Master Services Agreement

This Master Services Agreement (collectively with all Orders, the “Agreement”) is entered into as of the last dated signature in the Initial Order (defined below) (the “Effective Date”) by and between Aampe, Inc., a [STATE] corporation, with a place of business at [ADDRESS] (“Company”), and the customer identified in the Order (“Customer”).  Customer and Company are referred to individually as a “Party” and collectively as the “Parties.”  The Parties hereby agree as follows:

Last updated on: Oct 14, 2025

  1. Definitions

Capitalized terms defined in this Section 1 or as otherwise set forth throughout this Agreement will have the meanings set forth herein.

1.1 “Admin Console” if applicable, means the online console(s) and tool(s) provided by Company to Customer for administering the Services.

1.2 “Administrators” if applicable, mean the Customer-designated technical personnel who administer the Services on Customer’s behalf.

1.3 “Affiliate” means an entity that controls, is controlled by, or is under common control with a Party.  For the purposes of this definition, “control” and its cognates mean direct or indirect ownership of more than 50% of the voting interests of the applicable Party.

1.4 “Claim” means any claim, action, proceeding, or suit.

1.5 “Customer Content” means any material, such as audio, video, text, or images, that is imported into the Services by or on behalf of Customer in connection with Customer’s use of the Services, including for collaboration, content delivery, digital publishing, targeted advertising, or indexing.

1.6 “Customer Data” means any data that is imported by or on behalf of Customer into the Services from Customer’s internal data stores or other third-party data providers in connection with Customer’s use of the Services.

1.7 “Initial Order” means the initial or first Order for Offerings that is executed by Company and Customer.

1.8 “Law” means all laws and regulations, including state and federal laws and regulations, binding orders, and ordinances, applicable to such Party in its performance of this Agreement, including privacy laws and regulations governing such Party and its data privacy practices.

1.9 “Offerings” means the Services and any Professional Services.

1.10 “Order” means any ordering document for Offerings (that either references this Agreement or to which this Agreement is attached) that is accepted and executed by Company and executed by the Customer identified in such ordering document.

1.11 “Reports” means any graphical or numerical display of Customer Data that contains Company’s proprietary design, look and feel, and is generated by the Services.

1.12 “Sensitive Data” means an individual’s financial information, sexual preferences, medical or health information protected under any health data protection Laws, biometric data (for purposes of uniquely identifying an individual), personal information of children protected under any child protection Laws (such as the personal information defined under the US Children’s Online Privacy Protection Act and any additional types of information included within this term or any similar term (such as “sensitive personal information” or “special categories of personal information”) as used in applicable data protection or privacy Laws).

1.13 “Services” means the services specified in the Order, any Reports, and any Deliverables, excluding Professional Services.

1.14 “SLA” means the service level agreement referenced in or attached to an Order.

1.15 “User” means individuals who are authorized to use the Services under Customer’s account, including employees, contractors, agents of Customer and Customer’s end-users.


  2. Company Services

2.1 Access to Services and Reports.  Subject to Customer’s continuing compliance with its obligations set forth in this Agreement, and while an Order under this Agreement remains in effect:  (a) Company will use commercially reasonable efforts to provide access to the Services to:  (i) each User authorized under an applicable Order pursuant to (and subject to such User complying with) this Agreement; and (ii) if applicable, access to the Admin Console for the Administrator(s) to manage Customer’s use of the Services (and each User’s ability to access the Services, if applicable); and, (b) Customer may download and use, solely for its internal business purposes, any Reports that are made available to Customer via the Service from time to time; in each case, in accordance with the provisions of this Agreement (including the applicable Order).

2.2 Eligibility.  Customer may designate a User as being eligible to access the Services by: (a) providing Company with a monthly report (in a format acceptable to Company) identifying such Users; (b) uploading the User information directly via the Admin Console (if applicable); (c) enabling single sign-on functionality for such User; or (d) such other methods as agreed upon by the Parties.  Customer will provide all notices and obtain all consents as required by Law to share the Customer Data with Company for Company’s processing in accordance with the Agreement.

2.3 Service Level Agreement.  Company will use commercially reasonable efforts to provide the support and service levels set forth in the SLA.  The SLA sets forth Customer’s sole and exclusive remedy and Company’s sole and exclusive obligations for any failure to meet any obligations set forth in the SLA.

2.4 Professional Services.  Company will use reasonable efforts to perform the professional services (“Professional Services”) specified in each statement of work (each, a “SOW”) or Order to this Agreement.  Company may perform such Professional Services by using its personnel or by retaining contractors to perform such Professional Services.  Any SOW will become effective when signed by both Parties.  Each SOW is hereby incorporated into this Agreement by this reference.  Company solely and exclusively owns throughout the world all materials (including software, prototypes, drawings, artwork, documentation and any other deliverables), ideas, designs, techniques, formulas, know-how, inventions (whether or not patentable), improvements, information, creative works and any other works created, conceived, reduced to practice or otherwise developed by or on behalf of Company in the course of or resulting from the provision of Professional Services (including all intellectual property rights therein or thereto) (collectively, “Work Product”).  “Deliverables” means the Work Product that Company delivers to Customer.


  3. Proof of Concept

If an Order includes a proof of concept (“POC”), Company will make the applicable Offerings identified in such Order available to Customer on a trial basis in accordance with such Order.  ANY DATA ENTERED INTO THE SERVICES, AND ANY CUSTOMIZATIONS MADE TO THE SERVICES BY OR FOR CUSTOMER, DURING THE POC WILL BE PERMANENTLY LOST UNLESS CUSTOMER PURCHASES THE APPLICABLE SERVICES IDENTIFIED IN AND IN ACCORDANCE WITH SUCH ORDER BEFORE THE END OF THE POC.  CUSTOMER WILL REVIEW THE APPLICABLE DOCUMENTATION FOR SERVICES DURING THE POC TO BECOME FAMILIAR WITH THE FEATURES AND FUNCTIONS OF THE SERVICES BEFORE MAKING A PURCHASE.  NOTWITHSTANDING SECTIONS 10, 11, AND 12.1, DURING THE POC THE OFFERINGS ARE PROVIDED “AS-IS” WITHOUT ANY WARRANTY AND COMPANY WILL HAVE NO INDEMNIFICATION OBLIGATIONS NOR LIABILITY OF ANY TYPE WITH RESPECT TO THE OFFERINGS DURING THE POC, UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW IN WHICH CASE COMPANY’S LIABILITY WITH RESPECT TO THE OFFERINGS PROVIDED DURING THE POC WILL NOT EXCEED $1,000.00.  WITHOUT LIMITING THE FOREGOING, COMPANY, ITS AFFILIATES, AND ITS LICENSORS DO NOT REPRESENT OR WARRANT TO CUSTOMER THAT: (A) THE OFFERINGS WILL MEET CUSTOMER’S REQUIREMENTS DURING THE POC; (B) CUSTOMER’S USE OF THE SERVICES DURING THE POC WILL BE UNINTERRUPTED, TIMELY, SECURE OR FREE FROM ERROR; AND (C) OFFERINGS OR DATA PROVIDED DURING THE POC WILL BE ACCURATE.  NOTWITHSTANDING ANYTHING TO THE CONTRARY IN SECTION 11, CUSTOMER WILL BE FULLY LIABLE UNDER THIS AGREEMENT TO COMPANY AND ITS AFFILIATES FOR ANY DAMAGES ARISING OUT OF CUSTOMER’S USE OF THE SERVICES DURING THE POC, ANY BREACH BY CUSTOMER OF THIS AGREEMENT, AND ANY OF CUSTOMER’S INDEMNIFICATION OBLIGATIONS HEREUNDER.


  4. Customer's Obligations

4.1 Use and Access Restrictions.  Customer will not:  (a) make the Services available to, or use the Services for the benefit of, anyone other than Company; (b) sublicense, resell, time share, or similarly exploit the Services; (c) reverse engineer, disassemble, reverse compile, decompile, translate, modify, create derivative works of, adapt, or hack the Services, or otherwise attempt to gain unauthorized access to the Services or its related systems or networks, or otherwise attempt to discover the source code, object code, or underlying structure, ideas, know-how, or algorithms relevant to the Services; (d) access or use the Services (including any output) to build a competitive product or service or train any models; (e) use the Services in any manner that interferes with or disrupts the integrity or performance of the Services or the components of the Services; (f) use any automated or programmatic method to extract data or output from the Services; (g) represent that output from the Services was human-generated; or (h) introduce any viruses, Trojan horses, worms, logic bombs, or other material that is malicious or technologically harmful to the Services.

4.2 Account Information.  Customer will (and will cause all Users to) protect the usernames and passwords used to access and use the Services (“Account Information”) from unauthorized access, use, or disclosure.  Customer is solely responsible for all activities in the Services performed using such Account Information.  Company’s responsibilities do not extend to the internal management or administration of the Services for Customer.  To the extent applicable, Customer may use the Admin Console to specify one or more Administrators who will have the right to access the Admin Console and to manage the Services.

4.3 Consents and Third-Party Materials.  Customer represents, warrants, and covenants that it has obtained and will maintain all licenses, approvals, rights and consents (and provided proper notices) required by: (a) Law or any agreement with a third-party, to provide the Customer Data to Company for Company’s provision of the Offerings and processing of such Customer Data in accordance with this Agreement, including all data subject consents; and (b) any third-party to access, use, or integrate with such third-party’s products, services, software, information, and materials for Company’s provision of the Offerings in accordance with this Agreement.

4.4 Sensitive Data.  Except as expressly permitted in an Order, Customer will not: (a) collect, process, or store any Sensitive Data using the Services; or (b) transmit, disclose, or make available Sensitive Data to Company or its Affiliates or third-party providers.


  5. Compensation & Payment

5.1 Fees and Usage Limits.  Customer will pay Company all costs, fees, expenses, and other charges specified in each Order or SOW, or on or through the Services (collectively, “Fees”) within thirty (30) days of the date of the invoice issued by Company, unless a different period is specified in the applicable Order.  Payment obligations are non-cancelable, and Fees paid to Company are non-refundable.  The Fees do not include taxes.  Customer will pay all applicable taxes, levies, and duties associated with its purchase under this Agreement.  Following the Initial Order Term (defined below), Company may on an annual basis change the Fees charged under an Order by providing Customer with at least thirty (30) days prior notice thereof.  Company may establish, limit, revoke, and otherwise change credit and credit User, service capacity, usage limits and terms at any time, in Company’s sole discretion, with or without notice to Customer.  If Customer exceeds any credit, User, usage or other limits, Company may, in its sole discretion: (a) charge Customer for such excess usage at Company’s then-current fees and rates; (b) upgrade Customer’s plan or increase the limits to address such excess usage, subject to Company’s then-current fees; or (c) suspend Customer’s access to and use of the Services.

5.2 Late Payment.  Any amount due under this Agreement that remains unpaid after its due date will bear interest from the date that such payment became delinquent until the date such amount is paid in full at the lower of one and one-half percent (1.5%) per month or the maximum rate permitted by Law, calculated from the date such amount was due until the date that payment is received.  Customer will pay Company such interest and all costs and expenses of collection (including attorneys’ fees) incurred by Company for collecting any such past due amounts.


  6. Intellectual Property; Feedback

6.1 Company IP.  As between Company and Customer, Company owns all right, title, and interest, including all intellectual property rights, in and to the Offerings, Work Product, usage and other information collected through engagement with the Services (excluding any Customer Data), and any other information, Reports, program, or marketing materials provided by Company to Customer, including via the Services (collectively, “Company IP”).  All rights in the Company IP not expressly granted to Customer in this Agreement are reserved by Company.  Company may develop, modify, improve, support, customize, and operate its Offerings based on Customer’s or its Users’ access or use, as applicable, of any Offerings in such a manner that neither Customer nor any individual can be identified from such information.

6.2 Feedback.  Customer and Users may (but are not obligated to) provide Company with suggestions, ideas, enhancement requests, or other feedback (“Feedback”).  If Customer provides any such Feedback to Company, Customer hereby grants Company a nonexclusive, worldwide, perpetual, irrevocable, transferable, sublicensable, royalty-free, fully paid-up license to use and otherwise practice such Feedback.


  7. Data

7.1 Customer Data.  Customer owns all Customer Data and Customer Content.  Customer hereby grants Company and its Affiliates a nonexclusive, worldwide, royalty-free license during the Term (defined below) to use and access Customer Data and Customer Content and provide necessary access to third-party service providers acting on its behalf only to:  (a) provide the Offerings and perform Company’s obligations under this Agreement; (b) to prevent or address service or technical problems, or at Customer’s request in connection with customer support matters; or (c) to operate, improve, and support the Offerings.  Customer will provide necessary access to third-party service providers acting on Company’s behalf (such as Amazon Web Services, Azure, Salesforce, and Google Cloud).

7.2 Protection of Customer Data.  Company will maintain reasonable administrative, physical, and technical safeguards to protect Customer Data at a level not materially less protective than the Data Processing Addendum set forth in Exhibit A attached hereto (“DPA”).  Company may update such security protections from time-to-time, except that Company will not update or modify any security protections in a manner that materially decreases the security controls described in the DPA.


  8. Term & Termination

8.1 Agreement Term.  Unless terminated earlier as provided in the Agreement, this Agreement commences on the Effective Date and continues until no Orders remain in effect for ninety (90) consecutive days (the “Term”).

8.2 Order Term.  Unless provided otherwise in an Order, each Order will remain in effect for the initial term specified in such Order (or, if no such initial term is specified, for one year) (“Initial Order Term”) and will automatically renew for consecutive one-year terms after the Initial Order Term unless a Party provides written notice of non-renewal at least thirty (30) days prior to any renewal of each such Order.  All User subscriptions under an applicable Order will terminate when the Order terminates or expires.  For clarity, a new Order does not constitute a renewal of any prior Order. 

8.3 Termination for Cause.  A Party may terminate this Agreement (including any Orders) if the other Party materially breaches this Agreement, and such breach is not cured within thirty (30) days after the non-breaching Party has provided the breaching Party written notice thereof.

8.4 Effects of Termination.  Upon the termination or expiration of this Agreement, the Offerings and all of Customer’s rights under this Agreement (including all Orders) will immediately terminate.  Company will destroy or anonymize all Customer Data, in the manner and on the schedule as required by Law, and in accordance with Company’s then-current data deletion practices.  Termination or expiration will not relieve either Party of obligations incurred prior to the effective date of the termination or expiration.  The following Sections survive the expiration or termination of this Agreement:  1, 3, 4.3, 5 (with respect to amounts accrued prior to expiration or termination), 6, 7.1, 8.4, 9, 10.3, 11, 12, and 13.

8.5 Suspension.  Company may suspend, disable, or terminate access to or the provision of all or any part of the Offerings:  (a) under an Order immediately when the Order terminates or expires; (b) under all Orders with thirty (30) days’ written notice, if Customer fails to make any payments when due; and Fees will continue to accrue during any such suspension; or (c) under all Orders if Customer breaches this Agreement, and such breach is not cured within thirty (30) days after Company has provided Customer written notice thereof.


  9. Confidential Information

9.1 Definition of Confidential Information.  As used herein, “Confidential Information” means any nonpublic or proprietary information disclosed by a Party (“Discloser”) to the other Party (“Recipient”), whether orally or in writing, that:  (a) is marked or declared “Confidential” or “Proprietary” or in some other manner to indicate its confidential nature; or (b) based upon the facts and circumstances of the disclosure, information that a reasonable person would consider confidential.  For clarity, Customer Data is the Confidential Information of Customer, and the terms of this Agreement, and all pricing information under this Agreement or an applicable Order, is Confidential Information of Company.  Confidential Information does not include any information that:  (i) was publicly available prior to the time of disclosure by the Discloser; (ii) becomes publicly available after disclosure by the Discloser to the Recipient through no action or inaction of the Recipient; (iii) is already in the lawful possession of the Recipient at the time of disclosure; (iv) is obtained by the Recipient from a third party without a breach of such third party’s obligations of confidentiality; or (v) is independently developed by the Recipient without use of or reference to the Discloser’s Confidential Information.

9.2 Protection of Confidential Information.  Recipient will:  (a) use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care); (b) not use any Confidential Information for any purpose outside the scope of this Agreement; and (c) only disclose Confidential Information of the Discloser to those of its and its Affiliates’ employees, contractors, and agents (“Representative(s)”) who are bound in writing by confidentiality obligations at least as protective as this Agreement and need such access for purposes consistent with this Agreement.  If any Representative discloses or uses Confidential Information other than as authorized in this Agreement, Recipient will be liable to Discloser for such disclosure or use to the same extent that Recipient would have been liable had Recipient performed such unauthorized disclosure or use.

9.3 Compelled Access or Disclosure.  Notwithstanding any language to the contrary, Recipient may disclose Confidential Information if it is compelled by Law to do so, if Recipient gives the Discloser prior notice of such compelled disclosure (to the extent legally permitted) and provides reasonable assistance, at the Discloser’s cost, if Discloser wishes to contest such disclosure.


  10. Warranty; Disclaimer

10.1 Warranty.  Each Party represents and warrants that: (a) it has full power and authority to enter into this Agreement; and (b) the person signing this Agreement on its behalf has the authority to do so.

10.2 Compliance.  In the performance of this Agreement, each Party will comply with the Law applicable to it.

10.3 Disclaimer.  EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE OFFERINGS AND ANY OTHER INFORMATION (INCLUDING THE REPORTS) ARE PROVIDED BY COMPANY “AS IS” AND ON AN “AS AVAILABLE” BASIS WITHOUT WARRANTY OF ANY KIND; AND, COMPANY EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, AS TO ANY MATTER WHATSOEVER (INCLUDING WITH RESPECT TO THE USE OF, OR THE RESULTS FROM THE USE OF, THE OFFERINGS), INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, NON-INFRINGEMENT, FITNESS FOR A PARTICULAR PURPOSE OR USE, SATISFACTORY QUALITY, WARRANTIES IMPLIED FROM A COURSE OF DEALING OR COURSE OF PERFORMANCE OR USAGE OF TRADE, OR THAT THE OFFERINGS AND ANY OTHER INFORMATION PROVIDED BY COMPANY ARE OR WILL BE ACCURATE, RELIABLE, ERROR-FREE OR UNINTERRUPTED.  CUSTOMER HAS NO RIGHT TO MAKE OR PASS ON ANY REPRESENTATION OR WARRANTY ON BEHALF OF COMPANY TO ANY PERSON.


  11. Limitation of Liability

11.1 Limitation of Liability.  EXCEPT AS SET FORTH IN SECTION 11.2, TO THE GREATEST EXTENT PERMITTED BY LAW, EVEN IF SUCH DAMAGES COULD HAVE BEEN FORESEEN OR IF A PARTY HAS BEEN APPRISED OF THE POSSIBILITY OF SUCH DAMAGES, AND REGARDLESS OF WHETHER SUCH DAMAGES ARE ARISING IN CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, BREACH OF ANY STATUTORY DUTY, OR OTHERWISE:  (A) NEITHER PARTY WILL BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, PUNITIVE, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR PERTAINING TO THIS AGREEMENT SUFFERED BY CUSTOMER OR OTHERS (INCLUDING ANY LOST PROFITS, LOST REVENUE OR LOSS OF GOODWILL); AND (B) EACH PARTY’S TOTAL AND CUMULATIVE LIABILITY FOR ALL CLAIMS OF ANY NATURE ARISING OUT OF OR PERTAINING TO THIS AGREEMENT WILL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO COMPANY IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE OCCURRENCE OF THE FIRST EVENT GIVING RISE TO A CLAIM UNDER THIS AGREEMENT.

11.2 Exceptions.  THE LIMITATIONS SET FORTH IN SECTION 11.1 DO NOT APPLY TO:  (A) COMPANY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 12.1; (B) CUSTOMER’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 12.2; OR (C) DAMAGES ARISING OUT OF EITHER PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OR ANY UNAUTHORIZED ACCESS, USE OR DISCLOSURE OF COMPANY IP OR CUSTOMER’S FAILURE TO PAY ANY AMOUNTS DUE UNDER THIS AGREEMENT.

11.3 Independent Allocations of Risk.  EACH PROVISION OF THIS AGREEMENT THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THIS AGREEMENT BETWEEN THE PARTIES.  THIS ALLOCATION IS REFLECTED IN THE AGREED UPON COMPENSATION AND IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES.  EACH OF THESE PROVISIONS WILL APPLY EVEN IF THE WARRANTIES IN THIS AGREEMENT HAVE FAILED OF THEIR ESSENTIAL PURPOSE.


  12. Indemnification

12.1 Company Indemnification.  Company will defend Customer and its directors, officers, and employees against any third-party Claim and will pay for the resulting costs and damages finally awarded against Customer to such third party by a court of competent jurisdiction or agreed to in settlement by Company (such agreement not to be unreasonably withheld, conditioned, or delayed), to the extent arising from the actual or alleged infringement of such third party’s intellectual property rights by the Services.  Company will have no indemnification obligations arising from this Section 12.1, to the extent such Claim arises from:  (a) the use or combination of the Services with any hardware, software, products, processes, data, or other materials not provided by Company, including Customer’s own systems and data; (b) modification or alteration of the Services by anyone other than Company; (c) Customer’s or any User’s misuse of the Services or use of the Services in excess of the rights granted in the Agreement; (d) the Offerings’ compliance with or modifications made to the Offerings by Company pursuant to designs, instructions, or specifications provided by or on behalf of Customer.  The remedies in this Section 12.1 are Customer’s sole and exclusive remedies and Company’s sole liability regarding the subject matter giving rise to any Claim in this Section 12.1.

12.2 Customer Indemnification.  Customer will defend Company and its directors, officers, and employees against any third-party Claim and will pay for the resulting costs and damages finally awarded against Company to such third party by a court of competent jurisdiction or agreed to in settlement by Customer (such agreement not to be unreasonably withheld, conditioned, or delayed), arising from any allegation that:  (a) the Customer Data, Customer Content, or other content or information provided by Customer to Company infringes, misappropriates, or violates the rights of a third party; or (b) Customer’s use of the Services in violation of Law.

12.3 Indemnity Obligations.  The indemnifying Party’s (the “Indemnitor”) obligations under this Section 12 are conditioned upon the person(s) seeking indemnification under this Section 12 (the “Indemnitee(s)”):  (a) promptly notifying the Indemnitor in writing of the Claim (so as to avoid prejudicing the Indemnitor); (b) granting the Indemnitor sole control of the defense and settlement of the Claim provided that any such settlement does not bind any Indemnitee to pay any monetary amounts or admit to any wrongdoing; and, (c) providing the Indemnitor, at the Indemnitor’s expense, with all assistance, information, and authority reasonably required for the defense and settlement of the Claim.


  13. General

13.1 Independent Contractors.  The Parties are independent contractors; and nothing contained in this Agreement gives either Party the power to act as an agent of the other or to direct or control the day-to-day activities of the other.

13.2 Assignment.  Customer may not assign its rights or delegate its obligations under this Agreement, by operation of law or otherwise, without the prior written consent of Company.  Any amalgamation or merger of Customer with any third party, or the purchase of all or substantially all of the assets or equity of Customer, will be deemed an assignment requiring consent.  Any attempted transfer in violation of this Section is void.  Company may, without the prior written consent of Customer, assign or delegate all or any part of its obligations under this Agreement.

13.3 Notices.  Any notice must be in writing and will be effective upon delivery as follows:  (a) if to Customer, when (i) delivered via registered mail, return receipt requested, or overnight delivery service to the address specified in an Order; or (ii) when sent via email to the email address specified in an Order or otherwise on record for Customer; and (b) if to Company, when sent via email to [EMAIL FOR NOTICES], with a duplicate copy sent via registered mail, return receipt requested, to the address identified in the preamble of this Agreement.  Either Party may change its address for receipt of notices by providing notice to the other Party in accordance with this Section.

13.4 Force Majeure.  Neither Party will be liable to the other Party for the nonperformance of any obligation under this Agreement (other than any payment obligation) arising from any cause beyond such Party’s or its suppliers’ reasonable control, regardless of whether such cause is foreseeable, including any:  (a) act of God; (b) flood, fire, explosion, earthquake, or natural disaster; (c) act of terrorism, war, revolution, invasion, riot, or other civil or military disturbances or acts of public enemies; (d) act, regulation, order, or Law of any government, civil or military authority, or any injunction of any nature; (e) embargo, blockade, tariff, or other trade restriction in effect on or after the Effective Date; (f) national or regional emergency; (g) epidemic, pandemic, or other contagion, including COVID-19; (h) strike, lockout, labor dispute, stoppage or slowdown, or other industrial disturbance; (i) casualty or accident; (j) denial of service attacks and other malicious conduct; or (k) inability to procure, or any interruption, loss, malfunction, or shortage of, any supplies, services, products, equipment, transportation, utilities, communications, or computer software, hardware, or services.

13.5 Governing Law.  This Agreement and all proceedings arising hereunder will be governed by and construed in accordance with the Laws of the State of California without reference to its principles of conflicts of law.  The Parties expressly exclude the application of the U.N. Convention on Contracts for the International Sale of Goods (1980) to this Agreement.

13.6 Arbitration.  Any dispute arising between the Parties out of or in connection with this Agreement will be finally resolved by arbitration conducted by one arbitrator (who is a licensed attorney) in San Francisco County, California in accordance with the Commercial Arbitration Rules of the American Arbitration Association.  The arbitrator’s award will be final and binding and may be entered in any court having jurisdiction thereof.  Each Party will bear its own costs and attorneys’ fees and will share equally in the fees and expenses of the arbitrator.  The arbitration will be conducted in English, the governing language of this Agreement.  Nothing contained herein will prevent a Party from obtaining injunctive relief from any court of competent jurisdiction.

13.7 Severability.  Each provision contained in this Agreement constitutes a separate and distinct provision severable from all other provisions.  If any provision (or any part thereof) is unenforceable under or prohibited by any present or future Law, then such provision (or part thereof) will be amended, and is hereby amended, so as to be in compliance with such Law, while preserving to the maximum extent possible the intent of the original provision.  Any provision (or part thereof) that cannot be so amended will be severed from this Agreement; and all the remaining provisions of this Agreement will remain unimpaired.

13.8 No Third-Party Beneficiaries.  There are no third-party beneficiaries to this Agreement.

13.9 Publicity.  Neither Party will issue any press releases or make any social media posts referencing the other Party except with the prior written permission of the other Party or as required by Law.  Without limiting the foregoing, Company may use Customer’s name, logo, or marks for the purpose of marketing the Offerings without prior approval.

13.10 Amendment and Waiver.  No modification, amendment, or waiver of any provision of this Agreement will be effective unless it exists in writing and is signed by the Party against whom the modification, amendment, or waiver is to be asserted.  The delay or failure of a Party at any time to require performance of any obligations of the other Party will not be deemed to be a waiver and will not affect its right to enforce any provision of this Agreement at a subsequent time.  One waiver will not imply or be construed to be a waiver of any future breach.

13.11 Entire Agreement.  This Agreement, along with each applicable Order, SOW, and the SLA, constitutes the complete and exclusive statement of all mutual understandings between Company and Customer with respect to the subject matter hereof, superseding all prior or contemporaneous proposals, communications, and understandings, oral or written.  Nothing contained in any purchase order, acknowledgment, or invoice will in any way modify or add to the terms or conditions of this Agreement; provided that if a conflict exists between the Agreement, an Order, an SOW, the DPA, or the SLA, the conflict will be resolved by giving precedence in the following order: (a) the Agreement; (b) the SOW; (c) the Order; (d) the DPA; and (e) the SLA.

13.12 Interpretation.  In this Agreement:  (a) the headings are for convenience only and will not affect the meaning or interpretation of this Agreement; (b) the words “herein,” “hereunder,” “hereby,” and similar words refer to this Agreement as a whole (and not to the particular sentence, paragraph, or Section where they appear); (c) terms used in the plural include the singular, and vice versa, unless the context clearly requires otherwise; (d) “or” is used in the sense of “and/or”; (e) “any” is used in the sense of “any or all”; and (f) the words “include,” “includes,” or “including” are to be construed as if they are immediately followed by the words “without limitation.”  If an ambiguity or question of intent or interpretation arises, then this Agreement will be construed as if drafted jointly by the Parties and no presumption or burden of proof will arise favoring or disfavoring any Party by virtue of the authorship of any of the terms hereof or thereof.

13.13 Counterparts.  This Agreement (including any Order) may be executed in two or more counterparts, each of which will be deemed an original, but which together constitute one and the same instrument.  The execution of this Agreement may be evidenced by way of a facsimile, portable document format (.pdf) transmission, or electronic production or reproduction, photostatic or otherwise, of such Party’s or person’s signature, and such portable document format (.pdf), or electronic production or reproduction signature is deemed to constitute the original signature of such Party or person.


Data Processing Addendum

This Data Processing Addendum (“DPA”) is between Company and Customer. This DPA amends and forms part of the Master Services Agreement (the “Agreement”). This DPA applies where Company Processes Customer Personal Data as a Processor on behalf of Customer, the Controller, in connection with providing the Services. This DPA will be effective as of the effective date of the Agreement. This DPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this DPA.


  1. Data Processing & Protection

1.1 Limitations on Use.  Company will Process Customer Personal Data for the Purpose and otherwise only: (a) pursuant to Customer’s documented instructions as specified under Section 1.2 (Instructions), including with regard to transfers of Customer Personal Data to a third country; and (b) as otherwise required by applicable laws, provided that Company will inform Customer (unless prohibited by law) of the applicable legal requirement before such Processing. Company will not otherwise: (x) retain, use, or disclose the Customer Personal Data (i) outside of the direct business relationship between the parties or (ii) for any purpose other than for the Purpose; (y) sell or share (as defined by Data Protection Law) the Customer Personal Data; or (z) combine Customer Personal Data with Personal Data Company receives from individuals or other sources, except as permitted by Data Protection Law.

1.2 Instructions.  Customer instructs Company to Process Customer Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA and the Agreement, including as specified in Attachment 2 (Scope of Processing). This DPA, the Agreement, and any instructions provided by Customer through configuration tools made available by Company are Customer’s documented instructions regarding Company’s Processing of Customer Personal Data. Additional instructions provided by Customer (if any) require prior written agreement by Customer and Company. Customer will not instruct Company to Process Customer Personal Data in violation of any Data Protection Law. Company may suspend Processing based upon any Customer instructions that Company reasonably suspects violate Data Protection Law, provided Company will promptly inform Customer if Company believes an instruction infringes Data Protection Law.

1.3 Compliance.  Each party will comply with its obligations under Data Protection Law. Company shall promptly notify Customer if it determines that it cannot meet its obligations under Data Protection Law. Upon receiving written notice from Customer that Company has Processed Customer Personal Data without authorization, Company will take reasonable and appropriate steps to stop and remediate such Processing.

1.4 Confidentiality.  Company will ensure that persons authorized by Company to Process any Customer Personal Data are subject to appropriate confidentiality obligations.

1.5 Security.  Company will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents and provide the level of protection required by Data Protection Law in accordance with Attachment 3 (Data Security Exhibit). Company may amend the technical and organizational measures, provided the new measures do not reduce the level of security provided by Attachment 3 (Data Security Exhibit).

1.6 Disposal.  At the choice of Customer, Company will (or will enable Customer via the Services to) delete (and will delete existing copies of) all Customer Personal Data after termination of the Agreement (unless Data Protection Law requires the storage of such Customer Personal Data by Company, in which case Company will only further retain and Process such Customer Personal Data for the limited duration and purposes required by such Data Protection Law). The certification of deletion contemplated by Section 8.5 of the SCCs shall be provided on Customer’s written request.

1.7 Deidentified Data. Company may Process Deidentified Data to improve the Services. Company will (a) take reasonable measures to ensure the Deidentified Data cannot be associated with an individual and (b) publicly commit to maintain and use Deidentified Data in deidentified form and not attempt to reidentify Deidentified Data except as permitted by Data Protection Law.


  2. Data Processing Assistance

2.1 Data Subject Rights Assistance.  Customer shall be responsible for responding to requests from individuals to exercise rights under Data Protection Law relating to Customer Personal Data (each a “Data Subject Request”). Customer will inform Company of any Data Subject Request to which Company must comply and provide the information necessary for Company to comply with the request. Company will, to the extent permitted by Data Protection Law, notify Customer if Company receives a Data Subject Request. To the extent Customer, in its use of the Services, does not have the ability to address the Data Subject Request, Company will, on Customer’s request, provide commercially reasonable assistance to Customer in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under Data Protection Law.

2.2 Security Assistance.  Taking into account the nature of Processing and the information available to Company, Company will provide commercially reasonable efforts to assist Customer in Customer’s efforts to comply with Customer’s obligations to secure Customer Personal Data by providing the information and assistance described in Section 3 (Audits).

2.3 Security Incident Notice and Assistance.  Company will notify Customer without undue delay after becoming aware of a Security Incident. Company will further take commercially reasonable steps to mitigate the effects and minimize any impact from the Security Incident and assist Customer in complying with any related notification obligations under Data Protection Law.

2.4 Data Protection Impact Assessment (“DPIA”) and Prior Consultation Assistance.  Taking into account the nature of Processing and the information available to Company, Company will provide commercially reasonable assistance to Customer in ensuring compliance with the obligations related to DPIAs and consulting with regulatory authorities.


  3. Audits

3.1 Company Audits.  Company may procure audits by third parties to assess Company’s security practices, and will provide other documentation at Aampe’s discretion evidencing compliance with industry security standards (collectively, “Audits”). Subject to the confidentiality obligations set forth in the Agreement, Company will provide Customer with summaries of Company’s then-current Audit reports (“Reports”) on Customer’s request. If the Agreement does not include a provision protecting Company’s confidential information, then the Reports will be made available to Customer subject to a mutually agreed upon non-disclosure agreement covering the Reports.

3.2 Customer Audits.  Customer agrees to exercise its audit rights by first requesting the Reports as described in Section 3.1 (Company Audits). Customer will only request additional information or an on-site audit of Company to the extent the information provided by Company is not reasonably sufficient to enable Customer to evaluate Company’s compliance with this DPA and/or Data Protection Law. Except in the event of a Security Incident or regulatory investigation, Customer will provide no less than 30 days’ advance notice of its request for an on-site audit and will cooperate in good faith with Company to schedule any such audit on a mutually agreeable date and time. Any such on-site audit must occur during Company’s normal business hours and be conducted by Customer or a nationally recognized independent auditor that has agreed to confidentiality provisions reasonably acceptable to Company. Customer is responsible for ensuring that the audit will comply with Company’s applicable on-site policies and procedures and will not unreasonably interfere with Company’s business activities. Customer will provide a written summary of any audit findings to Company, and the results of the audit will be the confidential information of Company.


  4. Subprocessors

4.1 Appointment of Subprocessors.  Customer authorizes Company to use subcontractors to Process Customer Personal Data in connection with providing the Services (each, a “Subprocessor”). Customer specifically consents to Company’s appointment of the Subprocessors identified on Attachment 4 (the “Subprocessor List”). 

4.2 Objection Right for New Subprocessors.

4.2.1 Company will notify Customer of its intent to update the Subprocessor List at least 15 days prior to engaging a new Subprocessor. Customer may object to Company’s use of a new Subprocessor within 10 days of receiving such notice by sending an e-mail to privacy@aampe.com clearly indicating its desire to object to any such change.

4.2.2 If Customer objects to the change in Subprocessors, Company and Customer will cooperate in good faith to resolve Customer’s objection. If the parties are unable to resolve Customer’s objection within 10 days, then either party may terminate the Agreement only with respect to those Services that Company indicates cannot be provided without the objected-to Subprocessor.

4.3 Liability.  Company will impose data protection obligations upon any Subprocessor that are no less protective of Customer Personal Data than those included in this DPA. Company will be liable to Customer for any breach of such obligations by its Subprocessors as it would for its own acts and omissions.


  5. Data Transfers

5.1 Overview.  The parties will conduct any transfers of European Economic Area, the UK, and Swiss residents’ Customer Personal Data to a country not subject to an adequacy decision (a “Data Transfer”) pursuant to the SCCs, which are incorporated and deemed executed by this reference. If Company notifies Customer that Data Transfers can be conducted in compliance with Data Protection Law pursuant to an alternative transfer mechanism, such as the Data Privacy Framework, the parties will rely on the alternative mechanism to legitimize Data Transfers instead of the provisions that follow.

5.2 SCCs.  The parties agree to comply with the general clauses and with Module 2 (Controller to Processor) of the SCCs with Customer as the “data exporter” and Company as the “data importer.”

5.3 Transfers Subject to Swiss Data Protection Law.  If any Customer Personal Data subject to the Swiss Federal Act on Data Protection of September 25, 2020 (the “FADP”) is subject to a Data Transfer, the parties will conduct such transfer pursuant to the SCCs with the following modifications: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner; references to a “Member State” and “EU Member State” will not prevent individuals in Switzerland from suing for their rights in Switzerland; and references to “GDPR” in the SCCs will be understood as references to the FADP.

5.4 Transfers Subject to the UK GDPR.  Any Customer Personal Data that is subject to the UK GDPR and a Data Transfer will be subject to the UK IDTA, which is incorporated and deemed executed by this reference.


  6. Limitation of Liability

Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability in the Agreement. Nothing in this Section 6 is intended to restrict the rights of individuals under Data Protection Law.


  7. Miscellaneous

To the extent there is any conflict between the terms of this DPA, on the one hand, and the applicable SCCs or the UK IDTA, on the other hand, the SCCs or the UK IDTA, as appropriate, will control. Except as specifically amended and modified by this DPA, the terms and provisions of the Agreement remain unchanged and in full force and effect. Except as expressly stated in the SCCs and the UK IDTA, the governing law and forum selection provisions of the Agreement will apply to any disputes arising out of this DPA. No supplement, modification, or amendment of this DPA will be binding unless executed in writing by each party to this DPA.


Attachment 1: Definitions

For purposes of this DPA, the following terms will have the meaning ascribed below:

“CCPA” means the California Consumer Privacy Act of 2018, including (a) as amended by the California Privacy Rights Act of 2020 or otherwise and (b) any regulations promulgated thereunder.

“Controller” means “controller” and “business” (and analogous variations of such terms) under Data Protection Law.

“Customer Personal Data” means Personal Data that Company Processes on behalf of Customer in connection with providing the Services as described in Attachment 2.

“Data Protection Law” means the GDPR, the UK GDPR, the FADP, the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any other state, federal, or international data protection or privacy laws that apply to Company’s Processing of Customer Personal Data.

“Deidentified Data” means information that cannot reasonably be linked to or associated with Customer or any Data Subject.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means “personal data” and “personal information” (and analogous variations of such terms) under Data Protection Law.

“Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, extending further to such operation or operations under Data Protection Law.

“Processor” means “processor” and “service provider” (and analogous variations of such terms) under Data Protection Law.

“Purpose” means to provide, maintain, secure, and improve the Services.

“SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, as may be replaced or superseded by the European Commission. The parties make the following choices for implementing the SCCs:

  • In Clause 7, the optional docking clause will apply.

  • The audits contemplated by Section 8.9 shall be conducted according to the audit provisions of this DPA.

  • In Clause 9, Option 2 will apply and the time period for notice of Subprocessor changes will be as set forth in this DPA.

  • In Clause 11 the optional language will not apply to the SCCs or the UK IDTA.

  • In Clause 17, the SCCs shall be governed by the laws of Ireland.

  • In Clause 18(b), the parties agree to resolve disputes arising from the SCCs in the courts of Ireland.

  • The information needed to complete Annex I of the SCCs is included in Attachment 2 to this DPA.

  • The information needed to complete Annex II of the SCCs is included in Attachment 3 to this DPA.

  • The information needed to complete Annex III of the SCCs is included in Attachment 4 to this DPA.

“Security Incident” means “personal data breach” and “security incident” (and analogous variations of such terms) under Data Protection Law.

“Services” means the services provided by Company pursuant to the Agreement.

“UK GDPR” means the GDPR as incorporated into the United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).

“UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. Neither party can terminate the UK IDTA pursuant to Table 4 and Section 19 thereof without the written consent of the other.


Attachment 2: Scope of Processing

Data exporter
Customer

Data importer
Company

Subject-Matter and Duration of Processing 
Company Processes Customer Personal Data if and when provided by Customer in the course of providing the Services in accordance with the Agreement and until the Agreement terminates or expires. 

Nature and Purpose of Processing 
Processing of Customer Personal Data in connection with and for the purpose of Company providing the Services to Customer pursuant to the Agreement. Specifically, the Customer Personal Data will, if and to the extent Customer provides it, be subject to storage and analysis, among other Processing activities.

Types of Customer Personal Data
Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. This may include, but is not limited to, the following categories of data:

  • Direct identifying information (e.g., name, email address, telephone)

  • Device identification data and usage data (e.g., device identifiers, IP addresses, and app usage events)

  • Communication data (e.g., information about how customers and end users interact with Customer communications)

Categories of Data Subjects 
The data subjects will include Customer’s customers and end-users. 

Sensitive Personal Data (as applicable)
The Services are not designed for special categories of Personal Data. Company does not anticipate that Customer will submit special categories to the Services. To the extent that such data is submitted to the Services, it is determined and controlled by Customer in its sole discretion.

Frequency of Transfers
Company will import Customer Personal Data on a continuous basis.

Period of Data Retention
Company will retain the Personal Data until the termination of the Agreement, unless otherwise agreed to by the parties.


Attachment 3: Data Security Exhibit

  1. Program.  Company will implement and maintain a written information security program containing administrative, technical, and organizational safeguards appropriate to the risks posed that comply with this Attachment 3 and that: (a) are designed to protect against any Security Incident; and (b) meet or exceed prevailing industry standards and requirements under Data Protection Law. 

  2. Access Controls.  Company will: (a) abide by the “principle of least privilege,” pursuant to which Company will permit access to Personal Data by its personnel solely on a need-to-know basis; and (b) promptly terminate its personnel’s access to Personal Data when such access is no longer required for performance under the Agreement.

  3. Account Management.  Company will effectively manage the creation, use, and deletion of all account credentials used to access the Company systems, including by implementing: (a) a segregated account with unique credentials for each User; and (b) strict management of administrative accounts. 

  4. Vulnerability Management.  Company will: (a) use automated vulnerability scanning tools to scan its systems; (b) log vulnerability scan reports; (c) use patch management and software update tools for the Company systems; and (d) prioritize and remediate vulnerabilities by severity.  

  5. Security Segmentation.  Company will monitor, detect and restrict the flow of information on a multilayered basis within its systems using tools such as firewalls, proxies, and network-based intrusion detection systems.  

  6. Data Loss Prevention.  Company will use data loss prevention measures designed to identify, monitor and protect Personal Data in use, in transit, and at rest. Such data loss prevention processes and tools will include: (a) automated tools to identify attempts of data exfiltration; and (b) the secure and managed use of portable devices. 

  7. Encryption.  Company will encrypt, using industry standard encryption tools, all Personal Data that Company: (a) transmits or sends wirelessly across public networks or within the Company systems; and (b) stores on laptops, portable devices or otherwise within the Company systems. Company will safeguard the security and confidentiality of all encryption keys associated with encrypted Personal Data. 

  8. Physical Safeguards.  Company will maintain physical access controls designed to secure its systems.


Attachment 4: Subprocessor List

| Subprocessor Name | Services Performed | Countries where Subprocessor will Process Customer Personal Data |
| --- | --- | --- |
| Google Cloud Platform | Web-hosting | United States |
| Clickhouse, Inc. | Data warehouse | United States, Netherlands |