” or “Cloud Service”); and

3. The parties desire to agree upon the terms and conditions upon which the Cloud Service and the related services are provided.

4. The parties agree that Zendesk, Inc., a Delaware corporation, and any of its applicable affiliates (“Zendesk”), will process billing to Client for the Vendor Cloud Service and Applications ordered by Client under this Agreement, pursuant to the applicable Zendesk SOW(s). “Zendesk SOW(s)” shall means the statement of work issued by Zendesk to Client that sets forth, without limitation, the service plan, fees, billing, and term of Client’s subscription to the Vendor Cloud Service and Applications under this Agreement.

NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the parties, the parties, intending to be legally bound, agree as follows:

1. Applications and Services

1.1. Applications.  Vendor hereby grants to Client a nonexclusive, limited, non-transferable, worldwide, royalty-free right and license to access, use, display and perform the Applications during the Term. Notwithstanding the foregoing, nothing in this Agreement shall be construed as giving Client, its Affiliates and its and their contractors, any right to, and Client, its Affiliates and its and their contractors shall not, and shall not permit or assist any other party to, modify any of the Applications or otherwise make copies of all or part of the Applications onto any media, except as may be expressly and clearly permitted by this Agreement.  Client, its Affiliates and its and their contractors agree that they shall not, and shall not permit or assist any other party to, disassemble, decompile or reverse engineer all or any part of the Applications.  Except as expressly set forth herein, Client, its Affiliates and its and their contractors shall not use, duplicate, transfer, sell, distribute or otherwise disclose the Applications to any other party.  Vendor shall own and retain all intellectual property rights in the Application and all back-end components and software code (both in compiled and source code form), that are proprietary to Vendor and/or incorporated by Vendor into the Applications; and any enhancements, modifications, or derivatives of any of the foregoing. 

1.2. Online Terms and SOW.  Client’s use of the Applications shall be subject to Vendor’s Privacy Policy, found on Vendor’s website - myndbend.com/privacy, respectively. Vendor’s Privacy Policy referenced hereunder shall be an integral part of this Agreement and is hereby incorporated thereto. The Zendesk SOW shall govern the applicable billing and payment terms between Client and Zendesk for Client’s subscription to the Vendor Cloud Service and Applications under this Agreement.

1.3. Cloud Service; Consulting Services.  Vendor shall provide Client and its Affiliates the Cloud Service and certain consulting services (the “Consulting Services”) during the Term, as described in Exhibit A and the applicable Zendesk SOW.

1.4. Client Data.  Client hereby authorizes Vendor to access, use and display Client Data (as defined below) as requested by Client solely for the purpose of providing the Cloud Service under the terms of this Agreement for the benefit of Client and its Affiliates and for no other purpose of Vendor or of any other party. To the extent that Client provides any Client Data to Zendesk, Client hereby authorizes Zendesk to access, use, and display such Client Data as necessary to process billing to Client for the Vendor Cloud Service under this Agreement or as otherwise requested by Client.  Nothing in this Agreement shall be construed as giving Vendor any right to, and Vendor shall not, and shall not permit or assist any other party to, modify any of the Client Data or otherwise make copies of all or part of the Client Data onto any media, except as may be expressly and clearly permitted by this Agreement. Except as expressly set forth herein, Vendor shall not use, duplicate, transfer, sell, distribute or otherwise disclose the Client Data to any other party.  “Client Data” means data provided by Client or its Affiliates in any form, and data used, generated or stored in connection with Client’s and its Affiliates’ use of the Cloud Service. Client Data shall include any information by which a Client may be personally identified, such as name, e-mail address, telephone number, credit card information and billing address (“Personal Information”).

1.5. Reservation of Rights.  Vendor shall be free at all times to use and employ its general skills, know-how, methodologies, algorithms, techniques and expertise relating to the Cloud Services, and the other activities undertaken by it in the course of this Agreement, provided that in doing so Vendor does not breach its obligations of confidentiality to Client under this Agreement. So long as the Vendor is in compliance with the provisions of this Agreement relating to the confidentiality of the Client Data, Client acknowledges and agrees that Vendor shall have the right to provide to third parties services that are the same or substantially similar to the Cloud Services, and to use or otherwise use any Vendor materials in providing such services.

1.6. Competitors.  Client may not use our Services if you are a direct competitor of the Vendor, except with Vendor's prior written consent. Client may not use the Services for the purposes of monitoring performance, availability, functionality, or for any benchmarking or competitive purposes.

2. Term and Termination

2.1. Term.  This Agreement shall commence upon the Effective Date hereof and, unless otherwise terminated in accordance with the terms of this Agreement and/or the applicable Zendesk SOW, shall remain in full force and effect for the term set forth on such Zendesk SOW (the “Term”).  

2.2. Non-Renewal.  Client may terminate this Agreement as of the end of Client’s then-current Term set forth on the applicable Zendesk SOW upon 30 days’ prior written notice to Vendor and Zendesk. 

2.3. Termination for Cause.  Either party may terminate this Agreement if the other party is in breach of this Agreement and fails to cure such breach within 15 days after the non-breaching party provides notice of the breach. Either party also may terminate this Agreement immediately upon notice if the other party (a) is liquidated, dissolved, or adjudged to be in a state of bankruptcy or receivership, (b) is insolvent, unable to pay its debts as they become due, makes an assignment to or for the benefit of its creditors or takes advantage of any law for the benefit of debtors, (c) ceases to conduct business for any reason on an ongoing basis leaving no successor in interest, or (d) enters into a contract for the sale of more than 50% of its business or assets or a contract related to a merger or consolidation of its business, or transfers control of any portion of its business or assets, and the party has reasonable grounds for insecurity with respect to such anticipated acquirer’s or successor’s performance or ability to perform or compliance or ability to comply with the other party’s obligations under this Agreement. 

3. Fees and Payment

3.1. Payment.  Client shall remit payment for the Cloud Service provided under this Agreement in accordance with the applicable Zendesk SOW. Client agrees to promptly update its account information with any changes that may occur.

3.4 No Refund for Downgrade; Plan Modifications. No refunds or credits for subscription charges or other fees or payments will be provided to Client if Client elects to downgrade its service plan. Downgrading a service plan may cause loss of content, features, or capacity of the Services as available to Client under its account, and Vendor does not accept any liability for such loss. Any modifications to Client’s subscription for Cloud Services under this Agreement, including without limitation a change to the licenses or number of agents authorized to use the Cloud Services, must be issued under a new Zendesk SOW.

4. Subcontractors

Vendor shall be entitled to use or engage consultants or independent contractors (“Subcontractors”) to provide any of the services hereunder.

5. Insurance

Insurance.  Vendor shall, at its sole expense, throughout the performance of its services pursuant to the Agreement, maintain commercial general liability insurance and applicable Technology, Cyber, Data Risk, and Media Insurance.

 

6. Confidentiality; Security; Privacy; 

6.1. Confidential Information.  Either party or any of its Affiliates may, during the course of its provision of the Cloud Service hereunder, have access to, and acquire knowledge (the “Receiving Party”) from discussions with the other party or any of its Affiliates (the “Disclosing Party”) and from material, data, systems and other information of or with respect to the Disclosing Party which may not be accessible or known to the general public, including, but not limited to, any Client Data, information concerning hardware, software, designs, drawings, specifications, techniques, processes, procedures, data, research, development, future projects, products or services, projects, products or services under consideration, content under development, business plans or opportunities, business strategies, contracts, relationships, finances, costs, vendors, customers or employees and other third party proprietary or confidential information that the Disclosing Party treats as confidential (“Confidential Information”).  The Receiving Party shall treat the existence of this Agreement and the provision of the Cloud Service hereunder as Confidential Information.  All Confidential Information and any knowledge acquired by the Receiving Party from any discussions, materials, data, systems, information or otherwise through its engagement hereunder shall be held in confidence and shall not be used by the Receiving Party other than for the limited purposes provided under this Agreement (including disclosure to third parties at the direction of the Disclosing Party of information specifically approved for disclosure to such parties by the Disclosing Party) or used, published or divulged by the Receiving Party in connection with any products sold or services rendered by the Receiving Party to any other person, firm or corporation, in any advertising or promotion regarding the Receiving Party or its products or services, or in any other manner or connection whatsoever without first having obtained the written permission of an officer of the Disclosing Party (Vice President or higher), which permission may be withheld by the Disclosing Party in its sole discretion.  

6.2. Limitation on Disclosure.  The Receiving Party further agrees to limit disclosure of the Confidential Information to those of its employees and Subcontractors who have a need to know the information to effect the use permitted herein.  The Receiving Party agrees to protect the Confidential Information with the same degree of care normally used to protect its own similar confidential information, but in no event less than that degree of care as may be reasonably necessary to prevent any Confidential Information from being disclosed or used for other than the purpose specified in this Agreement.

6.3. Ownership of Confidential Information.  All rights in and title to the Confidential Information supplied by the Disclosing Party or an Affiliate, shall remain in that party.  Neither the execution and delivery of this Agreement, nor the furnishing of any Confidential Information shall be construed as granting to the Receiving Party either expressly, by implication, estoppel or otherwise, any license under any invention, copyright, trade secret or patent now or hereafter owned or controlled by the party furnishing the same, nor any right to use, sell, develop, exploit or copy the Confidential Information made available to the Receiving Party, except to fulfill the purpose of this Agreement.

6.4. Return of Confidential Information.  The Receiving Party agrees that, unless earlier returned, any Confidential Information disclosed to it and all copies thereof shall be returned to the Disclosing Party promptly following the Disclosing Party’s written demand therefor or at the completion of the use by the Receiving Party permitted herein.  In the event of termination or expiration of this Agreement, the Receiving Party shall, within 14 days following the date of termination or expiration, provide to the Disclosing Party all Confidential Information in a commercially standard database export format, together with a certification by an officer of the Receiving Party that all Confidential Information has been removed from the Receiving Party’s systems.

6.5. Exclusions.  Confidential Information shall not include any information that: (a) has entered or subsequently enters the public domain without the Receiving Party’s breach of any obligation under this Agreement, (b) was known to the Receiving Party prior to the Disclosing Party’s or an Affiliate’s disclosure of such information to the Receiving Party, (c) is obtained from a third party without violation of an obligation of nondisclosure and without restrictions on its disclosure, or (d) is independently developed by the Receiving Party without reference to or use of the Disclosing Party’s or its Affiliates’ Confidential Information.  

6.6. Export Restriction.  The Receiving Party agrees not to export, directly or indirectly, any technical data acquired from the Disclosing Party or an Affiliate hereunder or any product utilizing any such data to any country for which the U.S. Government or any agency of the U.S. Government at the time of export requires an export license or other governmental approval, without first obtaining such license or approval.

6.7. Information Request.  Upon receipt by the Receiving Party of any request, demand, notice, subpoena, order or other legal information request relating to legal proceedings or investigations by third parties relating to Confidential Information (each a “Legal Information Request”), the Receiving Party shall immediately notify the Disclosing Party and provide the Disclosing Party with a copy of all documentation of such Legal Information Request, to the extent the Receiving Party may legally do so, and shall cooperate with the Disclosing Party in responding to such Legal Information Request. the Receiving Party and any Subcontractor shall not disclose any Confidential Information to any such third party without advance consent from the Disclosing Party, or until the Disclosing Party has had a reasonable opportunity to contest the Legal Information Request or, if the Receiving Party or such Subcontractor is legally prohibited from informing the Disclosing Party of such Legal Information Request prior to disclosure, the Receiving Party or such Subcontractor shall resist such Legal Information Request on behalf of the Disclosing Party to the extent it can reasonably do so.  In any event, the Receiving Party or any Subcontractor must notify the Disclosing Party of any such Legal Information Request at the earliest time it is not legally prohibited from doing so.

6.8. Security. In performing its services for Client, the Vendor will undertake commercially reasonable efforts to comply with the Vendor’s Information Security Program, as amended, which may be provided to Client upon written request to the Vendor. Furthermore, Vendor warrants and represents that it shall use commercially reasonable efforts to implement and maintain the security measures set forth in Exhibit B.

6.9. Data Processing Agreement. The Parties agree to the Data Processing Agreement set forth in Exhibit C, which shall apply, as applicable, to the Parties’ processing of personal data (as defined therein) through the Cloud Services and Applications.

7. Indemnification; Disclaimer; Limitation of Liability

7.1. By Vendor.  Vendor, at its own expense, shall defend, indemnify and hold Client, its Affiliates and each of  their officers, directors, employees, agents, successors and assigns harmless from and against all suits, claims, demands, penalties, fines, charges, proceedings, causes of action, damages, losses, liabilities, costs and expenses of any nature whatsoever (including attorneys’ fees) (“Losses”), that result from or arise out of the actual or alleged misappropriation or infringement of any Intellectual Property Rights in connection with the Cloud Service. 

7.2. By Client.  Client agrees to indemnify, defend and hold harmless Vendor, its officers, directors, and employees, from and against any and all Losses, to the extent arising out of a third party claim that: (i) arises out of the gross negligence or willful misconduct of Client; (ii) results from breach by Client of this Agreement including without limitation, its representations, warranties or covenants; (iii) results from Client’s use of the services and Applications under this Agreement; and (iv) any violation of applicable foreign, provincial, federal, state or local laws, rules or regulations; and (v) any violation of any third party rights, contracts or licenses.

7.3. Disclaimer of Warranties. The Cloud Services and the Applications are provided to Client "as is."  Except as expressly set forth herein, including Exhibit A and Exhibit B, Vendor expressly disclaims all warranties, express, implied or statutory, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, and any warranties arising out of course of dealing, usage, or trade.  Vendor does not warrant that the Cloud Services will meet Client's requirements or that the operation of the Cloud Services will be error-free or uninterrupted.  Vendor shall not be liable to Client or any third party for any unavailability or inoperability of the Cloud Services, telecommunications systems or the Internet, third party subcontractors, technical malfunction, failure of third party software used to provide the Cloud Services, computer error, corruption or loss of information, or other injury, damage or disruption of any kind beyond the reasonable control of Vendor.  Vendor makes no representations or warranties with respect to any third party licensed products, services, or web sites.

 7.4 Limitation of Liability.  In no event will Vendor be liable to Client, its Affiliates and each of their officers, directors, employees, agents, successors and assigns, for (i) any special, indirect, incidental or consequential damages (including without limitation, loss of use, data, business or profits or costs of cover) arising out of or in connection with this Agreement whether such liability arises from any claim based upon contract, warranty, tort (including negligence), product liability or otherwise, and whether or not such party has been advised of the possibility of such loss or damage; (ii) any damages or Losses relating to the functioning of any applications provided by third parties, including, without limitation, such applications provided by Zendesk, Inc., Hootsuite, Inc. or their affiliates.  Vendor’s cumulative liability to Client or any third party, from all causes of action and all theories of liability, will be limited to and will not exceed the fees paid to Vendor under this Agreement in the twelve (12) months preceding the claim.

8. Assignment

This Agreement is not transferable or assignable by either party, whether in whole or in part, voluntarily or by merger, consolidation or sale, or otherwise by operation of law without the prior written consent of the other party; provided that Vendor may assign the Agreement to a parent, majority or minority owned affiliate, and provided further that Vendor may assign this Agreement to any entity that acquires all or substantially all of its assets or upon any other event of merger, consolidation or change of control.  Subject to the foregoing, this Agreement and each and every provision hereof, shall be binding upon and shall inure to the benefit of the parties and their respective permitted successors and assigns.

9. Promotion

If approved in writing by Client, Vendor may use the name of the Client or any of its Affiliates in any advertising, publicity or promotion or other disclosure. 

10. Miscellaneous

10.1. Notices.  Any notice or other communication required or permitted to be given hereunder shall be given in writing and delivered in person, mailed or delivered by recognized courier service, properly addressed and stamped with the required postage, to the intended recipient at its address specified below and shall be deemed effective upon receipt.  Either party may from time to time change its address by giving the other party notice of the change in accordance with this Section 13.1:

If to Client: To Client’s address, as provided to Vendor

If to Vendor: Billow Myndbend, Inc.

PO Box 150306

Brooklyn, New York  11215

Any notices between Client and Zendesk shall be made as set forth on the applicable Zendesk SOW.

10.2. Severability.  If any provision of this Agreement is held to be illegal, invalid or unenforceable under present or future law effective during the Term, such provision shall be fully severable and this Agreement shall be construed and enforced as if such illegal, invalid or unenforceable provision never comprised a part hereof, and the remaining provisions hereof shall remain in full force and effect and shall not be affected by the illegal, invalid or unenforceable provision or by its severance here from.

10.3. Waivers.  Waivers, to be binding, must be made by writing, referring to this Agreement and signed by the party whose right is waived.  No waiver of the terms of this Agreement or failure by either party to exercise any option, right or privilege on any occasion or through a course of dealing shall be construed to be a waiver of the same on any other occasion.

10.4. Headings.  The section headings used in this Agreement are provided solely for reference and the convenience of the parties, form no part of this Agreement and shall not affect its interpretation.

10.5. Disputes.  Any dispute, controversy or claim arising out of or relating to this Agreement, or the breach hereof, shall be referred to senior management of the parties for good faith discussion and resolution.  If any dispute, controversy, or claim cannot be resolved by such good faith discussion between the parties, then each shall have all remedies available to them at law and in equity. 

10.6. Governing Law.  The laws of the State of New York and the laws of the United States shall govern the interpretation and enforcement of this Agreement, without giving effect to principles of conflicts of law.  The provisions of the United Nations Convention on the International Sale of Goods and the Uniform Computer Information Transactions Act, however designated, are excluded and shall not apply to this Agreement or any transactions hereunder.  Any action or proceeding brought by either party against the other party arising out of or related to this Agreement shall be brought exclusively in a state or federal court of competent jurisdiction located in New York City, New York. Notwithstanding any of the foregoing, the Parties will undertake reasonable efforts to solve any disputes in an amicable manner.  THE PARTIES HEREBY WAIVE TRIAL BY JURY WITH RESPECT TO ANY SUCH ACTION OR PROCEEDING.

10.7. Remedies.  No remedy herein conferred is intended to be exclusive of any other remedy, and each and every such remedy shall be cumulative and shall be in addition to every other remedy given hereunder or now or hereafter existing at law or in equity or by statute or otherwise.

10.8. Independence.  Vendor is an independent contractor and nothing herein shall be construed to create a partnership, employment, agency, or other joint venture relationship between Vendor and Client. 

10.9. Entire Agreement.  This Agreement, the Vendor’s online documents found at myndbend.com and the exhibits attached hereto constitute the entire agreement of the parties as to the subject matter covered herein and supersede all prior oral or written agreements, proposals, understandings, representations, conditions and promises relating thereto and any shrink-wrap, click license or web-posted terms and conditions (whether made available before, on or after the date hereof).  In the event of a conflict between the terms and conditions of this Agreement (without exhibits) and the terms of the exhibits, the terms and conditions of this Agreement (without exhibits) shall govern; provided, however, that any SOWs shall prevail over the Agreement and its exhibits. This Agreement may not be modified or amended except by a written instrument referring to this Agreement and signed on behalf of both parties.

10.10. Counterparts.  This Agreement may be executed in counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument.

10.11. Force Majeure/Failure of Suppliers.  Neither party shall be in breach of this Agreement or responsible for damages caused by delay or failure to perform, in full or in part, its obligations hereunder, provided that there is due diligence in attempted performance under the circumstances and that such delay or failure is due to fire, earthquake, unusually severe weather, strikes, government sanctioned embargo, flood, act of God, act of war or terrorism, act of any public authority or sovereign government, civil disorder, delay or destruction caused by public carrier, or any other circumstance reasonably beyond the control of the party to be charged.  Vendor shall endeavor to guard against any loss to Client as the result of the failure of third party suppliers to properly execute their commitments, but Vendor shall not be responsible for any such failure under any circumstance.

10.12. Exhibits.  Exhibit A, Exhibit B, and Exhibit C are incorporated into this Agreement wherever referenced.

10.13. Survival.  Sections 1.3, 2, 4, 5, 6, 7, 8, 9 and 10 shall survive termination or expiration of this Agreement.

EXHIBIT A

Applications and Hosting Services; Technical Support and Other Services

1. Description of Applications

1. Applications.  Myndbend Process Manager. 

Vendor will implement and configure the Application within Client’s Zendesk instance to enable Client to create and relate child tickets to parent tickets and enable the child tickets to be used to manage and track approvals for each request.

2. Documentation. The Application(s) shall perform all functions and include all features described in Vendor’s online documentation for the Applications, as described on the webpage https://support.myndbend.com  

2. Description of Hosting Services

2.1. Hosting Services.  Vendor will be responsible for installing, hosting, operating, maintaining and securing the Applications and the Client Data.  Hosting services shall include the following services:

(a) Ensure that Client has on-line access to the Applications.

(b) Provide reasonable routine monitoring and corrective action.

(c) Implement routine back-up procedures.

(d) Implement recovery procedures.

(e) Provide helpdesk support and other technical support as set forth in this Exhibit A to assist Client with the optimal operation of the Applications.

(f) Install and maintain appropriate IT security measures for the Applications.

(g) Maintain the Applications and network infrastructure in a manner that is designed to prevent unauthorized modification of Client Data or the Data Center and unauthorized disruption of the Applications, and designed to protect the privacy of Client Data.

(h) Implement a token-based access control system and/or other mutually agreed upon security mechanisms designed to prevent unauthorized access to the Client server environment, and evolve the environment as required to address ongoing security needs and threats as these may evolve from time to time.

3. End of Life Notice

 

3.1. Vendor will provide Client with at least six (6) months advance notice of any feature end of life or deprecation. Notice will be provided as described in the Agreement, or as otherwise agreed between the parties.

Consulting Services

1. Description of Consulting Services. Vendor shall provide the consulting services described in the applicable Zendesk SOW, which shall be subject to this Agreement.

Technical Support and Other Services

1. Technical Support Services

1.1. Definitions

In this Exhibit A:

a) “Level 1 Support” means the first level of support given to Client by the Vendor to collect customer input, verify symptoms, and escalate, if required, to Level 2 Support.

(b) “Level 2 Support” means the second level of support given by the Vendor to Client that addresses Cloud Service and Applications operational and infrastructure issues and resolutions.

(c) “Level 3 Support” means the third level of support given by the Vendor that covers the resolution of application code bugs or infrastructure code.

(d) “Vendor Support Hours” for non-Critical and non-Major Business Impact issues means between 03:00 and 18:00 Eastern Time on a business day (Monday - Friday, every week of the year). Support hours and response obligations for Critical and Major Business Impact issues are as described below.     

2. Vendor Support Obligations

The Vendor shall provide Client with all support in relation to issues identified by Zendesk or Client and reported to Vendor. These support services will be provided by means of the Zendesk help desk ticket system.

The Vendor shall respond to requests for support:

(a) with respect to Critical Business Impact issues, within thirty (30) minutes twenty-four (24) hours a day, three hundred and sixty-five (365) days a year. Vendor shall provide Client (and Zendesk, if such Critical Business Impact issues relate to Client support requests forwarded to Vendor by Zendesk) updates on Critical Business Impact issues every thirty (30) minutes until the issue is resolved. Critical Business Impact shall be defined as an issue that disrupts material functionality within the production environment in the Cloud Service or Applications or compromises the security/integrity of data in the Cloud Service or Applications. Critical Business Impact issues will remain so long as the disruption is ongoing, the need for resolution is acutely time-sensitive, with no reasonable workaround available;

(b) with respect to Major Business Impact issues within one (1) hour, twenty-four (24) hours a day, three hundred and sixty-five (365) days a year. Vendor shall provide Client (and Zendesk, if such Critical Business Impact issues relate to Client support requests forwarded to Vendor by Zendesk) updates on Major Business Impact issues every hour (1) until the issue is resolved. Major Business Impact shall be defined as an issue that degrades a material functionality or significantly disrupts or degrades an Client’s normal business operation. The issue is in Client’s production environment and is highly time-sensitive and/or a significant unplanned effort is required to workaround the issue to maintain normal business operations; 

(c) for other issues and enquiries, within six (6) Vendor Support Hours;

(d) to resolve issues raised to it within a commercially reasonable timeframe; and

(e) by providing ongoing updates on unresolved issues at least once a week until the issue is successfully resolved.

1.2. Telephone and E-Mail Support.  Throughout the term of this Agreement, Vendor shall provide the following minimum levels of telephone and e-mail support to Client:

1. Telephone and e-mail consultation services, including problem solving, bug reporting, documentation clarification and technical guidance for the Cloud Service.  Vendor will assist Client in identifying, verifying and attempting to resolve problems in the Cloud Service.  Telephone and e-mail consultations will be available during Vendor Support Hours in accordance with this Exhibit A.
2. Priority processing of technical assistance requests.

1.3. Back-Up and Recovery Requirements.  Vendor shall perform the regular back-up services with respect to all Client Data stored in connection with Client’s use of the Cloud Service.

1.4. Availability Uptime/SLA.  Vendor represents and warrants that the Applications and Cloud Service will achieve a monthly availability percentage of at least 99.9% in any calendar month (i.e. max forty-three (43) minutes of downtime per month) during the Term. Planned maintenance/downtime shall be limited to under four (4) hours in a given month and Vendor will provide at least seven (7) day advanced written (email acceptable) notice to Zendesk and Client of such unavailability (“Scheduled Downtime”). 

(End of Exhibit A)

 

EXHIBIT B – Information Security Measures

Vendor warrants and represents that it shall use commercially reasonable efforts to implement and maintain the security measures detailed below to keep all content, materials, data (including personal data) and non-public information provided or made available by Client (collectively, “Data”) secure and protect Data against unauthorized or unlawful processing, accidental loss, destruction or damage, as further set forth below. In doing so, Vendor will act in good faith and diligence, using reasonable care and skill. 

A. Definitions:

• “Process” means any operation in relation to Data irrespective of the purposes and means applied, including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
• “Breach” means any (a) unauthorized Processing of Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by Vendor regarding Processing Data or otherwise put in place to comply with these requirements. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
• “Incident” means any impairment to the security of Data including any (i) act that violates any law or any Vendor security policy, (ii) unplanned service disruption that prevents the normal operation of the Cloud Service or Applications, or (iii) Breach.

2. Measures: Technical and organizational measures for the storage, handling, and disposal of and Data.

• Vendor will utilize industry standard encryption algorithms and key strengths to encrypt the following:
• Encrypt all Data that is in electronic form while in transit over all public wired networks (i.e. Internet) and all wireless networks.  
• Encrypt all Data while in storage. “In Storage” means information stored in databases, in file systems, and on various forms of online and offline media (Mobile devices, laptops, DASD, tape, etc.) and is also commonly referred to as “at rest.”
• Except where prohibited by law, Vendor will promptly remove Data upon (a) completion of Cloud Service or Applications; or (b) request by Client or Zendesk to be removed from Vendor’s environment, and destroy it within a reasonable timeframe, but in no case longer than twenty-one (21) days after the date of request or cessation of services. Vendor will provide Client or Zendesk with a written certification regarding such removal, destruction, and/or cleaning within thirty (30) days of such occurrence.

3. Measures: Malicious Code Protection. 

• All workstations and servers (virtual or physical) will run the current version of industry standard anti-virus and/or anti-malware software with the most recent updates available on any workstation or server.   Virus definitions must be updated promptly upon release by the anti-virus software provider.  Vendor will configure equipment and have supporting policies to prohibit users from disabling antivirus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Data or Vendor’s computing environment.
• Vendor will scan incoming and outgoing content for malicious code on all gateways to public networks including email and proxy servers.
• Vendor will quarantine or remove files that have been identified as infected and will log the event.

4. Measures: Technical and organizational measures for access control, especially to control the legitimacy of authorized entrants to the facilities and systems where Data may be accessed:

• Vendor ensures measures are taken to secure the premises (for example, securing entries and exits) as well as measures within its building through the use of the following procedures:
• security and encryption of all personal computers or other mobile devices that may access Data;
• limited access to employees and contractors except for authorized visitors;  
• identification of the persons having access authority;
• restriction on keys;
• visitors books (including timekeeping); and
• security alarm system or other appropriate security measures.

Vendor will revoke access to physical locations, systems, and applications that contain or process Data within twenty-four (24) hours of the cessation of such Authorized Agent’s need to access the system(s) or application(s).

5. Measures: Technical (password / password protection) and organizational (user master record) measures concerning user identification and authentication:
   
   

The Vendor shall inform Client upon its reasonable request which authorized persons are entrusted with access to Data.

User control shall include the following measures:

• restricted VPN profile;
• implementation of 2-factor authentication

Access control to Data shall include the following measures:

• effective and measured disciplinary action against individuals who access data without authorization.

6. Measures: Technical and organizational measures concerning the security of networks (including wireless networks) utilized by Vendor.

All network controls shall include the following measures:

• On a regular basis, Vendor will run internal and external network vulnerability scans.  Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.
• Vendor will deploy reasonably appropriate firewall technology in operation of its networks. 
• At a minimum, Vendor will review firewall rule sets quarterly to ensure that legacy rules are removed and active rules are configured correctly.
• Vendor will deploy intrusion detection or prevention systems in order to monitor networks for inappropriate activity.
• Vendor shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year.

Wireless network controls shall include the following additional measures:

• Network access to wireless networks should be restricted only to those authorized. 
• Access points shall be segmented from an internal, wired LAN using a gateway device.
• The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value.
• Encryption of all wireless connections will be enabled using industry standard encryption algorithms. Encryption protocols will be based on “Wireless Protected Access” (WPA2) or stronger. 

7. Measures: Vendor will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. If an Incident occurs, Vendor will (i) promptly take all necessary steps to prevent any further compromise of Data or any future Incidents; (ii) notify Client within twenty-four (24) hours of the Incident being identified and provide a written report within three (3) days thereafter; and (iii)  respond promptly to any reasonable request from Client for detailed information pertaining to the Incident. Vendor’s notice and report will contain a description of the nature of the Incident, its impact, and any investigative, corrective, or remedial actions taken or planned.

8. Measures: Business Continuity & Disaster Recovery. Vendor has provided Client commercially reasonable and industry standard business continuity plan to maintain availability of the Service (the “Continuity Plan”).  The Continuity Plan does and shall include, but is not limited to, elements such as (a) crisis management, plan and team activation, event & communication process documentation; (b) event management, business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, and system(s) details, recovery activities, and identification of the people / teams required for such recovery.  Vendor shall maintain such Continuity Plan throughout the term of all subscriptions; provided that Vendor shall have the right to modify or amend the Continuity Plan provided such modification or amendment does not have a material adverse effect on Vendor ability to maintain availability of the Service.

9. At Client’s request Vendor shall make commercially reasonable modifications to its information security program or to the procedures and practices thereunder to conform to Client’s baseline security requirements as outlined in all applicable exhibits to the Agreement and as they exist from time to time.  Client shall provide Vendor with documentation of such baselines, which shall be part of the Client’s confidential information under the Agreement.  Vendor shall develop a written information security plan for the Client containing, at a minimum, the topics called for in this agreement.

 

EXHIBIT C – DATA PROCESSING AGREEMENT

RECITALS

This Data Processing Agreement (the “Data Processing Agreement”), dated as of Effective Date of the Services Agreement by and between Client, as provided on the Zendesk SOW (“Customer”), and Billow Myndbend, Inc., a New York corporation, having its principal place of business at 33 Irving Place, New York, NY 10003 (“Service Provider”). This Data Processing Agreement refers to Customer and Service Provider individually as a “Party” and collectively as the “Parties”. 

WHEREAS, Customer and Service Provider have entered into a separate agreement for Services (as defined below), as may have been amended, amended and restated, supplemented, or otherwise modified from time to time in accordance with its provisions (the “Services Agreement”), which defines Service Provider’s obligations with respect to the provision of Services to Customer; 

WHEREAS, the Service Provider may be processing personal data as part of delivering the Services; 

WHEREAS, it is therefore necessary for the Parties to enter into an appropriate data processing agreement which reflects the roles of the Parties and their obligations under applicable Data Protection Laws and the Parties wish to enter into such an agreement. 

AGREEMENT

NOW, THEREFORE, in consideration of the premises set out above and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows. 

1. DEFINITIONS. Capitalized terms used and not defined in this Data Processing Agreement have the respective meanings assigned to them in the Services Agreement. 

“Affiliate” shall mean any entity that directly, or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the Party. For purposes of this definition, the term “control” means the power (or, as applicable, the possession or exercise of the power) to direct, or cause the direction of, the management, governance, or policies of a given entity, directly or indirectly, through any applicable means (whether through the legal, beneficial, or equitable ownership, of more than fifty percent (50%) of the aggregate of all voting or equity interests or securities of such entity, through partnership, or through some other form of ownership interest, by contract, or other applicable legal document, or otherwise). 

“Applicable Law” shall mean all regional, national, and international laws, rules, regulations, and standards including those imposed by any governmental or regulatory authority which apply from time to time to the person or activity in the circumstances in question. 

“Cloud Service Provider” means any provider of network services, infrastructure, or business applications or services in the cloud (e.g. Amazon Web Services (AWS), Microsoft Azure, Google Cloud, or any other substantially similar service) 

“Controller” has the meaning set forth in the applicable Data Privacy Law. “Customer” has the meaning set forth in the Preamble. 

“Customer Data” shall mean any Personal Data that Service Provider processes as a Processor in providing the Services to a Customer pursuant to this Services Agreement. 

“Data Privacy Law” means, as the case may be, the EU Data Protection Directive 95/46/EC (the “Directive”) or, when applicable, EU General Data Protection Regulation 2016/679 (“GDPR”), the implementing acts of the foregoing by the Member States of the European Union and/or any other Applicable Law or regulation relating to the protection of Personal Data, personally identifiable information or protected health information. 

“Data Processing Agreement” has the meaning set forth in the Preamble. 

“Data Subject” has the meaning set forth in the applicable Data Privacy Law. 

“Effective Date” has the meaning set forth in the Preamble. 

“Member State” means a member state of the European Union and/or the European Economic Area, as may be amended from time to time. 

“Monitoring Service Provider” has the meaning set forth in Section 9.3(e). 

“Party” has the meaning set forth in the Preamble. 

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be defined, directly or indirectly, notably but not limited to by reference to a user identification such as a name, an identification number, geo-location data, an online user identification, or by reference to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural, or social identity, including, without limitation, “personal data” as that term is used in a Data Privacy Law (even if no Data Privacy Law applies to the Customer or provider), “protected health information” as that term is used under the Health Insurance Portability and Accountability Act (even if such act is not applicable to Customer or Provider), “nonpublic personal information” as that term is defined under the Gramm-Leach-Bliley Act (even if such act is not applicable to Customer or Provider), and all other personal information protected under any Applicable Law. 

“Process” has the meaning set forth in the applicable Data Privacy Law.

“Processing” has the correlative meaning to Process as set forth in the applicable Data Privacy Law.

“Processor” has the meaning set forth in the applicable Data Privacy Law.

“Security Incident” has the meaning set forth in Section 7.1.

“Service Provider” has the meaning set forth in the Preamble. 

“Services” means the provision of services or other work products by the Service Provider as described and set out in the Services Agreement, and such other services as the Parties may agree upon in writing from time to time. 

“Services Agreement” has the meaning set forth in the Preamble. 

“Subprocessor” means a third party engaged by Service Provider to assist with the provision of the Services which involves the processing of Customer Data, including, without limitation, Cloud Service Providers. 

“Term” is the term of the Services Agreement. 

2. RELATIONSHIP WITH SERVICES AGREEMENT. For the avoidance of doubt, unless there is any conflict or inconsistency between the provisions in the Services Agreement and this Data Processing Agreement (in which case, to the extent this Data Processing Agreement requires additional, more stringent, or more protective obligations, the provisions of this Data Processing Agreement take precedence), all other provisions of the Services Agreement apply.

3. STATUS OF PARTIES. Service Provider is the Processor of Customer Data and Customer is the Controller of Customer Data under this Data Processing Agreement. Service Provider shall not assume any responsibility for determining the purposes for which Customer Data shall be processed.

4. SCOPE OF DATA PROCESSING. 

4.1. All Parties shall comply with their applicable obligations under Data Privacy Laws. 

4.2.  The subject-matter of the data processing to be carried out by the Service Provider is: Myndbend Process Manager for Zendesk or any other Services or applications that may be provided by Service Provider under the Services Agreement. 

4.3.  The duration of the data processing to be carried out by the Service Provider shall be for the Term stated in the Services Agreement. 

4.4.  The nature of the data processing to be carried out by the Service Provider is: Service Provider will be accessing Customer’s Zendesk instance via the Zendesk API for the purposes of providing the Services. 

4.5.  The purpose of the data processing is: Service Provider will be retrieving ticket data, and related user data, from Customer’s Zendesk instance in order to create new tickets and post updates to tickets. 

4.6.  The type of personal data involved in the data processing is: Service Provider retrieves the full ticket data from a specific ticket request which may include personal information stored in custom fields. However, Service Provider does not use or store such personal information. 

4.7.  The categories of Data Subjects involved in the data processing are: the Data Subjects will ultimately depend on data stored in Zendesk, provided, however, that the normally-expected Data Subjects would be Customer’s end-users and customers that create tickets within Customer’s Zendesk instance. 

5. PROCESSOR OBLIGATIONS. 

5.1. The Service Provider shall process Customer Data on behalf of Customer exclusively and only in accordance with the instructions received from Customer.

5.2. In the event Service Provider is required under any Applicable Law to process Customer Data in excess of Customer’s documented instructions, Service Provider shall immediately notify Customer of such a requirement, unless such Applicable Law prohibits such notification on important grounds of public interest.  

5.3. Service Provider will not perform their obligations under the Services Agreement and this Data Processing Agreement in such a way as to cause Customer to breach any obligation under applicable Data Privacy Laws.

5.4. Service Provider shall co-operate in good faith with any third party that Customer engages to provide services to Customer where the third party is required to access Customer Data.

5.5. Upon Customer’s request, the Service Provider will promptly co-operate with Customer to enable Customer to: (a) comply with all requests of access, rectification, and/or deletion of Customer Data arising from a Data Subject; (b) enforce rights of Data Subjects under the Data Privacy Law; and/or (c) comply with all requests from a supervisory authority, including but not limited to in the event of an investigation.

5.6. Service Provider shall provide all reasonable assistance to Customer where Customer carries out a data privacy impact assessment relating to Customer Data.

5.7. The Service Provider shall promptly notify Customer and shall respond without unreasonable delay to all inquiries from Customer regarding: 

(a) the Service Provider’s Processing of the Customer Data; 

(b) any request Service Provider receives from a Data Subject regarding that Data Subject’s Personal Data where it is Customer Data, provided, however, that the Service Provider shall obtain specific prior written consent and instructions from Customer prior to responding to the Data Subject;

(c) any request, complaint, or communication relating to Customer’s obligations under Data Privacy Laws (including from data protection authorities and/or supervisory authorities) provided, however, that the Service Provider shall obtain specific written consent and instructions from Customer prior to responding to such request, complaint, or communication.

5.8. Any data collected pursuant to data analytics or monitoring carried out by Service Provider in connection with the provision of the Services or otherwise connected with Customer’s use of the Services may include Personal Data, which Customer hereby authorizes Service Provider to use solely in accordance with carrying out its obligations under the Services Agreement or this Data Processing Agreement.

6. SCOPE MODIFICATIONS. 

6.1.  In the event that changes in Data Privacy Laws require modifications to the Services, the Parties shall use commercially reasonable efforts to comply with such requirements. If such changes in Data Privacy Laws require structural changes to the Services such that the provision of the Services would otherwise be in breach of such Data Privacy Laws unless such changes are performed, the Parties will discuss in good faith Service Provider’s ability to comply and will negotiate and revise the Services accordingly. 

6.2.  In the event that a Party’s compliance with Data Privacy Laws requires the imposition of certain additional contractual obligations under this Data Processing Agreement, such Party shall notify the other Party and both Parties shall in good faith seek to amend this Data Processing Agreement in order to address the requirements under Data Privacy Laws. 

6.3.  Customer shall notify Service Provider of any faults or irregularities in relation to this Data Processing Agreement that it detects in the provision of the Services. If the notification provided by Customer under this Section 6.3 necessitates a change of the Services, Service Provider shall use all commercially reasonable efforts to coordinate such changes with Customer before they are implemented. 

7. SECURITY MEASURES.

7.1.  The Service Provider shall take and implement appropriate technical and organizational security and confidentiality measures and regularly update them to ensure a level of security appropriate to the risk to Customer Data. Service Provider shall undertake commercially-reasonable efforts to protect Customer Data against any actual or threatened unauthorized use, modification, loss, compromise, destruction, or disclosure of, or access to, Customer Data (“Security Incident”). 

7.2.  Such measures implemented in Section 7.1 shall require the Service Provider to have regard to industry standards and costs of implementation as well as taking into account the nature, scope, context, and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals. 

7.3.  The Parties agree and acknowledge that Customer is relying upon Service Provider’s skill and knowledge in order to assess what is “appropriate” to protect Customer Data against unauthorized or unlawful processing and against including, but not limited to, accidental loss, destruction, damage, alteration, or disclosure. 

7.4.  The Service Provider shall implement and maintain policies and procedures to detect and respond to Security Incidents. 

7.5.  The Service Provider shall protect all Customer Data that is likely to be transferred via the Internet by encryption measures reasonably designed to ensure confidentiality. 

8. CONFIDENTIALITY. 

8.1. Service Provider represents and warrants that: 

(a) all persons who have access to Customer Data shall maintain its confidentiality and keep current with any special data protection, data security, and confidentiality requirements arising from the Services Agreement or this Data Processing Agreement. Service Provider shall furthermore require their employees and contractors to adhere to the confidentiality obligations set out in the Services Agreement and shall document such employees’ and contractors’ obligation in writing; and 

(b) all persons involved in the processing of Customer Data shall, no less than once annually, and prior to exposure to Personal Data, attend adequate training in the care, protection, and handling of Personal Data. 

8.2. Service Provider shall require that the obligation of confidentiality on the respective persons shall continue beyond, and survive termination or expiration of, the Services Agreement or this Data Processing Agreement. Service Provider shall require that the obligation of confidentiality shall continue after the employment or contractual relationships with the respective person ends. 

8.3. Service Provider shall keep Customer Data logically separate, with adequate logical separate security controls, from other data and information held by Service Provider. 

8.4. The Service Provider shall, without undue delay, notify Customer in writing of any request received from a third party public authority including a law enforcement agency or government agency for disclosure of the Customer Data unless otherwise legally prohibited (such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation). Such notification shall set out (a) the scope of the request, (b) the reason for the request, and (c) the form of the disclosure requested, in so far as Service Provider are able to describe such aspects. Where Service Provider is legally prohibited from notifying Customer, Service Provider shall use reasonable efforts to request the third party public authority to direct the request directly to Customer. Unless prohibited by law, Service Provider shall not respond to a request received under this Section 8.4 unless and until it receives written instructions from Customer. 

9. SECURITY INCIDENT NOTIFICATION OBLIGATIONS. 

9.1. In the event of a Security Incident arising during the performance of the Services by the Service Provider, the Service Provider shall, at its own cost: 

(a) notify Customer about the Security Incident without undue delay and at least within forty- eight (48) hours of Service Provider becoming aware of the Security Incident; 

(b) as part of the notification under Section 9.1(a) provide a description of the Security Incident including the nature of the Security Incident; 

(c) promptly begin a full investigation into the circumstances surrounding the Security Incident; 

(d) after investigating the causes of such Security Incident, take such actions as may be necessary or reasonably expected by Customer to minimize the effects of the Security Incident; and 

(e) take all actions as may be required by Data Privacy Laws; 

9.2. Service Provider shall make any information referred to under Section 9.1 available to Customer on request. All such information shall be considered the Confidential Information of Service Provider. 

9.3.  In the event of a Security Incident, each Party shall use all reasonable efforts in good faith to mitigate any reputational and brand damage to the other affected Party. 

9.4.  Subject to Applicable Law, Service Provider will promptly notify Customer in writing if any Customer Data stored or maintained by Service Provider are at risk due to third-party actions (such as attachment or seizure), due to insolvency proceedings or other occurrences. In such cases, subject to Applicable Law, Service Provider will also inform creditors without delay of the fact that the assets in question are the property of Customer and consist of Customer Data that are processed on behalf of Customer. 

10. INTERNATIONAL DATA TRANSFERS. Service Provider shall process Customer Data solely on servers belonging to Service Provider in the United States of America. Except as set out under this Data Processing Agreement or as authorized by Customer in writing, Service Provider shall not transfer or make Customer Data available or accessible in any other jurisdiction or to any other party. 

11. RETURN AND DESTRUCTION. 

11.1.  Without prejudice to any obligations under this Section 11, following termination or expiration of the Services Agreement for whatever reason, Service Provider shall cease processing Customer Data and shall require that all Subprocessors cease processing Customer Data. 

11.2.  Upon termination or expiration of the Services Agreement for whatever reason, Service Provider shall: (a) provide Customer with the opportunity to retrieve Customer Data; and/or (b) provide Customer on request with Customer Data including all copies and back-ups. 

11.3.  Following termination or expiration of the Services Agreement for whatever reason and having received written confirmation from Customer, Service Provider shall securely, irrevocably, and/or irretrievably sanitize the Customer Data in accordance with Appendix A of the National Institute of Science and Technology Special Publication 800-88, and Service Provider shall certify to Customer, in writing, that Service Provider has complied with their obligations to delete Customer Data especially from all production, testing, development, and backup systems and media. 

11.4.  To the extent feasible, Service Provider shall archive documentation that is evidence of proper Customer Data processing beyond termination or expiration of the Services Agreement and continuing for any period of time in which Service Provider retains Customer Data. 

11.5.  For the avoidance of doubt, Service Provider may retain Customer Data where strictly required to store such data under Applicable Law. 

12. TERMINATION. The rights of termination for cause as set out in the Services Agreement remain unaffected. The termination or expiration of the Services Agreement for any reason shall cause termination of this Data Processing Agreement. 

13. MISCELLANEOUS. 

13.1.  Amendment. This Data Processing Agreement may not be amended or modified except in writing signed by authorized representatives of both Parties. 

13.2.  Severability. If any provision in this Data Processing Agreement is determined to be ineffective or void by any court or body of competent jurisdiction or by virtue of any legislation to which it is subject, it shall be ineffective or void to that extent only and the validity and enforceability of the remaining provisions of the Data Processing Agreement and the Services Agreement shall not be affected. The Parties shall promptly and in good faith replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. The Parties shall similarly promptly and in good faith add any necessary appropriate provision where such a provision is found to be missing by any court or body of competent jurisdiction or by virtue of any legislation to which this Data Processing Agreement is subject. 

13.3.  Governing Law. Notwithstanding anything to the contrary in the Services Agreement, this Data Processing Agreement shall be governed by and construed in accordance with the national law that applies to the Service Provider. 

13.4.  Headings. The headings in this Data Processing Agreement are for reference only and shall not affect the interpretation of this Data Processing Agreement.

Exhibit 1 

Oomnitza SAAS Services Agreement 

This SaaS Subscription Agreement is between Oomnitza, Inc., a Delaware corporation with its principal place of business at 548 Market Street, PMB 18912, San Francisco, CA 94104-5401 (“Oomnitza”) and the Subscriber set forth on the Order Form to which this Agreement is attached or incorporated. This Agreement is effective as of the execution of the Order Form (the “Effective Date”).  The parties agree as follows:

1. DEFINITIONS

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Agreement” means this SaaS Services Agreement and any exhibits, schedules and addenda hereto.

“Customer” means the customer named above together with its Affiliates (for so long as they remain Affiliates) which have entered into an Order Form.

“Customer Data” means electronic data and information submitted by or for Customer to the Services, excluding Third-Party Services.

“Customer Materials” means materials and resources that Customer makes available to Oomnitza in connection with Professional Services.

“Documentation” means all specifications, user manuals, and other materials relating to the Services and provided or made available by Oomnitza to Customer, as may be modified by Oomnitza from time to time.

“Malicious Code” means code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and Trojan horses.

“Third Party Service” means Web-based, mobile, offline or other software functionality that interoperates with a Service, that is provided by Customer or a third party. Third-Party Services, other than those obtained or provided by Customer, will be identifiable as such.

“Order Form” means the agreement, service order, or similar ordering document issued by Zendesk to Customer specifying the Services and/or Professional Services to be provided to Customer by Oomnitza hereunder and the Services subscription information, payment terms, and subscription term. By entering into an Order Form hereunder, an Affiliate agrees to be bound by the terms of this Agreement as if it were an original party hereto.

“Professional Services” means training, migration or other professional services that Oomnitza furnishes to Customer related to the Services.

“Services” means the products and services that are ordered by Customer under an Order Form and made available online by Oomnitza, including associated Oomnitza offline or mobile components, as described in the Documentation. “Services” exclude Professional Services and Third-Party Services.

“Statement of Work” means a statement of work for Professional Services that is executed by the parties and references this Agreement.

“User” means an individual who is authorized by Customer to use a Service, for whom Customer has purchased a subscription, and to whom Customer (or, when applicable, Oomnitza at Customer’s request) has supplied a user identification and password (for Services utilizing authentication). Users may include, for example, employees, consultants, contractors and agents of Customer, and third parties with which Customer transacts business.

“Zendesk” means Zendesk, Inc., and its applicable Affiliates, that will process billing for the Services ordered by Customer from Oomnitza under this Agreement pursuant to the Order Form.

2. OOMNITZA RESPONSIBILITIES

   1. Provision of Services. Oomnitza will (a) make the Services available to Customer pursuant to this Agreement, and the applicable Documentation, (b) provide applicable Oomnitza support for the Services as set forth in Attachment 2, (c) ensure the  Services achieve a monthly availability percentage of at least 99.9% in any calendar month (i.e., max forty-three (43) minutes downtime per month) during the term except for: (i) planned downtime (of which Oomnitza shall give at least seven (7) days’ advance electronic notice and shall be limited to under four (4) hours in a given month), and (ii) any unavailability caused by circumstances beyond Oomnitza’s reasonable control, including, for example, an act of God, act of government, flood, fire, earthquake, civil unrest, act of terror, strike or other labor problem (other than one involving Oomnitza employees), Internet service provider failure or delay, Third-Party Service, or denial of service attack, and (d) provide the Services in accordance with laws and government regulations applicable to Oomnitza’s provision of its Services to its customers generally (i.e., without regard for Customer’s particular use of the Services), and subject to Customer’s and Users’ use of the Services in accordance with this Agreement and the Documentation.
   2. Protection of Customer Data. Oomnitza will maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data, as described in the Documentation. Those safeguards will include, but will not be limited to, measures designed to prevent unauthorized access to or disclosure of Customer Data (other than by Customer or Users). The terms of the data processing addendum (“DPA”) is attached as Attachment 1. To the extent Personal Data from the European Economic Area (EEA), the United Kingdom and Switzerland are processed by Oomnitza, the Standard Contractual Clauses shall apply, as further set forth in the DPA. For the purposes of the Standard Contractual Clauses, Customer and its applicable Affiliates are each the data exporter, and Customer's acceptance of this Agreement, and an applicable Affiliate's execution of an Order Form, shall be treated as its execution of the Standard Contractual Clauses and Appendices. Upon request by Customer made within 30 days after the effective date of termination or expiration of this Agreement, Oomnitza will make Customer Data available to Customer for export or download as provided in the Documentation. After such 30-day period, Oomnitza will have no obligation to maintain or provide any Customer Data, and as provided in the Documentation will thereafter delete or destroy all copies of Customer Data in its systems or otherwise in its possession or control, unless legally prohibited.
   3. Oomnitza Personnel. Oomnitza will be responsible for the performance of its personnel (including its employees and contractors) and their compliance with Oomnitza’s obligations under this Agreement, except as otherwise specified in this Agreement.
   4. Beta Services. From time to time, Oomnitza may make Oomnitza services or functionality available to Customer to try at its option at no additional charge which is clearly designated as beta, pilot, limited release, developer preview, non-production, evaluation, or by a similar description. Customer may choose to try such services or functionality or not in its sole discretion. Customer acknowledges and agrees that such services and functionality are offered solely for experimental purposes and without any warranty or indemnity of any kind, and Oomnitza may modify or discontinue such services or functionality at any time in its sole discretion.

   5. Professional Services. Oomnitza will perform Professional Services as described in a Statement of Work, which may identify additional terms or milestones for the Professional Services. Customer will give Oomnitza timely access to Customer Materials reasonably needed for Professional Services, and Oomnitza will use the Customer Materials only for purposes of providing Professional Services. Subject to any limits in an Order or Statement of Work, Customer will reimburse Oomnitza’s reasonable travel and lodging expenses incurred in providing Professional Services. Customer may use code or other deliverables that Oomnitza furnishes as part of Professional Services only in connection with Customer’s authorized use of the Service under this Agreement.

3. USE OF SERVICES

   1. Subscriptions. Unless otherwise provided in the applicable Order Form or Documentation, Services are purchased as subscriptions for the term stated in the applicable Order Form, Customer agrees that its purchases are not contingent on the delivery of any future functionality or features, or dependent on any oral or written public comments made by Oomnitza regarding future functionality or features.
   2. Usage Limits. Services are subject to usage limits specified in Order Forms and Documentation. If Customer exceeds a contractual usage limit, Oomnitza may work with Customer to seek to reduce Customer’s usage so that it conforms to that limit. If, notwithstanding Oomnitza’s efforts, Customer is unable or unwilling to abide by a contractual usage limit, Customer will execute an Order Form for additional quantities of the applicable Services promptly upon Oomnitza’s request, and/or pay any invoice for excess usage in accordance with the “Invoicing and Payment” section below.
   3. Customer Responsibilities. Customer will (a) be responsible for Users’ compliance with this Agreement and the Documentation, (b) be responsible for the accuracy, quality and legality of Customer Data, the means by which Customer acquired Customer Data, Customer’s use of Customer Data with the Services, and the interoperation of any Third-Party Services with which Customer uses Services, (c) use commercially reasonable efforts to prevent unauthorized access to or use of Services, and notify Oomnitza promptly of any such unauthorized access or use, (d) use Services only in accordance with this Agreement, Documentation, and applicable laws and government regulations, and (e) comply with terms of service of any Third-Party Services with which Customer uses Services. Any use of the Services in breach of the foregoing by Customer or Users that in Oomnitza’s judgment threatens the security, integrity or availability of Oomnitza’s services, may result in Oomnitza’s immediate suspension of the Services, however Oomnitza will use commercially reasonable efforts under the circumstances to provide Customer with notice and an opportunity to remedy such violation or threat prior to any such suspension.
   4. Usage Restrictions. Customer will not (a) make any Service available to anyone other than Customer or Users, or use any Service for the benefit of anyone other than Customer or its Affiliates, unless expressly stated otherwise in the Documentation, (b) sell, resell, license, sublicense, distribute, rent or lease any Service, or include any Service in a service bureau or outsourcing offering, (c) use a Service or Third-Party Service to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights, (d) use a Service or Third-Party Service to store or transmit Malicious Code, (e) interfere with or disrupt the integrity or performance of any Service or third-party data contained therein, (f) attempt to gain unauthorized access to any Service or its related systems or networks, (g) permit direct or indirect access to or use of any Services in a way that circumvents a contractual usage limit, or use any Services to access, copy or use any of Oomnitza intellectual property except as permitted under this Agreement or the Documentation, (h) modify, copy, or create derivative works of a Service or any part, feature, function or user interface thereof, (i) frame or mirror any part of any Service, other than framing on Customer's own intranets or otherwise for its own internal business purposes or as permitted in the Documentation, (j) except to the extent permitted by applicable law, disassemble, reverse engineer, or decompile a Service or access it to (1) build a competitive product or service, (2) build a product or service using similar ideas, features, functions or graphics of the Service, (3) copy any ideas, features, functions or graphics of the Service, or (4) determine whether the Services are within the scope of any patent.
   5. Removal of Third-Party Services. If Customer receives notice, including from Oomnitza, that a Third-Party Service may no longer be used or must be removed, modified and/or disabled to avoid violating applicable law, third-party rights, or the Acceptable Use and External Facing Services Policy, Customer will promptly do so. If Customer does not take required action in accordance with the above, or if in Oomnitza’s judgment continued violation is likely to reoccur, Oomnitza may disable the applicable Service and/or Third-Party Service. If requested by Oomnitza, Customer shall confirm deletion and discontinuance of use of such Third-Party Service in writing and Oomnitza shall be authorized to provide a copy of such confirmation to any such third-party claimant or governmental authority, as applicable.

4. THIRD-PARTY PRODUCTS AND SERVICES

   1. Third-Party Products and Services. Oomnitza or third parties may make available third-party products or services, including, for example, Third-Party Services and implementation and other consulting services. Any acquisition by Customer of such products or services, and any exchange of data between Customer and any third-party provider, product or service is solely between Customer and the applicable third-party provider. Oomnitza does not warrant or support Third-Party Services or other third-party products or services, whether or not they are designated by Oomnitza as “certified” or otherwise. Oomnitza is not responsible for any disclosure, modification or deletion of Customer Data resulting from access by such Third-Party Service or its provider.
   2. Integration with Third-Party Services. The Services may contain features designed to interoperate with Third-Party Services. Oomnitza cannot guarantee the continued availability of such Service features and may cease providing them without entitling Customer to any refund, credit, or other compensation, if for example and without limitation, the provider of a Third-Party Service ceases to make the Third-Party Service available for interoperation with the corresponding Service features in a manner acceptable to Oomnitza.

5. FEES AND PAYMENT

   1. Fees. Customer will pay all fees specified in the Order Form. Except as otherwise specified herein, (i) fees are based on Services subscriptions purchased and not actual usage, (ii) payment obligations are non-cancelable and fees paid are non-refundable, and (iii) quantities purchased cannot be decreased during the relevant subscription term.
   2. Invoicing and Payment. Zendesk, as the billing agent, will invoice Customer in accordance with the payment terms specified in the relevant Order Form. Customer is responsible for providing complete and accurate billing and contact information to Zendesk and notifying Zendesk of any changes to such information.
   3.  
   4.  
   5. Suspension of Service and Acceleration. If any charge owing by Customer under this or any other agreement for services is 30 days or more overdue, Oomnitza may, without limiting its other rights and remedies, suspend Services until such amounts are paid in full, provided that, Oomnitza will give Customer at least 10 days’ prior notice that its account is overdue before suspending services to Customer.
   6. Payment Disputes. Oomnitza will not exercise its rights under “Suspension of Service and Acceleration” section above if Customer is disputing the applicable charges reasonably and in good faith and is cooperating diligently to resolve the dispute.
   7.  

6. PROPRIETARY RIGHTS AND LICENSES

   1. Reservation of Rights. Subject to the limited rights expressly granted hereunder, Oomnitza, its Affiliates, its licensors reserve all of their right, title and interest in and to the Services, including all of their related intellectual property rights. No rights are granted to Customer hereunder other than as expressly set forth herein.
   2. License by Customer to Oomnitza. Customer grants Oomnitza, its Affiliates and applicable contractors a worldwide, limited-term license to host, copy, use, transmit, and display any Third-Party Services and program code created by or for Customer using a Service or for use by Customer with the Services, and Customer Data, each as appropriate for Oomnitza to provide and ensure proper operation of the Services and Professional Services, and associated systems in accordance with this Agreement. If Customer chooses to use a Third-Party Service with a Service, Customer grants Oomnitza permission to allow the Third-Party Service and its provider to access Customer Data and information about Customer’s usage of the Third-Party Service as appropriate for the interoperation of that Third-Party Service with the Service. Subject to the limited licenses granted herein, Oomnitza acquires no right, title or interest from Customer or its licensors under this Agreement in or to any Customer Data, Third-Party Service or such program code.
   3. License by Customer to Use Feedback. Customer grants to Oomnitza and its Affiliates a worldwide, perpetual, irrevocable, royalty-free license to use, distribute, disclose, and make and incorporate into its services any suggestion, enhancement request, recommendation, correction or other feedback provided by Customer or Users relating to the operation of Oomnitza’s or its Affiliates’ services.
   4. Federal Government End Use Provisions. Oomnitza provides the Services, including related software and technology, for ultimate federal government end use in accordance with the following: The Services consist of “commercial items,” as defined at FAR 2.101. In accordance with FAR 12.211-12.212 and DFARS 227.7102-4 and 227.7202-4, as applicable, the rights of the

U.S. Government to use, modify, reproduce, release, perform, display, or disclose commercial computer software, commercial computer software documentation, and technical data furnished in connection with the Services shall be as provided in this Agreement, except that, for U.S. Department of Defense end users, technical data customarily provided to the public is furnished in accordance with DFARS 252.227-7015. If a government agency needs additional rights, it must negotiate a mutually acceptable written addendum to this Agreement specifically granting those rights.

7. CONFIDENTIALITY

   1. Definition of Confidential Information. “Confidential Information” means all information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information of Customer includes Customer Data; Confidential Information of Oomnitza includes the Services, and the terms and conditions of this Agreement. Confidential Information of each party includes business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party. However, Confidential Information does not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without knowledge of any breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party. For the avoidance of doubt, the non-disclosure obligations set forth in this “Confidentiality” section apply to Confidential Information exchanged between the parties in connection with the evaluation of additional Oomnitza services.
   2. Protection of Confidential Information. As between the parties, each party retains all ownership rights in and to its Confidential Information. The Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care) to (i) not use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement and (ii) except as otherwise authorized by the Disclosing Party in writing, limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees and contractors who need that access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections not materially less protective of the Confidential Information than those herein. Neither party will disclose the terms of this Agreement to any third party other than to Zendesk, as necessary to serve as the billing agent for the Services ordered hereunder, its Affiliates, legal counsel and accountants without the other party’s prior written consent, provided that a party that makes any such disclosure to its Affiliate, legal counsel or accountants will remain responsible for such Affiliate’s, legal counsel’s or accountant’s compliance with this “Confidentiality” section. Notwithstanding the foregoing, Oomnitza may disclose the terms of this Agreement and any applicable Order Form to a contractor or Third-Party Service Provider to the extent necessary to perform Oomnitza’s obligations under this Agreement, under terms of confidentiality materially as protective as set forth herein.
   3. Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to that Confidential Information.

8. REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES AND DISCLAIMERS

   1. Representations. Each party represents that it has validly entered into this Agreement and has the legal power to do so.
   2. Oomnitza Warranties and Remedies. Oomnitza warrants that during an applicable subscription term (a) this Agreement and the Documentation will accurately describe the applicable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data, (b) Oomnitza will not materially decrease the overall security of the Services, (c) the Services will perform materially in accordance with the applicable Documentation, (d) subject to the “Integration with Third-Party Services” section above, Oomnitza will not materially decrease the overall functionality of the Services, and Oomnitza will provide Customer with at least six (6) months advance notice of any feature end of life or deprecation, and (e) any Professional Services will be provided in a professional and workmanlike manner. Oomnitza will use reasonable efforts to correct a verified breach of these warranties reported by Customer. If Oomnitza fails to do so within 30 days after Customer's warranty report, then either party may terminate the Order as relates to the non-conforming Service or Professional Services. These procedures are Customer’s exclusive remedies and Oomnitza’s sole liability for breach of these warranties.
   3. Disclaimers. EXCEPT AS EXPRESSLY PROVIDED HEREIN, NEITHER PARTY MAKES ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. SERVICES PROVIDED FREE OF CHARGE AND BETA SERVICES ARE PROVIDED “AS IS,” AND AS AVAILABLE EXCLUSIVE OF ANY WARRANTY WHATSOEVER.

9. MUTUAL INDEMNIFICATION

   1. Indemnification by Oomnitza. Oomnitza will defend Customer against any claim, demand, suit or proceeding made or brought against Customer by a third party alleging that any Service infringes or misappropriates such third party’s intellectual property rights (each a “Claim Against Customer”), and will indemnify Customer from any damages, attorney fees and costs finally awarded against Customer as a result of, or for amounts paid by Customer under a settlement approved by Oomnitza in writing of, a Claim Against Customer, provided Customer (a) promptly gives Oomnitza written notice of the Claim Against Customer, (b) gives Oomnitza sole control of the defense and settlement of the Claim Against Customer (except that Oomnitza may not settle any Claim Against Customer unless it unconditionally releases Customer of all liability), and (c) gives Oomnitza all reasonable assistance, at Oomnitza’s expense. If Oomnitza receives information about an infringement or misappropriation claim related to a Service, Oomnitza may in its discretion and at no cost to Customer (i) modify the Services so that they are no longer claimed to infringe or misappropriate, without breaching Oomnitza’s warranties under “Oomnitza Warranties” above, (ii) obtain a license for Customer’s continued use of that Service in accordance with this Agreement, or (iii) terminate Customer’s subscriptions for that Service upon 30 days’ written notice. The above defense and indemnification obligations do not apply if (I) the allegation does not state with specificity that the Services are the basis of the Claim Against Customer; (II) a Claim Against Customer arises from the use or combination of the Services or any part thereof with software, hardware, data, or processes not provided by Oomnitza, if the Services or use thereof would not infringe without such combination; (III) a Claim Against Customer arises from Services under an Order Form for which there is no charge; or (IV) a Claim against Customer arises from a Third-Party Service or Customer’s breach of this Agreement, the Documentation or applicable Order Forms.
   2. Indemnification by Customer. Customer will defend Oomnitza and its Affiliates against any claim, demand, suit or proceeding made or brought against Oomnitza by a third party (a) alleging that the combination of a Third-Party Service or configuration provided by Customer and used with the Services, infringes or misappropriates such third party’s intellectual property rights, or (b) arising from (i) Customer’s use of the Services in an unlawful manner or in violation of the Agreement or the Documentation, (ii) any Customer Data or Customer’s use of Customer Data with the Services, or (iii) a Third-Party Service provided by Customer (each a “Claim Against Oomnitza”), and will indemnify Oomnitza from any damages, attorney fees and costs finally awarded against Oomnitza as a result of, or for any amounts paid by Oomnitza under a settlement approved by Customer in writing of, a Claim Against Oomnitza, provided Oomnitza (A) promptly gives Customer written notice of the Claim Against Oomnitza, (B) gives Customer sole control of the defense and settlement of the Claim Against Oomnitza (except that Customer may not settle any Claim Against Oomnitza unless it unconditionally releases Oomnitza of all liability), and (C) gives Customer all reasonable assistance, at Customer’s expense. The above defense and indemnification obligations do not apply if a Claim Against Oomnitza arises from Oomnitza’s breach of this Agreement or the Documentation.
   3. Exclusive Remedy. This “Mutual Indemnification” section states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any third-party claim described in this section.

10. LIMITATION OF LIABILITY

    1. Limitation of Liability. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EACH PARTY TOGETHER WITH ALL OF ITS AFFILIATES ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER AND ITS AFFILIATES HEREUNDER FOR THE SERVICES GIVING RISE TO THE LIABILITY IN THE TWELVE MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY BUT WILL NOT LIMIT CUSTOMER'S AND ITS AFFILIATES’ PAYMENT OBLIGATIONS UNDER THE “FEES AND PAYMENT” SECTION ABOVE.
    2. Exclusion of Consequential and Related Damages. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR ANY LOST PROFITS, REVENUES, GOODWILL, OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, BUSINESS INTERRUPTION OR PUNITIVE DAMAGES, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY’S OR ITS AFFILIATES’ REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW.

11. TERM AND TERMINATION

    1. Term of Agreement. This Agreement commences on the date Customer first accepts it and continues until all subscriptions hereunder have expired or have been terminated.
    2. Term of Subscriptions. The term of each subscription shall be as specified in the applicable Order Form. Except as otherwise specified in an Order Form, subscriptions will automatically renew for additional one-year terms, unless either party gives the other written notice (email acceptable) at least 30 days before the end of the relevant subscription term. Notwithstanding anything to the contrary, any renewal in which subscription volume or subscription length for any Services has decreased from the prior term will result in re-pricing at renewal without regard to the prior term’s per-unit pricing.
    3. Termination. A party may terminate this Agreement for cause (i) upon 30 days written notice to the other party of a material breach if such breach remains uncured at the expiration of such period, or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.
    4. Payment upon Termination. If this Agreement is terminated by Oomnitza in accordance with the “Termination” section above, Customer will pay any unpaid fees covering the remainder of the term of all Order Forms to the extent permitted by applicable law. In no event will termination relieve Customer of its obligation to pay any fees payable to Oomnitza for the period prior to the effective date of termination.
    5. Surviving Provisions. The sections titled “Fees and Payment,” “Proprietary Rights and Licenses,” “Confidentiality,” “Disclaimers,” “Mutual Indemnification,” “Limitation of Liability,” “Payment upon Termination,” “Removal of Third-Party Services,” “Surviving Provisions” and “General Provisions” will survive any termination or expiration of this Agreement, and the section titled “Protection of Customer Data” will survive any termination or expiration of this Agreement for so long as Oomnitza retains possession of Customer Data.

12. GENERAL PROVISIONS

    1. Export Compliance. The Services, other Oomnitza technology, and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Oomnitza and Customer each represents that it is not on any U.S. government denied-party list. Customer will not permit any User to access or use any Service in a U.S.-embargoed country or region (currently the Crimea, Luhansk or Donetsk regions, Cuba, Iran, North Korea, Sudan or Syria) or in violation of any U.S. export law or regulation.
    2. Anti-Corruption. Neither party has received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from an employee or agent of the other party in connection with this Agreement. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction.
    3. Entire Agreement and Order of Precedence. This Agreement is the entire agreement between Oomnitza and Customer regarding Customer’s use of Services and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. The parties agree that any term or condition stated in a Customer purchase order or in any other Customer order documentation is void. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) this Agreement and (2) the Documentation. Titles and headings of sections of this Agreement are for convenience only and shall not affect the construction of any provision of this Agreement.
    4. Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. Each party will be solely responsible for payment of all compensation owed to its employees, as well as all employment-related taxes.
    5. Third-Party Beneficiaries. There are no third-party beneficiaries under this Agreement.
    6. Waiver. No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right.
    7. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this Agreement will remain in effect.
    8. Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other party’s prior written consent (not to be unreasonably withheld); provided, however, either party may assign this Agreement in its entirety, without the other party’s consent to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Notwithstanding the foregoing, if a party is acquired by, sells substantially all of its assets to, or undergoes a change of control in favor of, a direct competitor of the other party, then such other party may terminate this Agreement upon written notice. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their respective successors and permitted assigns.
    9. Notices. Except as otherwise specified in this Agreement, all notices related to this Agreement will be in writing and will be effective upon (a) personal delivery, (b) the second business day after mailing, or (c) except for notices of termination or an indemnifiable claim (“Legal Notices”), the day of sending by email. Notices to Oomnitza will be addressed to the attention of legal@oomnitza.com, with a copy to Oomnitza’s legal department, at Oomnitza, Inc., at the address set forth above; or as updated by Oomnitza via written notice to Customer. Billing-related notices to Customer will be addressed to the relevant billing contact designated by Customer, and Legal Notices to Customer will be addressed to Customer and be clearly identifiable as Legal Notices. All other notices to Customer will be addressed to the relevant Services system administrator designated by Customer.
    10. Governing Law. This Agreement, and any disputes arising out of or related hereto, will be governed exclusively by the internal laws of the State of California, without regard to its conflicts of laws rules or the United Nations Convention on the International Sale of Goods.
    11. Venue. The state and federal courts located in San Francisco County, California will have exclusive jurisdiction over any dispute relating to this Agreement, and each party consents to the exclusive jurisdiction of those courts.  
    12. Counterparts. This Agreement may be executed electronically and in counterparts.

Attachment 1 – Oomnitza Data Processing Addendum

Oomnitza, Inc., a Delaware corporation with a principal place of business located at 548 Market Street, PMB 18912, San Francisco, CA 94104-5401 (“Company”) and Customer enter into this Data Processing Addendum (including the Exhibits attached hereto, together “DPA”) as of the date the Agreement is executed. This DPA forms part of the SaaS Services Agreement between Company and Customer for the purchase of online services from Company (identified as the “Services” in the applicable agreement, and hereinafter defined as “Services”) (the “Agreement”) which involves the Processing of Personal Data subject to Applicable Data Protection Laws (each as defined below). The purpose of this DPA is to set forth the terms under which Company Processes Personal Data on behalf of Customer.

This DPA consists of the main body and Exhibits A and B.

1. Definitions. Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement. The terms controller, data subject, processor and supervisory authority have the meanings set forth in the Applicable Data Protection Laws.

1. 1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
   2. “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Personal Data under the Agreement, including, without limitation, European Data Protection Laws, UK GDPR and the United States including the CCPA.
   3. “CCPA” means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time, including the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.
   4. “EEA” means the European Economic Area.
   5. “European Data Protection Laws” means the GDPR and other data protection laws and regulations of the EEA and European Union, and the Member States of each of the foregoing, to the extent applicable to the Processing of Personal Data under the Agreement.
   6. "EU – US Data Privacy Framework” or “EU/US DPF” means the Commission Implementing Decision dated July 10, 2023, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework.
   7. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) which includes the EU/US DPF.
   8. “Information Security Incident” means a confirmed breach of Company’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Company’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
   9. “Personal Data” means Customer Data that constitutes “personal data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Laws, or information of a similar character regulated thereby,” provided that such data is electronic data and information submitted by or for Customer to the Services.
   10. “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
   11. “Public Authority” means a government agency or law enforcement authority, including judicial authorities.
   12. “Security Measures” are Company’s security measures implemented and maintained as administrative, technical and physical safeguards designed to protect the security and integrity of Personal Data and prevent Information Security Incidents, further described in Exhibit A hereto.
   13. “Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, currently located here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj and as amended from time to time due to changes in Applicable Data Protection Law.
   14. “Subprocessors” or “Sub-processor” means any third-party processor that Company engages to Process Personal Data in relation to the Services. 
   15. “UK GDPR” means the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 ("UK GDPR") and the Data Protection Act 2019. 
   16. "US Data Privacy Framework” or “US DPF” collectively means the E.U.-US Privacy Shield as replaced by the Data Privacy Frameworks operated by the U.S. Department of Commerce.

2. Duration and Scope of DPA. This DPA will remain in effect so long as Company Processes Personal Data, notwithstanding the expiration or termination of the Agreement. Exhibit B to this DPA applies solely to Processing subject to the CCPA to the extent Customer is a “business” (as defined in CCPA) with respect to such Processing.
3. Customer Instructions. Company will Process Personal Data only in accordance with Customer’s instructions to Company. This DPA is a complete expression of such instructions, and Customer’s additional instructions will be binding on Company only pursuant to an amendment to this DPA signed by both parties. Customer instructs Company to Process Personal Data via the Services and as authorized by the Agreement. Company shall inform Customer immediately: (a) if, in its opinion, an instruction from Customer constitutes a breach of any Applicable Data Protection Laws; (b) if Company is unable to follow Customer’s instructions for the Processing of Personal Data; or (c) if Company has reason to believe that Company is subject to changes in Applicable Data Protection Laws contrary to any Customer instructions or terms or requirements of this DPA.
4. Security of Personal Data.

1. Company Security Measures. Company may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data.
2. Information Security Incidents. Company will notify Customer without undue delay of any Information Security Incident of which Company becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Company recommends the Customer take to address the Information Security Incident. Company’s notification of or response to an Information Security Incident will not be construed as Company’s acknowledgement of any fault or liability with respect to the Information Security Incident.
3. Audits of Compliance DPIAs. Customer uses external auditors to verify the adequacy of its security measures, including the security of the physical facilities from which Customer provides the Services. This audit: (i) will be performed at least annually; (ii) will be performed by independent third-party security professionals at Company’s selection and expense; and (iii) will result in the generation of a SOC 2 audit report (“Audit Report”), which will be Company’s Confidential Information. At Customer’s written request, and provided that the parties have applicable confidentiality terms in place, Company will provide Customer with a copy of the Audit Report so that Customer can verify Company’s compliance with its obligations under this DPA. Customer agrees that the Audit Report, together with any third-party certification maintained by Company, will be used to satisfy any audit or inspection requests by or on behalf of Customer and to demonstrate compliance with this DPA (including the SCCs, where applicable). 
4. Data Protection Impact Assessments (DPIAs). Upon Customer’s written request, Company will provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Company.

5. Customer’s Responsibilities.

1. Customer Obligations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any data subject, including those that have opted out from sales or other disclosures of personal data to the extent applicable under Applicable Data Protection Laws. Without limitation of Customer’s obligations under the Agreement, Customer: (a) agrees that Customer is solely responsible for its use of the Services, including (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data, (2) securing the account authentication credentials, systems and devices Customer uses to access the Services, (3) securing Customer’s systems and devices that Company uses to provide the Services, and (4) backing up Personal Data; and (b) has given all notices to, and has obtained all consents from, including where the Customer is a processor by ensuring that the ultimate controller does so, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for Company to Process Personal Data as contemplated by the Agreement.
2. Prohibited Data. Customer represents and warrants to Company that Customer Data does not and will not, without Company’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 16 years of age; or any information that falls within any special categories of data (as defined in GDPR).

6. Compliance with Laws & Data Subject Rights.

1. Compliance with Laws. Each party will comply with all Applicable Data Protection Laws. In particular, Customer will comply with its obligations as controller (or on behalf of controller) and Company will comply with its obligations as processor.
2. Personal Data Disclosures & Government Requests. Company will not disclose Personal Data to any third party, including any Public Authority, except: (i) as otherwise permitted under the Agreement including this DPA; or (ii) as necessary to comply with Applicable Data Protection Laws including with respect to any valid and/or binding Public Authority court order (e.g., a law enforcement subpoena). If Company receives a binding order from a Public Authority requesting access to or disclosure of Personal Data, Company will notify Customer of the request unless otherwise legally prohibited.
3. Data Subject Request Assistance. Company will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in Company’s possession or control. Where permitted under Applicable Data Protection Laws, Customer will compensate Company for any such assistance at Company’s then-current professional services rates, which will be made available to Customer upon request. 
4. Customer’s Responsibility for Requests. Company will not respond to a Data Subject Request itself, except where Customer authorizes Company to redirect the Data Subject Request as necessary to allow Customer to respond directly. If Company receives a Data Subject Request, Company will advise the data subject to submit the request to Customer and Customer will be responsible for responding to the request.

7. EU/US DPF; UK, Switzerland, Changes in Laws.
   1. EU/US DPF. As of the Effective Date, Company is registered with the United States for, and complies with, the EU/US DPF (see Company’s certification is located here: https://www.dataprivacyframework.gov/list). Customer may transfer Personal Data to Company, provided during the Term of this DPA Company: (i) maintains compliance with the EU/US DPF and US DPF; and (ii) will promptly notify Customer if at any time Company ceases to be EU/US DPF certified. If Company no longer complies with the EU/US DPF and/or the US DPF, or if changes in Applicable Law renders the EU/US DPF invalid, the parties agree to implement an alternative lawful transfer mechanism (e.g., the Standard Contractual Clauses) and if the parties cannot agree on such alternative mechanism, Customer may terminate this DPA.
   2. The United Kingdom, Switzerland. The United Kingdom and Switzerland each adopted the EU/US DPF; therefore, for the purposes of Applicable Data Protection Laws for such countries, including for clarity with respect to UK GDPR, Customer may transfer Personal Data to Company from each such country during the Term of this DPA subject to Section 7(a)(i) and (ii) above.
   3. Changes in Applicable Data Protection Laws. Company shall use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services, to facilitate compliance with changes in Applicable Data Protection Laws without unreasonably burdening Customer. If Company is unable to make available necessary changes promptly, Customer may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by Company in accordance with the changes in Applicable Data Laws by providing written notice in accordance with the “Notices” section of the Agreement. 
8. Subprocessors.
   1. Consent to Subprocessor Engagement. Customer authorizes the following Subprocessors to Process Personal Data: (i) Company’s Affiliates;  and (ii) the Subprocessors set forth at  https://www.oomnitza.com/thirdpartyterms, as updated by Company from time to time, or such other website address as Company may provide to Customer from time to time) (“Subprocessor Site”).
   2. Requirements for Subprocessor Engagement. When engaging any Subprocessor, Company will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Company shall be liable for all obligations under the Agreement subcontracted to, the Subprocessor or its actions and omissions related thereto.
   3. Subprocessor Changes. When Company engages any new Subprocessor after the Effective Date of the Agreement, Company will update the Subprocessor Site (including the name and location of the relevant Subprocessor and the activities it will perform).
   4. Opportunity to Object to Subprocessor Changes. If Customer objects to such engagement in a written notice to Company on reasonable grounds relating to the protection of Personal Data, Customer and Company will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to Company.
9. Return or Deletion of Personal Data. Upon request by Customer made within 60 days after the effective date of termination or expiration of this DPA, Company will delete or return Customer Data within a reasonable period of time. After such 60-day period, Company will have no obligation to maintain or provide any Customer Data, and as provided in the Documentation will thereafter delete or destroy all copies of Customer Data in its systems or otherwise in its possession or control, unless legally prohibited.
10. Miscellaneous. Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect.  In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Company’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Company to Customer under this DPA may be given: (a) in accordance with any notice clause of the Agreement; (b) to Company’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts.  Customer is solely responsible for ensuring that such email addresses are valid.

 

EXHIBIT A

SECURITY MEASURES

Company warrants and represents that it shall use commercially reasonable efforts to implement and maintain the security measures detailed below to keep all content, materials, data (including personal data) and non-public information provided or made available by Customer (collectively, “Data”) secure and protect Data against unauthorized or unlawful processing, accidental loss, destruction or damage, as further set forth below. In doing so, Company will act in good faith and diligence, using reasonable care and skill. 

A. Definitions:

• “Process” means any operation in relation to Data irrespective of the purposes and means applied, including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
• “Breach” means any (a) unauthorized Processing of Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by Company regarding Processing Data or otherwise put in place to comply with these requirements. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
• “Incident” means any impairment to the security of Data including any (i) act that violates any law or any Company security policy, (ii) unplanned service disruption that prevents the normal operation of the Services, or (iii) Breach.

2. Measures: Technical and organizational measures for the storage, handling, and disposal of and Data.

• Company will utilize industry standard encryption algorithms and key strengths to encrypt the following:
• Encrypt all Data that is in electronic form while in transit over all public wired networks (i.e. Internet) and all wireless networks. 
• Encrypt all Data while in storage. “In Storage” means information stored in databases, in file systems, and on various forms of online and offline media (Mobile devices, laptops, DASD, tape, etc.) and is also commonly referred to as “at rest.”
• Except where prohibited by law, Company will promptly remove Data upon (a) completion of the Services; or (b) request by Customer to be removed from Company’s environment, and destroy it within a reasonable timeframe, but in no case longer than sixty      (60     ) days after the date of request or cessation of services. Company will provide Customer with a written certification regarding such removal, destruction, and/or cleaning within thirty (30) days of such occurrence.

3. Measures: Malicious Code Protection. 

• All workstations and servers (virtual or physical) will run the current version of industry standard anti-virus and/or anti-malware software with the most recent updates available on any workstation or server. Virus definitions must be updated promptly upon release by the anti-virus software provider. Company will configure equipment and have supporting policies to prohibit users from disabling antivirus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Data or Company’s computing environment.
• Company will scan incoming and outgoing content for malicious code on all gateways to public networks including email and proxy servers.
• Company will quarantine or remove files that have been identified as infected and will log the event.

4. Measures: Technical and organizational measures for access control, especially to control the legitimacy of authorized entrants to the facilities and systems where Data may be accessed:

• Company ensures measures are taken to secure the premises (for example, securing entries and exits) as well as measures within its building through the use of the following procedures:
• security and encryption of all personal computers or other mobile devices that may access Data;
• limited access to employees and contractors except for authorized visitors; 
• identification of the persons having access authority;
• restriction on keys;
• visitors books (including timekeeping); and
• security alarm system or other appropriate security measures.

Company will revoke access to physical locations, systems, and applications that contain or process Data within twenty-four (24) hours of the cessation of such authorized agent’s need to access the system(s) or application(s).

5. Measures: Technical (password / password protection) and organizational (user master record) measures concerning user identification and authentication:
   
   

Company shall inform Customer upon its reasonable request which authorized persons are entrusted with access to Data.

User control shall include the following measures:

• Secure encrypted remote access technologies (e.g., VPN, SSH)     ;
• implementation of 2-factor authentication

Access control to Data shall include the following measures:

• effective and measured disciplinary action against individuals who access data without authorization.

6. Measures: Technical and organizational measures concerning the security of networks (including wireless networks) utilized by Company.

All network controls shall include the following measures:

• On a regular basis, Company will run internal and external network vulnerability scans. Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.
• Company will deploy reasonably appropriate firewall technology in operation of its networks. 
• At a minimum, Company will review firewall rule sets quarterly to ensure that legacy rules are removed and active rules are configured correctly.
• Company will deploy intrusion detection or prevention systems in order to monitor networks for inappropriate activity.
• Company shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of ninety      (90     ) days     .

Wireless network controls shall include the following additional measures:

• Network access to wireless networks should be restricted only to those authorized. 
• Access points shall be segmented from an internal, wired LAN using a gateway device.
• The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value.
• Encryption of all wireless connections will be enabled using industry standard encryption algorithms. Encryption protocols will be based on “Wireless Protected Access” (WPA2) or stronger. 

8. Measures: Company will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. If an Incident occurs, Company will (i) promptly take all necessary steps to prevent any further compromise of Data or any future Incidents; (ii) notify Customer within seventy-two      (72     ) hours of the Incident being identified and provide regular updates      thereafter; and (iii) respond promptly to any reasonable request from Customer for detailed information pertaining to the Incident. Company’s notice and report will contain a description of the nature of the Incident, its impact, and any investigative, corrective, or remedial actions taken or planned.
9. Measures: Business Continuity & Disaster Recovery. Company will implement a commercially reasonable and industry standard business continuity plan to maintain availability of the Services (the “Continuity Plan”). The Continuity Plan does and shall include, but is not limited to, elements such as (a) crisis management, plan and team activation, event & communication process documentation; (b) event management, business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, and system(s) details, recovery activities, and identification of the people / teams required for such recovery. Company shall maintain such Continuity Plan throughout the term of all subscriptions; provided that Company shall have the right to modify or amend the Continuity Plan provided such modification or amendment does not have a material adverse effect on Company ability to maintain availability of the Services.

EXHIBIT B

UNITED STATES EXHIBIT

1. The parties acknowledge that Customer discloses Personal Data to Company for the limited and specified purposes set forth in the Agreement and DPA, and as instructed by Customer. 
2. Customer shall have the right to take the reasonable and appropriate steps set forth in the Agreement designed to stop and remediate unauthorized use of Personal Data.
3. Company will not retain, use, disclose, sell, or share the Personal Data other than providing the Services specified by Customer’s documented instructions. Company will not combine Personal Data with information received from, or on behalf of other entities, except to perform the purpose of providing the Services specified by Customer’s documented instructions. Company shall Process Personal Data in accordance with Data Protection Laws applicable to Company’s provision of the Services to its customers generally (i.e., without regard for Customer’s particular use of the Services), when the Services are used according to this DPA, the Agreement, and the Documentation. Company shall inform Customer if Company determines it is unable to meet its obligations under the CCPA.
4. The parties acknowledge that Company’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Company’s provision of the Services and the business relationship between the parties. 

Attachment 2 – Support Responsibilities and Procedures

Definitions

In this Attachment 2:

(a) “Level 1 Support” means the first level of support given to Customer by Company to collect customer input, verify symptoms, and escalate, if required, to Level 2 Support.

(b) “Level 2 Support” means the second level of support given by Company to Customer that addresses Services operational and infrastructure issues and resolutions.

(c) “Level 3 Support” means the third level of support given by the Company that covers the resolution of application code bugs or infrastructure code.

(d) “Company Support Hours” for non-Critical and non-Major Business Impact issues means between 06:00 and 20:00 US Pacific Time Zone on a business day (Monday - Friday, every week of the year). Support hours and response obligations for Critical and Major Business Impact issues are as described below.

2. Vendor Support Obligations

Company shall provide Customer with all support in relation to issues identified by Customer and reported to Company.

Company shall respond to requests for support:

(a) with respect to Critical Business Impact issues, within sixty (60) minutes twenty-four (24) hours a day, three hundred and sixty-five (365) days a year. Company shall provide Customer (and Zendesk, if such Critical Business Impact issues relate to Customer support requests forwarded to Company by Zendesk) updates on Critical Business Impact issues every sixty (60) minutes until the issue is resolved. Critical Business Impact shall be defined as an issue that disrupts material functionality within the production environment in the Services or compromises the security/integrity of data in the Services. Critical Business Impact issues will remain so long as the disruption is ongoing, the need for resolution is acutely time-sensitive, with no reasonable workaround available;

(b) with respect to Major Business Impact issues within eight (8) hours, twenty-four (24) hours a day, three hundred and sixty-five (365) days a year. Company shall provide Customer (and Zendesk, if such Critical Business Impact issues relate to Customer support requests forwarded to Company by Zendesk) updates on Major Business Impact issues every twenty-four (24) hours until the issue is resolved. Major Business Impact shall be defined as an issue that degrades a material functionality or significantly disrupts or degrades Customer’s normal business operation, is in Customer’s production environment and is highly time-sensitive, and/or a significant unplanned effort is required to work around the issue to maintain normal business operations; 

(c) for other issues and enquiries, within twenty-four (24) Company Support Hours;

(d) to resolve issues raised to it within a commercially reasonable timeframe; and

(e) by providing ongoing updates on unresolved issues at least once a week until the issue is successfully resolved.

Exhibit 1 

SnapCall Services Terms and Conditions

Terms & Conditions

These terms and conditions of sale (“Terms and Conditions”), taken together with the special conditions (“Special Conditions”) that apply to each of the available services (the “Services”), form the full set of contractual conditions (hereinafter and jointly: the “Contract”) between, The PROVIDER ("SnapCall" as defined on the Zendesk SOW) and the CLIENT ("Subscriber" as defined on the Zendesk SOW) which are hereinafter individually designated as a “Party”, and collectively as the “Parties”. Zendesk will process billing to CLIENT pursuant to the Zendesk SOW to which this Contract is attached.

1. Terms and Conditions applicable to all services

1. Purpose of the Contract

The purpose of the Contract is to set out the terms and conditions of access and use of the services by CLIENT.

2. Date of application and duration of the Contract

This Contract comes into force on the date of subscription to the Service set forth on the Zendesk SOW to which this Contract is attached, and is concluded for the Subscription Term set forth on the Zendesk SOW.

Each Party can terminate the Contract at any time by sending an e-mail message that expressly requests the cessation thereof. In case of termination by the CLIENT, the e-mail message must be sent to support@snapcall.io. In case of termination by the PROVIDER, the e-mail message must be sent to the contact address completed by the CLIENT when setting up the account.

In case of termination by the CLIENT during the period of subscription, there shall be no reimbursement of any sum already paid by the CLIENT to Zendesk under the Zendesk SOW.

3. Conditions of use of the Services

The CLIENT undertakes to use the Service only for its professional activity as carried out on its website, as completed by the CLIENT when setting up the subscription, and to use it solely for its own needs. Under no circumstances can the Service be used in any manner whatsoever for and on behalf of third parties.

The CLIENT undertakes to use the Service for lawful purposes. The CLIENT shall under no circumstances use the Service for an activity that is against the law or the rights of third parties.

The CLIENT undertakes not to try to decrypt, decompile, or modify, in any way whatsoever, the computer programs upon which the Service relies.

4. Conditions of access to the Services

The Services will be provided by the PROVIDER to the CLIENT in accordance with the Special conditions.

A high speed Internet connection is required for proper transmission of the Services. You are responsible for procuring and maintaining the network connections that connect Your network to the Services, including, but not limited to, “browser” software that supports protocols used by the PROVIDER, including the Transport Layer Security (TLS) protocol or other protocols accepted by the PROVIDER, and to follow procedures for accessing services that support such protocols. We are not responsible for notifying You, Agents or End-Users of any upgrades, fixes or enhancements to any such software or for any compromise of data, including Service Data, transmitted across computer networks or telecommunications facilities (including but not limited to the Internet) which are not owned, operated or controlled by the PROVIDER. We assume no responsibility for the reliability or performance of any connections as described in this section.

Any use of the Services requires the prior opening of an account that, once it is approved by the PROVIDER, generates an access code enabling the Service to be activated.

In any case, the CLIENT undertakes to reserve access to and use of the Services solely for its authorised members of staff. Those persons must have acquainted themselves with the terms and conditions of use of the Services. The access codes provided to the CLIENT are confidential and fall entirely under the CLIENT’s responsibility; the CLIENT shall take any appropriate measures to guarantee the confidentiality of the codes and to prevent third parties from using them.

The CLIENT remains fully liable for any action taken through its account(s).

The PROVIDER must retain and archive all items relating to the use of the account. The PROVIDER can avail itself, especially for evidential purposes, of any file, act, recording, monitoring report, or statistics, on all supports, including the computer support set up, received, or retained by the PROVIDER. Those evidential terms and conditions form a presumption that can only be overturned based on proof that the PROVIDER’s means of recording and storage have effectively been defective.

5. Evolution of the Services

The PROVIDER may have to develop the Services to adapt to technological change or to meet market expectations, in particular by adding or deleting one or more features of the Services.

No additional price shall apply to any functional development that lies within the initial perimeter.

If the essential features of the Services are deleted or modified, the PROVIDER shall inform the CLIENT of the matter at least six (6) months before the aforesaid deletion or modification. If appropriate, the CLIENT can terminate the Contract by e-mail message. If the CLIENT does not terminate the Contract before the aforesaid deletion or modification, it shall be deemed to have accepted the deletion or modification concerned.

6. Commitments and guarantees

PROVIDER represents and warrants that the Services will achieve a monthly availability percentage of at least 99.9% in any calendar month (i.e. max forty-three (43) minutes downtime per month) during the Services subscription term. Planned maintenance/downtime shall be limited to under four (4) hours in a given month and PROVIDER will provide at least seven (7) days’ advanced written (email acceptable) notice to CLIENT of such unavailability (“Scheduled Downtime”). Notice will be provided as described in the Contract.

The CLIENT acknowledges that it is aware of the potential, purpose, and features of the Service to which it has subscribed and that it has been able to assess its suitability for its own needs.

The state of the art does not allow tests and checks to be carried out in respect of all possible ways of using the Services. Accordingly, the PROVIDER is not able to guarantee that the Services are free from anomalies.

However, the PROVIDER commits to doing everything to correct, as soon as possible, the reproducible anomalies that the CLIENT reported to it. This guarantee is only given by the PROVIDER to the CLIENT if the Services have been used in accordance with their description, and if all technical prerequisites have been complied with.

PROVIDER represents and warrants that the Services will meet the information security commitments set forth in Exhibit A, attached hereto.

PROVIDER shall provide CLIENT with all applicable customer support for the Services as described in Exhibit B, attached hereto.

7. Intellectual-property rights

Subject to third-party rights, the PROVIDER retains sole ownership of results, computer developments, studies, know-how, and other knowledge, whether patented or not, acquired before this Contract comes into force.

Subject to third-party rights, the PROVIDER is the sole owner of its trademarks, names, denominations, logos, colours, graphics, and other distinctive signs, as well as of those that may be produced or used as part of this Contract, unless expressly provided otherwise in this Contract.

Subject to third-party rights, the PROVIDER is the holder of copyright in the software used to provide the Services. In that regard, the PROVIDER guarantees the CLIENT the right to enjoy the Services quietly, provided the CLIENT complies with the conditions for using those Services.

If a third party brings legal action against the CLIENT because the latter has used one or more Services, the PROVIDER undertakes to defend the CLIENT if the action is based on an intellectual property right, and if the CLIENT has immediately given notice thereof to the PROVIDER. The PROVIDER shall have sole control of the procedure.

If, for the needs of the Services and the use thereof, the PROVIDER provides the CLIENT with items that come under the French intellectual property code, that shall not be considered a transfer, under the meaning of the said Code, of any intellectual-property right from the PROVIDER to the CLIENT.

To the extent required, the PROVIDER grants the CLIENT, for the duration of the Contract and for the needs of performing the Contract, a personal, non-exclusive, and non-transferable authorization to use any immaterial item made available to it (logo, software package, etc.), in particularly to the extent of rights held by the PROVIDER.

The provision of Services by the PROVIDER is based on the fact that the latter can access and process certain data contained in the CLIENT’s content-management system (CMS). To that end, the CLIENT authorises the PROVIDER to access and process the said data subject to the limits that are strictly needed to perform the Contract; in any case, those data remain the CLIENT’s property.

8. Personal data

For the purpose of this article:

“Personal Data” means any information relating to an identified or identifiable Person. A Person is deemed identifiable when she / he can be identified directly or indirectly, especially by reference to an identifier or to one or more specific items that are specific to the Person’s identity.

“EEA” means the European Economic Area, which, on the date of the Contract, includes the European Union, Norway, Iceland, and Liechtenstein.

“Guarantees” means the appropriate guarantees taken to maintain the security and confidentiality of Personal Data Transferred outside the EEA to a country with legislation that the European authorities have not deemed adequate, under the conditions set out in the Data Regulations.

“Person” means any physical person (client, employee, service provider, supplier, etc.) whose Personal Data are likely to be Processed as part of the Contract.

“Data Regulation” means the regulation applicable to the CLIENT in matters of using Personal Data, especially law no. 78-17 of 6 January 1978 on information technology, files, and freedoms, as well as any regulation that supplements it or that replaces it, especially Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Data Controller” means the Party that determines, alone or in conjunction with another Data Controller, the purposes and means of Processing that it may entrust, in full or in part, to one or more Subcontractors.

“Subcontractor” means any physical or legal person who Processes Personal Data for and on behalf of a Data Controller.

“Process” or “Processing” means carrying out any operation or series of operations covering Personal Data, such as collecting, recording, organising, storing, adapting, modifying extracting, consulting, using, communicating by transmission, circulation or any other means of provision, convergence, interconnection, locking, deletion, and destruction, regardless of whether or not that operation is carried out automatically.

“Transfer” or “Transferring” means transferring Personal Data or giving access thereto, including by provision, from the territory of an EEA Member State to a country outside the EEA.

0.1. Authorisation of the Processing carried out by the Service Provider acting as Subcontractor to the CLIENT

As part of carrying out the provisions of service set out in the Contract, the PROVIDER can, for the whole duration of the Contract and until expiry of the durations defined by the CLIENT, have access to Personal Data in the table set out below.

Purpose of subcontracting -> Providing Services in SaaS mode

Purpose of Processing put in place by the PROVIDER -> Establishing contact between final clients and the CLIENT, and drawing up statistics for and on behalf of the CLIENT

Categories of Personal Data Processed by the PROVIDER -> Final customers data who call the Service

Categories of Persons -> The CLIENT’s final customers

In that context, the PROVIDER acts as the CLIENT’s Subcontractor. The PROVIDER acknowledges that it has no right to the Personal Data that it Processes for and on behalf of the CLIENT.

For as long as the PROVIDER has access to the aforesaid Personal Data, it undertakes to comply with the CLIENT’s written instructions regarding the use that can be made of the Personal Data. The said instructions shall be documented as part of the system of monitoring incident tickets managed by the PROVIDER.

The PROVIDER shall immediately inform the CLIENT if, in the opinion of the PROVIDER, one of the CLIENT’s instructions is likely to violate the Data Regulations.

In addition, if the PROVIDER is required to carry out Processing under the law of the European Union or under the law of one of the European countries to which it is subject, it must inform the CLIENT of that legal requirement before Processing, except if the right concerned prohibits the giving of such information due to significant reasons of public interest.

The PROVIDER undertakes to:

• Implement the appropriate technical and organisational measures to protect Personal Data from any foreseeable risk of destruction, loss, alteration, disclosure, or unauthorised access, as well as to ensure the availability and integrity of those Personal Data. In that regard, the PROVIDER can be required, in order to take account of risks that may exist for the security of Personal Data and for persons’ privacy, to pseudonymise and / or encrypt Personal Data and / or supports;

• Take all security measures to ensure compliance with the Data Regulation, and, in particular, at the end of the Contract and at the CLIENT’s choice, destroy all files that include Personal Data, or return in full all supports that include such Personal Data, and not to retain any copy or original thereof;

•In the event of a security failure causing a violation of Personal Data, inform the CLIENT thereof in writing as soon as possible after having learnt of the event, and carry out an investigation that enables a gradual series of reports to be sent, as the investigation progresses, to the CLIENT containing information on the nature and extent of the Personal Data that may already be affected and the corrective measures that have been taken or that are envisaged.

The PROVIDER undertakes to provide the CLIENT with all necessary assistance to enable the latter to comply with all its obligations under the Data Regulation, in

 

particular enabling it to carry out the analyses and other consultations required, and to enable Persons to exercise their rights in relation to their Data. In the latter case, if Persons make requests directly to the PROVIDER, the latter undertakes to use all means to pass them on to the CLIENT. The PROVIDER also undertakes to cooperate with the competent control authority, doing so in conjunction with the CLIENT.

The PROVIDER shall make available to the CLIENT, and shall provide the latter on first request from it, all evidence to prove compliance with the PROVIDER’s obligations under the Data Regulation, and shall make available to the CLIENT all the information needed to enable audits, including inspections, to be carried out by the CLIENT or by an auditor appointed by it, at the CLIENT’s expense, and shall contribute in a reasonable manner to those audits.

The PROVIDER undertakes not to use the documents and Personal Data for purposes other than those specified in the Contract. In addition, the PROVIDER undertakes to make its staff subject to a duty of confidentiality and to ensure compliance therewith.

The PROVIDER is authorised to entrust the performance of certain services set out in the Contract to Subcontractors subject to having previously ensured, on the basis of contracts, that those Subcontractors offer security guarantees and are subject to obligations that are at least as binding as those applicable by virtue of the Contract.

The CLIENT guarantees that it has taken the precautions needed to comply with the Data Regulation, in particular regarding its obligations relating to informing its own clients. In that regard, the CLIENT guarantees to the PROVIDER that the CLIENT’s subscription to the Services and the performance of the Contract by the Parties shall not, under any circumstances, constitute a breach of the Data Regulation.

 

0.2. Personal Data exchanged between the Parties

Each Party can give the other Party access to Personal Data concerning the first Party’s staff for the purposes of monitoring the Contract (invoicing, committee meetings, etc.). The Party that receives those Personal Data shall act as Data Controller in relation to those data, and shall comply with its obligations under of the Data Regulation.

In that context, each Party shall make it its business, acting for and on behalf of the other Party, to provide its members of staff concerned with all information relating to the Processing implemented by the other Party, and that is based on performing the Contract as well as each Party’s legitimate needs in relation to managing the commercial relationship. To that end:

- The CLIENT is hereby informed that the Persons concerned by such Processing can exercise their rights under the Data Regulation, and do so at the following address: support@snapcall.io;

- The PROVIDER is hereby informed that the Persons concerned by such Processing can exercise their rights under the Data Regulation, and do so at the following address: support@snapcall.io.

9. Financial conditions

The prices and related payment terms of the Services are set out in the Zendesk SOW. Zendesk will act as the billing agent for the Services to CLIENT as set forth on the Zendesk SOW.

 Non-payment in full or in part of any sums due shall have the effect of allowing the PROVIDER to suspend the provision of all Services subscribed to, notwithstanding the right to claim an indemnity in respect of the loss suffered. The CLIENT shall, in any case, bear sole liability for the consequences of that suspension.

10. Termination of the Contract

If a Party is in serious breach of its essential obligations, the other Party shall, thirty (30) days after notice being given in the form of a registered letter sent with acknowledgement of receipt has remained without effect, or immediately in the case of an irreparable breach, be authorised to automatically terminate as of right (“de plein droit”) the Contract by sending a registered letter with acknowledgement of receipt, notwithstanding the right to claim an indemnity in respect of the loss suffered.

Unless otherwise provided by the Contract, in all cases of full or partial termination of the Contract, the provisions of service already made by the PROVIDER under the Service on the date of termination of the Contract cannot be brought into question, and the corresponding sums remain owing to Zendesk.

11. The PROVIDER’s liability

The CLIENT bears sole liability for the use it makes of the Services and for non-compliance with the instructions for use, as well as any handling that fails to comply with the requirements, whether contractual or not, linked to its professional activity.

The PROVIDER and the CLIENT shall be liable, each in respect of the matters that concern it, for all the direct or indirect pecuniary consequences of the civil liability that they incur under common law, by reason of losses caused to third parties on the occasion of or under this Contract.

Under no circumstances shall the PROVIDER be held liable towards the CLIENT for any indirect damage suffered by the latter. It has been agreed by the Parties that indirect damage shall be taken as any commercial loss, deterioration of brand image, or loss of profits, income, productivity, turnover, clientele, orders, or data. Any action taken against the CLIENT by a third party shall be deemed to constitute an indirect loss, and, consequently, it does not give entitlement to compensation payable by the PROVIDER.

In the event of proven negligence on the part of the PROVIDER leading to damage suffered by the CLIENT, the CLIENT’s right to compensation in relation to direct damage shall be limited, for each contractual year, to three (3) months of average invoicing during the course of the year, up to a maximum of twelve (12) months of average invoicing for the entire duration of the Contract. If the damage should occur during the first twelve (12) months, the entitlement to compensation shall be limited to one third of the invoice amount relating to the Services on the day of the fault that gave rise to the damage.

By express agreement between the Parties, no legal proceedings, other action, or claim, of whatever type, can be brought by the CLIENT more than twelve (12) months after the occurrence of the fact that gave rise to it.

12. Force majeure

No Party can be held liable towards the Party for non-performance or delayed performance of its obligations under the Contract, and that may be due to a case of force majeure, arising from any event or circumstance that lies outside its control, and that is of an irresistible and unforeseeable nature.

Cases of force majeure shall be those deemed such by the jurisprudence handed down by the Cour de Cassation.

The Party that relies on a case of force majeure shall be required to prove it and to give notice thereof to the other Party, indicating to the latter the duration and foreseeable consequences of the case of force majeure within eight (8) days of that case occurring.

For the said Party to benefit from that case of exemption from liability, it must also provide evidence that it has unsuccessfully made all reasonable efforts to ensure the performance of its obligations, including by using replacements.

In any case, the said Party must do its best to limit the consequences of a case of force majeure.

For the entire duration of the Contract, any case of force majeure, as defined above, shall suspend the obligations arising from the said Contract for the duration of the event or circumstance.

However, if the suspension of obligations arising from the Contract lasts more than one (1) month, the CLIENT shall be entitled to terminate this Contract by registered letter with acknowledgement of receipt, after the expiry of that period of suspension of one (1) month, and subject to fifteen (15) days’ notice being given.

13. Insurance

The PROVIDER declares that it is the holder of an insurance policy that covers its professional liability and the risks linked to its activity.

14. Confidentiality

Each of the Parties undertakes to comply with a general obligation of confidentiality in relation to information obtained from the other Party.

In consequence, neither Party shall make known to anyone, whether directly or indirectly, all or any part of the confidential information, which is expressly defined between the Parties as being any information of a commercial, personal, financial, or organisational nature, which relates to a Party, and which has been communicated by the other Party (“Confidential Information”).

That commitment applies throughout the term of the Contract, and for five (5) years after the expiry or termination of the Contract.

Except for personal details provided when performing the Contract, this confidentiality undertaking does not apply:

- When on request from one Party, the other Party gives written authorisation for the use or circulation of confidential information;

- When that information and those confidential data enter the public domain, without the other Party having placed them there;

- When one Party can establish that it held the information before the performance of the Contract.

15. Assignment of the Contract

The CLIENT shall not assign, in whole or in part, its rights and obligations under this Contract.

The PROVIDER can assign all or part of the Contract, or delegate all or part of its obligations arising from the said Contract, on notification sent to the CLIENT (and Zendesk, where applicable), and it can do so at any time, to any current or future company that belongs to the same group as the PROVIDER, a matter to which the CLIENT hereby gives its express agreement. If the PROVIDER assigns the Contract, the latter shall be validly discharged therefrom.

16. General provisions

Unless expressly provided otherwise in this Contract, the Parties acknowledge, in their relationships, the validity and probative force of electronic correspondence and digital documents exchanged between them in the context of this Contract.

For the performance of this Contract and its consequences, the Parties elect domicile at their respective registered offices.

The provisions of this Contract express the entirety of the Contract concluded between the Parties. They take precedence over any other previous proposal or provision or agreement, as well as over any other communication between the Parties relating to the purpose of the Contract.

The nullity, for any reason whatsoever, of any one of the obligations arising from this Contract shall not affect the validity of the other obligations arising from this Contract for any reason whatsoever.

Failure by one of the Parties to enforce the application of any of the clauses of this Contract, whether on a temporary or permanent basis, shall not in any case be deemed a waiver of that Party’s rights under the said clause.

No document subsequent to the Contract being signed shall give rise to obligations under the said Contract if it is not the subject of an amendment signed by both Parties.

Except in a case of manifest error, the data contained in the CLIENT’s information system have probative force with respect to the relationships between the Parties.

The CLIENT authorises the PROVIDER to quote its name as a commercial reference. For more detailed communication, the PROVIDER undertakes to have the said communication given prior validation by the CLIENT’s communication department.

17. Applicable law and attribution of competence

Any dispute between the Parties arising from this Contract, relating to the existence, validity, interpretation, performance, and termination of this Contract (or to any of its clauses) and that the Parties are not able to resolve by mutual agreement, shall be submitted to the sole jurisdiction of the Paris Commercial Court.2. Special conditions applicable to each service

Emergency calls:

You understand and agree that The Services are not intended to support or carry emergency calls to any emergency services, such as public safety answering points; (b) We will not be held liable for any claim, damages or loss (and You hereby waive any and all such claims or causes of action), arising from or relating to Your (or Agents’ or End-Users’) inability to use The Services to make such emergency calls; (c) You are solely responsible for Your operation of The Services in compliance with all applicable laws in all jurisdictions, including, but not limited to, telephone recording and wiretapping laws and laws related to telemarketing and spam, such as the Telephone Consumer Protection Act; and (d) You will defend, hold harmless and indemnify Us from and against any third party claim arising from any of the foregoing. 

 Provider APIs:

If the PROVIDER makes access to any APIs available as part of the Services, the PROVIDER reserves the right to place limits on access to such APIs (e.g., limits on numbers of calls or requests). Further, the PROVIDER may monitor Customer's usage of such APIs and limit the number of calls or requests Customer may make if the PROVIDER believes that Customer's usage is in breach of this Agreement or may negatively affect the Services (or otherwise impose liability on the PROVIDER).

Fair Use Policy:

In any case, all Plans:

May only be used for normal business use;

Are provided only for live dialog between two individuals; and

May only be used for some specific international numbers;

The PROVIDER reserves the right with or without prior notice to disconnect or suspend your Service and terminate the Agreement if The PROVIDER determines that your use of the Service violates any point of the Agreement, including the Fair Use Policy above.

Call definition:

By call, we designate all human interactions initiated by the end-customer with The Services. 

Custom integration:

In case of custom integration using our JavaScript API, the CLIENT has to display The PROVIDER logo during the call, with a clickable link being forwarded to the website of The PROVIDER.

Exhibit A

Information Security Measures

 

PROVIDER warrants and represents that it shall use commercially reasonable efforts to implement and maintain the security measures detailed below to keep all content, materials, data (including personal data) and non-public information provided or made available by CLIENT (collectively, “Data”) secure and protect Data against unauthorized or unlawful processing, accidental loss, destruction or damage, as further set forth below. In doing so, PROVIDER will act in good faith and diligence, using reasonable care and skill.

 

A. Definitions:

●  “Process” means any operation in relation to Data irrespective of the purposes and means applied, including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.

●  “Breach” means any (a) unauthorized Processing of Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by PROVIDER regarding Processing Data or otherwise put in place to comply with these requirements. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.

●  “Incident” means any impairment to the security of Data including any (i) act that violates any law or any PROVIDER security policy, (ii) unplanned service disruption that prevents the normal operation of the Services, or (iii) Breach.

B. Measures: Technical and organizational measures for the storage, handling, and disposal of and Data.

●  PROVIDER will utilize industry standard encryption algorithms and key strengths to encrypt the following:

●  Encrypt all Data that is in electronic form while in transit over all public wired networks (i.e. Internet) and all wireless networks. 

●  Encrypt all Data while in storage. “In Storage” means information stored in databases, in file systems, and on various forms of online and offline media (Mobile devices, laptops, DASD, tape, etc.) and is also commonly referred to as “at rest.”

●  Except where prohibited by law, PROVIDER will promptly remove Data upon (a) completion of Services; or (b) request by CLIENT or Zendesk to be removed from PROVIDER’s environment, and destroy it within a reasonable timeframe, but in no case longer than twenty-one (21) days after the date of request or cessation of services. PROVIDER will provide CLIENT and Zendesk with a written certification regarding such removal, destruction, and/or cleaning within thirty (30) days of such occurrence.

 

C.   Measures: Malicious Code Protection.

●  All workstations and servers (virtual or physical) will run the current version of industry standard anti-virus and/or anti-malware software with the most recent updates available on any workstation or server.   Virus definitions must be updated promptly upon release by the anti-virus software provider.  PROVIDER will configure equipment and have supporting policies to prohibit users from disabling antivirus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Data or PROVIDER’s computing environment.

●  PROVIDER will scan incoming and outgoing content for malicious code on all gateways to public networks including email and proxy servers.

●  PROVIDER will quarantine or remove files that have been identified as infected and will log the event.

 

D.   Measures: Technical and organizational measures for access control, especially to control the legitimacy of authorized entrants to the facilities and systems where Data may be accessed:

●  PROVIDER ensures measures are taken to secure the premises (for example, securing entries and exits) as well as measures within its building through the use of the following procedures:

●  security and encryption of all personal computers or other mobile devices that may access Data;

●  limited access to employees and contractors except for authorized visitors; 

●  identification of the persons having access authority;

●  restriction on keys;

●  visitors books (including timekeeping); and

●  security alarm system or other appropriate security measures.

 

PROVIDER will revoke access to physical locations, systems, and applications that contain or process Data within twenty-four (24) hours of the cessation of such Authorized Agent’s need to access the system(s) or application(s).

 

E. Measures: Technical (password / password protection) and organizational (user master record) measures concerning user identification and authentication:

PROVIDER shall inform the CLIENT upon its reasonable request which authorized persons are entrusted with access to Data.

User control shall include the following measures:

• restricted VPN profile;
• implementation of 2-factor authentication

Access control to Data shall include the following measures:

• effective and measured disciplinary action against individuals who access data without authorization.

F. Measures: Technical and organizational measures concerning the security of networks (including wireless networks) utilized by PROVIDER.

All network controls shall include the following measures:

• On a regular basis, PROVIDER will run internal and external network vulnerability scans.  Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.
• PROVIDER will deploy reasonably appropriate firewall technology in operation of its networks.
• At a minimum, PROVIDER will review firewall rule sets quarterly to ensure that legacy rules are removed and active rules are configured correctly.
• PROVIDER will deploy intrusion detection or prevention systems in order to monitor networks for inappropriate activity.
• PROVIDER shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year. 

Wireless network controls shall include the following additional measures:

• Network access to wireless networks should be restricted only to those authorized.
• Access points shall be segmented from an internal, wired LAN using a gateway device.
• The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value.
• Encryption of all wireless connections will be enabled using industry standard encryption algorithms. Encryption protocols will be based on “Wireless Protected Access” (WPA2) or stronger. 

G.   Measures: PROVIDER will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. If an Incident occurs, PROVIDER will (i) promptly take all necessary steps to prevent any further compromise of Data or any future Incidents; (ii) notify the CLIENT within twenty-four (24) hours of the Incident being identified and provide a written report within three (3) days thereafter; and (iii)  respond promptly to any reasonable request from the CLIENT for detailed information pertaining to the Incident. PROVIDER’s notice and report will contain a description of the nature of the Incident, its impact, and any investigative, corrective, or remedial actions taken or planned.

 

H.   Measures: Business Continuity & Disaster Recovery. PROVIDER has provided the CLIENT commercially reasonable and industry standard business continuity plan to maintain availability of the Services (the “Continuity Plan”).  The Continuity Plan does and shall include, but is not limited to, elements such as (a) crisis management, plan and team activation, event & communication process documentation; (b) event management, business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, and system(s) details, recovery activities, and identification of the people / teams required for such recovery.  PROVIDER shall maintain such Continuity Plan throughout the term of all subscriptions; provided that PROVIDER shall have the right to modify or amend the Continuity Plan provided such modification or amendment does not have a material adverse effect on PROVIDER ability to maintain availability of the Services.

 

I.  At the CLIENT’s request PROVIDER shall make commercially reasonable modifications to its information security program or to the procedures and practices thereunder to conform to the CLIENT’s baseline security requirements as outlined in all applicable exhibits to the Contract and as they exist from time to time.  The CLIENT shall provide PROVIDER with documentation of such baselines, which shall be part of the CLIENT’s confidential information under the Contract.  PROVIDER shall develop a written information security plan for the CLIENT containing, at a minimum, the topics called for in this Contract.

Exhibit B 

Support Responsibilities and Procedures

1. Definitions

In this Exhibit B:

a) “Level 1 Support” means the first level of support given to CLIENT by the PROVIDER to collect customer input, verify symptoms, and escalate, if required, to Level 2 Support.

(b) “Level 2 Support” means the second level of support given by PROVIDER to CLIENT that addresses Services operational and infrastructure issues and resolutions.

(c) “Level 3 Support” means the third level of support given by PROVIDER that covers the resolution of application code bugs or infrastructure code.

(d) “Vendor Support Hours” for non-Critical and non-Major Business Impact issues means between 09:00 and 24:00 [CET : GMT +2] on a business day (Monday - Friday, every week of the year). Support hours and response obligations for Critical and Major Business Impact issues are as described below.    

2. PROVIDER Support Obligations

The PROVIDER shall provide CLIENT with all support in relation to issues identified by Zendesk or CLIENT and reported to PROVIDER. These support services will be provided by means of the Zendesk help desk ticket system.

PROVIDER shall respond to requests for support

(a) with respect to Critical Business Impact issues, within thirty (30) minutes twenty-four (24) hours a day, three hundred and sixty-five (365) days a year. PROVIDER shall provide CLIENT (and Zendesk, if such Critical Business Impact issues relate to CLIENT support requests forwarded to PROVIDER by Zendesk) updates on Critical Business Impact issues every thirty (30) minutes until the issue is resolved. Critical Business Impact shall be defined as an issue that disrupts material functionality within the production environment in the Services or compromises the security/integrity of data in the Services. Critical Business Impact issues will remain so long as the disruption is ongoing, the need for resolution is acutely time-sensitive, with no reasonable workaround available;

(b) with respect to Major Business Impact issues within one (1) hour, twenty-four (24) hours a day, three hundred and sixty-five (365) days a year. PROVIDER shall provide CLIENT (and Zendesk, if such Critical Business Impact issues relate to CLIENT support requests forwarded to PROVIDER by Zendesk) updates on Major Business Impact issues every hour (1) until the issue is resolved. Major Business Impact shall be defined as an issue that degrades a material functionality or significantly disrupts or degrades CLIENT’s normal business operation, is in CLIENT’s production environment and is highly time-sensitive, and/or a significant unplanned effort is required to work around the issue to maintain normal business operations;

(c) for other issues and enquiries, within six (6) Vendor Support Hours;

(d) to resolve issues raised to it within a commercially reasonable timeframe; and

(e) by providing ongoing updates on unresolved issues at least once a week until the issue is successfully resolved.