Terms

These Terms represent the Agreement for Company’s products, services, and programs. Capitalised  terms used in the Agreement and not otherwise defined herein are defined at Annex A

The Terms apply to the commercial arrangements between Company and Customer listed below.

1. Applicability and SLA.

(a) Customer will be required to sign off on all campaign creative/copy provided by the Company who shall provide a proof sheet for Customer’s acceptance.

(b) Customer shall be permitted to make a maximum of two (2) amends for no additional fees. Additional amendments shall be charged at a rate of £250 GBP per set of amends.

(c) Service levels (“SLA”) shall be as follows;

(i)                   Proofs/assets [static creative]: Within 2 working days from the end of the Working Day [5pm] that they are requested e.g. if requested at midday on a Tuesday, they will be delivered by 5pm on the Thursday.

(ii)                  Proofs/assets [video creative]: Within 3 workings days from the end of the Working Day [5pm] that they are requested e.g. if you request at midday on a Tuesday, they will be delivered by 5pm on the Friday.

(iii)                 Amendments: Within 1 working day from the end of the Working Day [5pm] that they are requested.

(iv)                 Campaign live: Within 1 working day  from the end of the Working Day [5pm] that they are requested

(v)                  Dashboards: New link will be sent when a Campaign goes live as per above SLA

(vi)                 Reports: Within 2 working days from the end of the Working Day [5pm] that a campaign finished

2. License and Delivery.

a) Subject to Customer’s compliance with the terms of this Agreement, including payment of fees, for the Platform delivered to Customer, Company grants Customer a limited, non-transferable, non-sublicensable, non-exclusive license to access, run, and use the Platform stated in an Order Form for the Term solely for Customer’s internal business purposes.

b) Unless otherwise permitted under this Agreement, Customer shall not:

i. make copies of the Platform (except for archival purposes) or use any unlicensed versions of the Platform;

ii. provide access to the Platform to anyone other than Customer listed on the Order Form;

iii. sublicense, distribute or pledge the Platform or any of the rights herein;

iv. lease, rent or commercially share (including time-share) or use the Platform for purposes of providing processing services, including, providing third-party hosting, application integration, application service provider-type services, or service bureau;

v. use any third party software, including any open source software, in conjunction with the Platform, unless Customer ensures that such use does not cause the Platform to become subject to any third party license applicable to such third party software or require the public disclosure or distribution of the Platform or the licensing of any software for Materials or the purpose of making derivative works; and

c) Company shall deliver the Platform electronically and delivery is deemed complete when such Platform is made available to Customer.

3. Financial Terms.

a) Customer shall pay Company any fees or payments net 30 days from Company’s invoice. Company may charge Customer an additional 1.5% per month (or such lower amount as required by applicable law) for all fees that are not paid on time.

b) Fees stated in an Order Form are exclusive of all applicable sales, use, value-added, goods and services, consumption, withholding, excise and any other similar taxes or government charges (“Taxes”). Customer shall (i) pay Company such applicable Taxes (excluding Company’s income taxes) listed on the relevant invoice or (ii) withhold all applicable taxes according to the local rules, both of which may be in addition to the total fees due and listed on an Order Form..

c) Except as expressly stated in the “Indemnity” or "Warranties" section, all fees paid by Customer are non-refundable and no right of set off exists.

4. Ownership. Company and its licensor’s own all software, Materials, and the Platform and all derivatives thereof (collectively “Protected Materials”), which are protected by applicable U.K. and international patent, copyright, trademark and trade secret laws. Customer must duplicate unaltered copies of all proprietary notices incorporated in or affixed to any Protected Materials. Except as stated in the Agreement, Customer receives no other rights to use any of Company's Marks.

5. Confidentiality.

a) Neither party shall disclose Confidential Information to any third party without the disclosing party’s prior consent. Confidential Information may only be disclosed to individuals that need to know such information, and on the condition that the individual is subject to a written agreement to protect information with terms as protective as this Agreement. For the purposes of this section, the definition of Company and Customer includes Affiliates of either party. Company may use data collected during the Term in an aggregated, anonymized form, provided that such data is aggregated from more than one customer and does not identify Customer, Customer employees, or Customers’ customers.

b) The duty to protect Confidential Information does not apply to information that is shown to be:

i. available to the public other than by a breach of a confidentiality obligation;

ii. rightfully received from a third party not in breach of a confidentiality obligation;

iii. independently developed by one party without use of the Confidential Information of the other;

iv. known to the recipient at the time of disclosure (other than under a separate confidentiality obligation);

v. produced in compliance with applicable law or court order, provided the other party is given reasonable advance notice of the obligation to produce Confidential Information (to the extent legally permitted) and reasonable assistance, at the disclosing party’s cost, if the disclosing party wishes to contest the disclosure.

c) Each party shall indemnify the other for any damages (including reasonable expenses) the other may sustain resulting from a breach of this Section. Money damages may not be a sufficient remedy for a breach of confidentiality. If either party breaches the confidentiality obligations, the non-breaching party may seek injunctive or other equitable relief without the necessity of posting a bond even if otherwise normally required. Such injunctive or equitable relief is in addition to all other rights and remedies available at law or in equity.

d) Confidential Information remains the sole property of the disclosing party; except for rights explicitly granted in the Agreement, the receiving party does not acquire any rights to such Confidential Information.

6. Data Protection and Back-up.

a) If Customer exposes Company to an individual’s Protected Data, Company will process and store such information pursuant to Company’s Data Processing Terms that apply when Company processes Protected Data on behalf of Customer that is subject to  the European Union’s General Data Protection Regulation (EU/2016/679) (GDPR) found at Annex B

b) Customer is responsible for backing up its data and under no circumstances is Company responsible for the protection, loss, destruction, or maintenance of Customer’s data.

7. Indemnity.

a) Company shall, at its own expense, defend or at its option, settle, any claim or action brought against Customer to the extent it is based on a claim that the software or Platform, all as updated by Company and used in accordance with the Agreement, infringes any patent, copyright, or any trade secret of a third party. Furthermore, Company will indemnify and hold Customer harmless from and against damages, costs, and fees reasonably incurred (including reasonable attorneys' fees) that are attributable exclusively to such claim or action and which are assessed against Customer in a final judgment. Company’s obligations to defend, settle, or indemnify Customer are subject to (i) Customer promptly notifying Company in writing of such claim; (ii) Company having the exclusive right to control such defense and/or settlement; and (iii) Customer providing reasonable assistance (at Company's expense) in the defense thereof. Customer shall not settle any claim, action or proceeding without Company’s prior written approval.

b) COMPANY SHALL NOT DEFEND, INDEMNIFY, OR HOLD CUSTOMER HARMLESS FOR ANY CLAIM IF: (A) CUSTOMER MADE MODIFICATIONS TO THE SOFTWARE OR MATERIALS OR PORTIONS THEREOF; (B) SUCH CLAIM WOULD HAVE BEEN AVOIDED BY USE OF THE THEN CURRENT RELEASE OF THE SOFTWARE MADE AVAILABLE TO CUSTOMER; (C) CUSTOMER CONTINUED ITS ALLEGEDLY INFRINGING ACTIVITY AFTER BEING PROVIDED WITH MODIFICATIONS THAT WOULD HAVE AVOIDED THE ALLEGED INFRINGEMENT; OR (D) SUCH CLAIM IS BASED ON CUSTOMER’S OUTPUT.

c) IF COMPANY DEFENDS OR SETTLES AN INFRINGEMENT CLAIM ARISING UNDER SECTION 7.A ABOVE, COMPANY’S LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY (IN ADDITION TO THE “INDEMNITY”) SHALL BE FOR COMPANY AT ITS OWN EXPENSE, TO EITHER (A) REPAIR, REPLACE OR MODIFY THE AFFECTED SOFTWARE OR RE-PERFORM THE AFFECTED CONSULTING SERVICES OR (B) ALTERNATIVELY, PROCURE FOR CUSTOMER THE RIGHT TO CONTINUE TO USE THE AFFECTED SOFTWARE OR MATERIALS. IF THE FOREGOING REMEDIES ARE NOT COMMERCIALLY FEASIBLE (IN THE REASONABLE OPINION OF COMPANY), COMPANY MAY (I) CANCEL THE APPLICABLE ORDER FORM AND, AS APPLICABLE, FOR THE AFFECTED SOFTWARE REFUND THE LICENSE FEES AND ANY UNEARNED MAINTENANCE FEES PAID TO COMPANY BY CUSTOMER FOR THE AFFECTED SOFTWARE, OR (II) FOR CONSULTING SERVICES REFUND ALL AMOUNTS PAID TO COMPANY BY CUSTOMER FOR THE AFFECTED CONSULTING SERVICES.

8. Warranties.

a) Company warrants that for 90 days following the Delivery Date (“Warranty Period”), the Platform and its software, as updated and used in accordance with this Agreement, will operate in all material respects in conformity with the functional specifications described.

b) Company is not responsible for any claimed breach of any warranty caused by:

i. modifications made to the Company software or Platform by anyone other than Company;

ii. the combination, operation or use of the Company software or Platform with any items that are not permitted in the Agreement;

iii. Customer’s failure to use any new or corrected versions of the Company software or Platform made available by Company;

iv. Company’s adherence to Customer’s specifications or instructions;

c) If the Company Platform does not perform as warranted during the Warranty Period, Company shall use commercially reasonable efforts to correct Errors. Customer shall promptly notify Company in writing of its claim within the Warranty Period. Provided that such claim is determined by Company to be Company’s responsibility, as Customer’s exclusive remedy for any warranty claim, Company shall, within 30 days of its receipt of Customer’s written notice, (i) correct such Error; (ii) provide Customer with a plan reasonably acceptable to Customer for correcting the Error, or (iii) if neither (i) nor (ii) can be accomplished with reasonable commercial efforts from Company, then Company may terminate the service and issue Customer a refund of the fees paid for the affected Company Platform usage period. The preceding warranty cure constitutes Company’s entire liability and Customer’s exclusive remedy for Company’s breach of the warranty stated herein.

d) EXCEPT AS STATED ABOVE, COMPANY, ITS COMPANYS, WEBHOST, DATACENTER AND SUPPLIERS EXPRESSLY DISCLAIM, TO THE MAXIMUM EXTENT PERMITTED BY LAW, ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, ORAL OR WRITTEN, INCLUDING (i) ANY WARRANTY THAT ANY SOFTWARE, MATERIALS OR SERVICES ARE ERROR-FREE, ACCURATE OR RELIABLE OR WILL OPERATE WITHOUT INTERRUPTION OR THAT ALL ERRORS WILL BE CORRECTED OR WILL COMPLY WITH ANY LAW, RULE OR REGULATION (ii) ANY AND ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT AND (iii) ANY AND ALL IMPLIED WARRANTIES ARISING FROM STATUTE, COURSE OF DEALING, COURSE OF PERFORMANCE OR USAGE OF TRADE. COMPANY CANNOT AND DOES NOT GUARANTEE THE PRIVACY, SECURITY OR AUTHENTICITY OF ANY INFORMATION SO TRANSMITTED OVER OR STORED IN ANY SYSTEM CONNECTED TO THE INTERNET.

9. Limitation of Liability. EXCEPT FOR (I) INFRINGEMENT OR MISAPPROPRIATION OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, INCLUDING TRADE SECRETS; (II) DAMAGES FOR BODILY INJURY, DEATH, DAMAGE TO REAL OR TANGIBLE PERSONAL PROPERTY; (III) INTENTIONAL MISCONDUCT OR GROSS NEGLIGENCE; OR (IV) ANY OTHER LIABILITY THAT MAY NOT BE LIMITED UNDER APPLICABLE LAW (THE “EXCLUDED MATTERS”), IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY LOSS OR UNAVAILABILITY OF OR DAMAGE TO DATA, LOST REVENUE, LOST PROFITS, FAILURE TO REALIZE EXPECTED SAVINGS, DAMAGE TO REPUTATION, BUSINESS INTERRUPTION, DOWNTIME COSTS OR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, EXEMPLARY OR ANY SIMILAR TYPE OF DAMAGES ARISING OUT OF OR IN ANY WAY RELATED TO THE AGREEMENT, THE USE OR THE INABILITY TO USE THE PLATFORM OR ITS SOFTWARE OR SERVICES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CUSTOMER ASSUMES ALL RESPONSIBILITY FOR THE SELECTION OF THE PLATFORM AND OTHER PRODUCTS OR SERVICES PROVIDED HEREUNDER TO ACHIEVE CUSTOMER’S INTENDED RESULTS. EXCEPT FOR THE EXCLUDED MATTERS, IN NO EVENT SHALL EITHER PARTY’S TOTAL LIABILITY TO THE OTHER FOR ALL CLAIMS ARISING OUT OF OR AS A RESULT OF THE AGREEMENT EXCEED THE GREATER OF THE FEES PAID BY CUSTOMER TO COMPANY UNDER THE APPLICABLE ORDER FORM.

10. Term and Termination.

a) Except as otherwise stated below, this Agreement will remain in effect until terminated.

b) The Term for the use of the Platform starts on the effective date stated in an Order Form and continues as indicated on the Order Form.

c) Either party may terminate:

i. this Agreement and/or any applicable Order Forms upon 30 days prior written notice if the other party breaches a material provision of this Agreement and fails to cure such breach within the 30 day notice period;

ii. an Order Form upon 15 days prior written notice by Customer or 30 days prior written notice by  Company.

d) The Agreement automatically terminates if either party files for bankruptcy, goes into receivership, becomes insolvent, or makes an assignment for the benefit of creditors.

e) Upon termination of this Agreement or an Order Form, Customer must cease using, de-install and permanently delete all of the applicable software related to the Platform, whether modified or merged into other materials.

f) Termination of this Agreement or any Order Form does not (i) relieve Customer of its obligation to pay all fees that have accrued or are otherwise owed by Customer under this Agreement or (ii) limit either party from pursuing other remedies available to it, including injunctive relief.

g) The parties' rights and obligations under this section and sections entitled "Financial Terms", “Ownership”, "Confidentiality", “Warranties”, “Indemnity”, “Remedies”, “Limitation of Liability”, "General Provisions" and those surviving provisions of the Exhibits survive the termination of this Agreement and/or an Order Form.

11. General Provisions.

a) All notices must be in writing and will be effective if (i) delivered by facsimile, electronic mail, by hand, reliable overnight delivery service, or first-class, pre-paid mail and (ii) sent to the address for the intended recipient stated in an Order Form. Notices should be sent to the other party’s general counsel or legal department, unless another recipient is expressly identified.

b) The non-prevailing party shall pay all reasonable costs, including attorney’s fees, incurred by the prevailing party in any action brought to enforce the prevailing party’s rights under this Agreement.

c) This Agreement does not create an agency or consignment relationship, and neither party is a partner, employee, agent or joint venture partner of, or with, the other.

d) During the term of any Order Form and for a period of one year following termination of an Order Form, neither party shall actively solicit for employment any employee, contractor, consultant, or other representative of the other party who performed services in connection with the applicable Order Form, without the prior written consent of the other party.

e) Company may designate any agent or subcontractor to perform such tasks and functions to complete any services covered under this Agreement, provided, however, that Company shall remain responsible for performance of its duties under the terms of this Agreement.

f) A waiver by a party of any breach of any provision of this Agreement will not be construed as a waiver of continuing or succeeding breach.

g) Performance under the Agreement will be postponed automatically if a party is prevented from performing by any act of or failure to act by the other party. No delay or default in performance of any obligation by either party (except payment obligations) will constitute a breach of the Agreement if caused by force majeure or any other cause which is beyond its reasonable control, including, fires, strikes, accidents, government action or regulator changes, or acts of God.

h) Except for an assignment, in whole or part, by Company to an Affiliate, neither party may assign this Agreement, in whole or in part, and/or any of its rights and/or obligations without the prior written consent of the other party, which will not be unreasonably withheld. Any such attempted assignment is void. For the purposes of the foregoing, a change in control of Customer is deemed to cause or attempt to cause an assignment of the Agreement, in whole or part, and requires Company’s prior written consent.

i) This Agreement is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England.

j) If any sentence, clause, or other provision of this Agreement is held to be invalid, illegal, or unenforceable under applicable law, including, but not limited to, any limitation of liability, the validity, legality and enforceability of the remaining clauses and provisions are not affected or impaired. The parties shall interpret the affected provision in a manner that renders it enforceable while attempting to closely approximate the intent and the economic effect of the affected provision.

k) If any terms and conditions of the Terms conflict with the Platform documentation, then such license requirements or notices pertaining to third party software included with the Platform will control. Any conflict between the terms of the Agreement will be resolved in the following order for precedence: (i) Order Form; (ii) Terms.

l) The Agreement constitutes the parties’ entire agreement relating to its subject matter. It supersedes all prior or contemporaneous oral or written communications, agreements, or understandings between the parties relating to its subject matter. No modification to the Agreement will be binding unless in writing and signed by each party, except in the case of an Order Form where Company’s acceptance shall be deemed to have occurred on Company’s initial delivery of products or services under the Order Form. All pre-printed or standard terms of any Customer purchase order or other business processing document shall have no effect.

Annex A. – Definitions

"Documentation" means text material that accompanies the Platform, as updated by Company from time to time, describing how to make use of the Platform or any updates or changes to the Platform.

"Materials" means any tangible or intangible information, design, specification, instruction, or data (and any modifications, adaptations, derivative works or enhancements) provided by Company during the performance of services relating to the Platform which incorporates, reinforces or is used to apply Company’s configuration or implementation methodologies, processes and know-how to Customer’s use of  the software and/or the Platform.

"Order Form" means any written order, whether in physical or electronic format, for Platform use or services, including a Purchase Order, Work Order, statement of work, on-line orders, or other form of an ordering document delivered to or made available to Company through a medium or channel approved by Company, which is subject to, and incorporates by reference, the Agreement or other terms negotiated by the parties.

"Platform" means the Company’s system with its embedded software for the purposed of providing digital advertising recruitment campaigns using its own technology, serving clients on a hosted basis.

“Working Day” means Monday to Friday 9am to 5.30pm, excluding national bank holidays

Annex B - DPA

Preamble

These Data Processing terms apply to all activities relating to commissioned data Processing in the context of which employees of Company, or third parties retained by Company may have access to Personal Data of Customer during the term of the Agreement.

1. Definitions

For the purposes of these terms, the following terms shall have the meanings set out below.

a) “Agreement’’ shall have the same meaning as defined in the Terms, work order, order form or any other agreement between the Parties;

b) “Data Controller’’ shall mean the legal entity which determines the purposes and means of the Processing of Personal Data;

c) “Data Processor”, in relation to Personal Data, shall mean the legal entity who Processes the Personal Data on behalf of the Data Controller;

d) “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement, including the GDPR.

e) “GDPR” shall mean the General Data Protection Regulation of the European Union effective on May 25, 2018.

f) “Personal Data” shall mean any information relating to (i) an identified or identifiable natural person (“Data Subject”) and, (ii) an identified or identifiable legal entity (where protected under applicable Data Protection Laws and Regulations); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

g) “Processes”, “Processed” and “Processing” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

h) “Customer” and “Company”, jointly referred to as the “Parties”, shall have the same meaning as defined in the Agreement or other agreement between the parties;

i) “Member State” shall mean a state which is a member of the European Economic Area, that is, a member of the European Union or of the European Free Trade Area;

j) “Standard Contractual Clauses” means the agreement executed by and between Customer and COMPANY and attached hereto as Attachment 1 pursuant to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

k) “Supervisor” shall mean an independent public authority established by the Member States pursuant to the GDPR.

l) “Sub-processor” means any Data Processor engaged by COMPANY or its Affiliates.

2. Data Controller and Data Processor

2.1. Where COMPANY is Processing Personal Data on behalf of Customer, COMPANY shall be a Data Processor.

2.2. Customer and COMPANY acknowledge that Customer and/or its Affiliate(s) qualify as Data Controllers with regard to the Processing of Personal Data.

2.3. In relation to the Processing of Personal Data, COMPANY will only act upon the instructions of Customer.

2.4. The provisions herein apply equally if other bodies are commissioned or employed to carry out the inspection or maintenance of automated procedures or data Processing systems, during which the possibility exists of accessing Personal Data.

3. Obligations of COMPANY

3.1. In relation to the Processing of Personal Data, COMPANY will only act on behalf of and upon the instructions of Customer and shall treat Personal Data as Confidential Information. Customer instructs COMPANY to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

3.2. COMPANY shall implement reasonable general and technical/organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of Personal Data over a network, and against all other unlawful forms of Processing.

3.3. COMPANY shall ensure that all its employees and contractors (a) are informed of the confidential nature of the Personal Data, (b) have undertaken training on their responsibilities, and (c) have executed confidentiality obligations survive the termination of the personnel engagement. COMPANY shall take commercially reasonable steps to ensure the reliability of any COMPANY personnel engaged in the Processing of Personal Data. COMPANY shall ensure that COMPANY’s access to Personal Data is limited to those personnel who require such access to perform the Agreement. A data protection officer has been appointed and may be reached at info@sociallyrecrutied.com

3.4. COMPANY will notify Customer without delay in the event of severe disruptions to operations or if it becomes aware of any unauthorised or unlawful Processing, loss of, damage to or destruction of the Personal Data. COMPANY will take reasonable measures to identify the cause of such event and secure the Personal Data and to mitigate any adverse consequences for the Data Subjects.

3.5. All Personal Data stored and Processed by COMPANY on behalf of Customer are and shall remain exclusively the property of Customer.

4. Obligations of Customer

4.1. With respect to the Processing of Personal Data, Customer alone shall be responsible for ensuring compliance with all applicable Data Protection Laws and Regulations. For the sake of clarity, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data

4.2. Customer shall respond in a reasonable time to enquiries from Supervisor on the Processing of the relevant Personal Data;

4.3. Customer shall fully inform COMPANY without undue delay if and when it identifies any mistakes or irregularities with respect to data protection and/or the Processing of Personal Data.

4.4. Customer shall decide 30 days prior to the end of the Agreement whether the Personal Data is to be surrendered to Customer or deleted. Should COMPANY not receive any instructions, the Personal Data will be deleted.

5. Enquiries from Data Subjects or Supervisor to Customer or COMPANY

5.1. Correction, Blocking and Deletion. To the extent Customer, does not have the ability to correct, amend, block or delete Personal Data, as required by Data Protection Laws and Regulations, COMPANY shall comply with any commercially reasonable request by Customer to facilitate such actions to the extent COMPANY is legally permitted to do so. To the extent legally permitted, Customer shall be responsible for any costs arising from COMPANY’s provision of such assistance.

5.2. Data Subject Requests. COMPANY shall, to the extent legally permitted and required under the applicable Data Protection Laws and Regulations, promptly notify Customer if it receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, erasure (“right to be forgotten”), restriction of Processing, data portability, object to the Processing, or its right not to be subject to an automated individual decision making (together the “Data Subject Rights”). COMPANY shall not respond to any such Data Subject Right request without Customer’s prior written consent except to confirm that the request relates to Customer. COMPANY shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject Right request, to the extent legally permitted and required under the applicable Data Protection Laws and Regulations and to the extent Customer does not have access to such Personal Data through its use of the Cloud Service. If legally permitted, Customer shall be responsible for any costs arising from COMPANY’s provision of such assistance.

6. Right to exercise control

6.1. In compliance with an obligation under the applicable Data Protection Laws and Regulations to exercise control, Customer can request the reports and certifications produced by COMPANY’s or its subcontractors’ third-party auditors which attest to the design and operating effectiveness of the technical and organisational measures described in article 3(2).

7. Subcontractors

7.1. Customer acknowledges and agrees that COMPANY may use subcontractors to fulfil its contractual obligations or provide certain services on its behalf.

7.2. COMPANY shall be liable for the acts and omissions of its subcontractors to the same extent COMPANY would be liable if performing the services of each subcontractor directly under the terms of these Data Processing terms, except as otherwise set forth in the Agreement.

8. Termination of the Agreement

8.1. The termination of the Agreement at any time, in any circumstances and for whatever reason does not exempt COMPANY and Customer from the obligations and/or conditions as regards the Processing of Personal Data.

8.2. Subject to article 4(4), COMPANY shall, insofar as it is practicable, delete or render anonymous all copies of Customer’s Personal Data held and processed by COMPANY.

8.3. If Customer’s Personal Data, for reasons of practicality, cannot be so deleted or rendered anonymous, COMPANY shall take appropriate action to ensure that such Personal Data will not be further processed, disclosed, or in any way used, other than their later deletion should that become possible.

9. Additional Terms for Personal Data of EU residence

9.1. Application of Standard Contractual Clauses. The Standard Contractual Clauses in Attachment 1 and the additional terms in this Section 9 will apply to the Processing of Personal Data by COMPANY:

(a) The Standard Contractual Clauses apply only to Personal Data of EU residence that is transferred from the European Economic Area (EEA) and/or Switzerland to outside the EEA and Switzerland, either directly or via onward transfer, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Directive), and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to the EU-US Privacy Shield framework or Binding Corporate Rules for Processors.

(b) The Standard Contractual Clauses apply to (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and, (ii) all Affiliates (as defined in the Agreement) of Customer established within the European Economic Area (EEA) and Switzerland that have purchased Services on the basis of an Order Form. For the purpose of the Standard Contractual Clauses and this Section 9, the aforementioned entities shall be deemed “Data Exporters”.

9.2. Objective and Duration. The objective of Processing of Personal Data by COMPANY is the performance of the Services pursuant to the Agreement.

9.3. Instructions. These Data Protection terms and the Agreement are Data Exporter’s complete and final instructions to Data Importer for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Data Exporter to process Personal Data: (a) processing in accordance with the Agreement and applicable Order Form(s); and (b) processing initiated by users in their use of the Services.

10. Sub-processors.

10.1. Pursuant to Clause 5(h) of the Standard Contractual Clauses, the Data Exporter acknowledges and expressly agrees that: (a) COMPANY’s Affiliates may be retained as Sub-processors; and (b) COMPANY and COMPANY’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Service.

10.2. List of Current Sub-processors and Notification of New Sub-processors. Data Importer shall make available to Data Exporter a current list of Sub-processors for the respective Service with the identities of those Sub-processors (“Sub-processor List”). At least 30 days before COMPANY authorizes and permits any new Sub-processor to access Personal Data, COMPANY will update the applicable list.

10.3. In the event Data Exporter objects to a new Sub-processor(s) and that objection is not unreasonable Data Importer will use reasonable efforts to make available to Data Exporter a change in the affected Service or recommend a commercially reasonable change to Data Exporter’s configuration or use of the affected Service to avoid processing of Personal Data by the objected-to new Sub processor without unreasonably burdening Data Exporter. If Data Importer is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Data Exporter may terminate the applicable Order Form(s) in respect only to those Services which cannot be provided by Data Importer without the use of the objected-to new Sub-processor, by providing written notice to Data Importer. Data Exporter shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Services.

10.4. The parties agree that the copies of the Sub-processor agreements that must be sent by the Data Importer to the Data Exporter pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by the Data Importer beforehand; and, that such copies will be provided by Data Importer only upon reasonable request by Data Exporter.

5. Audits and Certifications.

5.1. The parties agree that the audits described in Clause 5(f), Clause 11 and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with the following specifications:

Upon Data Exporter’s request, and subject to the confidentiality obligations set forth in the Agreement, Data Importer shall make available to Data Exporter (or Data Exporter’s independent, third-party auditor that is not a competitor of COMPANY) information regarding the COMPANY Group’s compliance with the obligations set forth in these Data Processing terms in the form of the third-party certifications and audits to the extent COMPANY makes them generally available to its customers. Data Exporter may contact Data Importer in accordance with the “Notices” Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data. Data Exporter shall reimburse Data Importer for any time expended for any such on-site audit at COMPANY’s then-current professional services rates, which shall be made available to Data Exporter upon request. Before the commencement of any such on-site audit, Data Exporter and Data Importer shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Data Exporter shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Data Importer. Data Exporter shall promptly notify Data Importer with information regarding any non-compliance discovered during the course of an audit.

6. Certification of Deletion.

6.1. The Parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) shall be provided by the Data Importer to the Data Exporter only upon Data Exporter’s request.

7. Conflict.

7.1. In the event of any conflict or inconsistency between these Data Protection terms and the Standard Contractual Clauses in Attachment 1, the Standard Contractual Clauses shall prevail.

8. Privacy Impact Assessment.

8.1. Upon Customer’s request, COMPANY will provide Customer with reasonable assistance with Customer’s obligations under the GDPR to conduct a privacy impact assessment to the extent Customer does not have access to the relevant information and to the extend COMPANY has access to that information.

9. Variation of these Terms

9.1. COMPANY and Customer undertake not to vary or modify the terms of these terms, other than by written instrument signed by both Parties. Customer may deliver an executed copy of this Order Form to COMPANY by facsimile or similar instantaneous electronic transmission device and such delivery shall be considered valid and effective for all purposes.

Customer:

Signature:

Print Name:

Title:

Date:

COMPANY:

Signature

Attachment 1

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

The Customer as the data exporter and COMPANY as the data importer each a ‘Party’ together the ‘Parties’

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub processor’ means any processor engaged by the data importer or by any other sub processor of the data importer who agrees to receive from the data importer or from any other sub processor of the data importer, personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and in particular their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established.

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5 (a) to (e), and (g) to (j), Clause 6 (1) and (2), Clause 7, Clause 8(2) and Clauses 9 to 12 as third party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause , Clause 8 (2) and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the sub processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause , Clause 8(2) and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.  Such third-party liability of the sub processor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, or the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State.

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 of this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to. A third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub processor pursuant to Clause 5 (b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects up on request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of  any contract for sub processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub processing, the processing activity is carried out in accordance with Clause 11 by a sub processor providing at least the same level of protection for the personal data and rights of data subjects as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4 (a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses.  If it cannot provide such compliance for whatever reasons it agrees to inform promptly the data exporter of its inability to comply in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all enquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter, to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject, upon request a copy of the clauses, or any existing contract for sub processing, unless the Clauses of contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any sub processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11, by any party or sub processor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter arising out of a breach by the data importer or his sub processor of any of their obligations referred to in Clause 3 or in Clause 11 because the data exporter has factually disappeared or ceased to exist in law or has become insolvent the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law in which case the data subject can enforce its right against such entity.

The data importer may not rely on a breach by a sub processor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2 arising out of a breach by the sub processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub processor agrees that the data subject may issue a claim against the data sub processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law in which case the data subject can enforce its rights against such entity. The liability of the sub processor shall be limited to its own processing under the Clauses.

Clause 7

Mediation and Jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person, or where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub processor preventing the conduct or an audit of the data importer, or any sub processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without prior written consent of the data exporter.  Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub processor which imposes the same obligations on the sub processor as are imposed on the data importer under the Clauses. Where the sub processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub processor’s obligations under such agreement.

2. The prior written contract between the data importer and the sub processor shall also provide for a third party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter of the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third party liability of the sub processor shall be limited to its own processing obligations under the Clauses.

3. The provisions relating to data protection aspects for sub processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of sub processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j) which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on termination of the provision of data processing services, the data importer and the sub processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the sub processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the Parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data Exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The data exporter is the entity identified as “Customer” in the Agreement.

Data Importer

The data importer is (please specify briefly your activities relevant to the transfer):

Data Subjects

The personal data transferred concern the following categories of data (please specify):

The data subjects may include data exporters’ customers, employees, suppliers etc

Categories of data

The Personal data transferred concern the following categories of data (please specify):

Any data provided by the data exporter

Special categories of data

The personal data transferred concern the following special categories of data (please specify):

None

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The subject matter of the processing is set out in the Agreement

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or documentation/legislation attached):

Data importer will maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data.