Subject to the terms of this Agreement, Company will use commercially reasonable efforts to provide Customer the Services [in accordance with the Service Level Terms attached hereto as Exhibit B]. As part of the registration process, Customer will identify an administrative user name and password for Customer’s Company account. Company reserves the right to refuse registration of, or cancel passwords it deems inappropriate.
RESTRICTIONS AND RESPONSIBILITIES
Customer will not, directly or indirectly: reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services or any software, documentation or data related to the Services (“Software”); modify, translate, or create derivative works based on the Services or any Software (except to the extent expressly permitted by Company or authorized within the Services); use the Services or any Software for timesharing or service bureau purposes or otherwise for the benefit of a third party; or remove any proprietary notices or labels.
Further, Customer may not remove or export from the United States or allow the export or re-export of the Services, Software or anything related thereto, or any direct product thereof in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. As defined in FAR section 2.101, the Software and documentation are “commercial items” and according to DFAR section 252.227-7014(a)(1) and (5) are deemed to be “commercial computer software” and “commercial computer software documentation.” Consistent with DFAR section 227.7202 and FAR section 12.212, any use, modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government will be governed solely by the terms of this Agreement and will be prohibited except to the extent expressly permitted by the terms of this Agreement.
Customer represents, covenants, and warrants that Customer will use the Services only in compliance with Company’s standard published policies then in effect (the “Policy”) and all applicable laws and regulations. [Customer hereby agrees to indemnify and hold harmless Company against any damages, losses, liabilities, settlements and expenses (including without limitation costs and attorneys’ fees) in connection with any claim or action that arises from an alleged violation of the foregoing or otherwise from Customer’s use of Services.] Although Company has no obligation to monitor Customer’s use of the Services, Company may do so and may prohibit any use of the Services it believes may be (or alleged to be) in violation of the foregoing.
Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”). Customer shall also be responsible for maintaining the security of the Equipment, Customer account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of Customer account or the Equipment with or without Customer’s knowledge or consent.
CONFIDENTIALITY; PROPRIETARY RIGHTS
Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party). Proprietary Information of Company includes non-public information regarding features, functionality and performance of the Service. Proprietary Information of Customer includes non-public data provided by Customer to Company to enable the provision of the Services (“Customer Data”). The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of the Services or as otherwise permitted herein) or divulge to any third person any such Proprietary Information. The Disclosing Party agrees that the foregoing shall not apply with respect to any information after five (5) years following the disclosure thereof or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law.
Customer shall own all right, title and interest in and to the Customer Data [, as well as any data that is based on or derived from the Customer Data and provided to Customer as part of the Services]. Company shall own and retain all right, title and interest in and to (a) the Services and Software, all improvements, enhancements or modifications thereto, (b) any software, applications, inventions or other technology developed in connection with Implementation Services or support, and (c) all intellectual property rights related to any of the foregoing.
[Notwithstanding anything to the contrary, Company shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom), and Company will be free (during and after the term hereof) to (i) use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Company offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business.] No rights or licenses are granted except as expressly set forth herein.
PAYMENT OF FEES
Customer will pay Company the then applicable fees described in the Order Form for the Services and Implementation Services in accordance with the terms therein (the “Fees”). If Customer’s use of the Services exceeds the Service Capacity set forth on the Order Form or otherwise requires the payment of additional fees (per the terms of this Agreement), Customer shall be billed for such usage and Customer agrees to pay the additional fees in the manner provided herein. Company reserves the right to change the Fees or applicable charges and to institute new charges and Fees at the end of the Initial Service Term or then-current renewal term, upon thirty (30) days prior notice to Customer (which may be sent by email). If Customer believes that Company has billed Customer incorrectly, Customer must contact Company no later than 60 days after the closing date on the first billing statement in which the error or problem appeared, in order to receive an adjustment or credit. Inquiries should be directed to Company’s customer support department.
Company may choose to bill through an invoice, in which case, full payment for invoices issued in any given month must be received by Company thirty (30) days after the mailing date of the invoice. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection and may result in immediate termination of Service. Customer shall be responsible for all taxes associated with Services other than U.S. taxes based on Company’s net income.
TERM AND TERMINATION
Subject to earlier termination as provided below, this Agreement is for the Initial Service Term as specified in the Order Form, and shall be automatically renewed for additional periods of the same duration as the Initial Service Term (collectively, the “Term”), unless either party requests termination at least thirty (30) days prior to the end of the then-current term.
In addition to any other remedies it may have, either party may also terminate this Agreement upon thirty (30) days’ notice (or without notice in the case of nonpayment), if the other party materially breaches any of the terms or conditions of this Agreement. Customer will pay in full for the Services up to and including the last day on which the Services are provided. [Upon any termination, Company will make all Customer Data available to Customer for electronic retrieval for a period of thirty (90) days, but thereafter Company may, but is not obligated to, delete stored Customer Data.] All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, and limitations of liability.
WARRANTY AND DISCLAIMER
Company shall use reasonable efforts consistent with prevailing industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services and shall perform the Implementation Services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Company or by third-party providers, or because of other causes beyond Company’s reasonable control, but Company shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption. HOWEVER, COMPANY DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES AND IMPLEMENTATION SERVICES ARE PROVIDED “AS IS” AND COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
INDEMNITY
Company shall hold Customer harmless from liability to third parties resulting from infringement by the Service of any United States patent or any copyright or misappropriation of any trade secret, provided Company is promptly notified of any and all threats, claims and proceedings related thereto and given reasonable assistance and the opportunity to assume sole control over defense and settlement; Company will not be responsible for any settlement it does not approve in writing. The foregoing obligations do not apply with respect to portions or components of the Service (i) not supplied by Company, (ii) made in whole or in part in accordance with Customer specifications, (iii) that are modified after delivery by Company, (iv) combined with other products, processes or materials where the alleged infringement relates to such combination, (v) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) where Customer’s use of the Service is not strictly in accordance with this Agreement. If, due to a claim of infringement, the Services are held by a court of competent jurisdiction to be or are believed by Company to be infringing, Company may, at its option and expense (a) replace or modify the Service to be non-infringing provided that such modification or replacement contains substantially similar features and functionality, (b) obtain for Customer a license to continue using the Service, or (c) if neither of the foregoing is commercially practicable, terminate this Agreement and Customer’s rights hereunder and provide Customer a refund of any prepaid, unused fees for the Service.
LIMITATION OF LIABILITY
NOTWITHSTANDING ANYTHING TO THE CONTRARY, EXCEPT FOR BODILY INJURY OF A PERSON, COMPANY AND ITS SUPPLIERS (INCLUDING BUT NOT LIMITED TO ALL EQUIPMENT AND TECHNOLOGY SUPPLIERS), OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS AND EMPLOYEES SHALL NOT BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT OR TERMS AND CONDITIONS RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (A) FOR ERROR OR INTERRUPTION OF USE OR FOR LOSS OR INACCURACY OR CORRUPTION OF DATA OR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY OR LOSS OF BUSINESS; (B) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; (C) FOR ANY MATTER BEYOND COMPANY’S REASONABLE CONTROL; OR (D) FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY CUSTOMER TO COMPANY FOR THE SERVICES UNDER THIS AGREEMENT IN THE 12 MONTHS PRIOR TO THE ACT THAT GAVE RISE TO THE LIABILITY, IN EACH CASE, WHETHER OR NOT COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
MISCELLANEOUS
If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable or sublicensable by Customer except with Company’s prior written consent. Company may transfer and assign any of its rights and obligations under this Agreement without consent. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein. No agency, partnership, joint venture, or employment is created as a result of this Agreement and Customer does not have any authority of any kind to bind Company in any respect whatsoever. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested. This Agreement shall be governed by the laws of the State of [Delaware] without regard to its conflict of laws provisions.
The parties will work together in good faith to issue at least one mutually agreed upon press release within ninety (90) days of the Effective Date, and Customer otherwise agrees to reasonably cooperate with Company to serve as a reference account upon request. Customer agrees to allow Company to use its logo on Company homepage as a reference.
EXHIBIT A
Statement of Work
EXHIBIT B
Service Level Terms
The Services shall be available 99%, measured monthly, excluding holidays and weekends and scheduled maintenance. If Customer requests maintenance during these hours, any uptime or downtime calculation will exclude periods affected by such maintenance. Further, any downtime resulting from outages of third party connections or utilities or other reasons beyond Company’s control will also be excluded from any such calculation. Customer's sole and exclusive remedy, and Company's entire liability, in connection with Service availability shall be that for each period of downtime lasting longer than [12 hours], Company will credit Customer 1% of Service fees for each period of 12 or more consecutive minutes of downtime; provided that no more than one such credit will accrue per day. Downtime shall begin to accrue as soon as Customer (with notice to Company) recognizes that downtime is taking place, and continues until the availability of the Services is restored. In order to receive downtime credit, Customer must notify Company in writing within 24 hours from the time of downtime, and failure to provide such notice will forfeit the right to receive downtime credit. Such credits may not be redeemed for cash and shall not be cumulative beyond a total of credits for one (1) week of Service Fees in any one (1) calendar month in any event. Company will only apply a credit to the month in which the incident occurred. Company’s blocking of data communications or other Service in accordance with its policies shall not be deemed to be a failure of Company to provide adequate service levels under this Agreement.
EXHIBIT C
Support Terms
Company will provide Technical Support to Customer via both telephone and electronic mail on weekdays during the hours of 9:00 am through 5:00 pm Eastern time, with the exclusion of Federal Holidays (“Support Hours”).
Customer may initiate a helpdesk ticket during Support Hours by emailing support@chezie.co.
Company will use commercially reasonable efforts to respond to all Helpdesk tickets within one (1) business day.
EXHIBIT D
PRIVACY AND DATA PROTECTION AGREEMENT
This Privacy and Data Protection Addendum (“Addendum”) between <insert company name> (“Customer”) and Dyversifi Inc. (“Company”) sets forth the terms and conditions relating to the privacy, confidentiality and security of Agency Data (as defined below) that Vendor may obtain, access or otherwise Process to perform the Services pursuant to the Agreement.
DEFINED TERMS
Unless otherwise defined herein, capitalized terms have the meanings contained in the Agreement.
“Adequacy Decision” means a decision adopted by a relevant authority declaring that a jurisdiction meets an adequate level of protection of Personal Data.
“Data Protection Laws” means all national, foreign, state or local laws, regulations, ordinances, guidelines or other government standards or industry best practices relating to the data protection, privacy, confidentiality or security of Agency Data, including, as applicable (i) the California Consumer Privacy Act of 2018, California Civil Code § 1798.100 et seq. (“CCPA”); (ii) the UK Data Protection Act 2018; and (iii) Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
“Industry Standards” include, but are not limited to, National Institute of Standards and Technology (NIST) 800 Series, NIST Cybersecurity Framework and ISO 27001, or their equivalents.
“Agency Data” means any data or information that Vendor creates, obtains, accesses, receives from or on behalf of Agency, hosts or uses in the course of its performance of the Agreement. Agency Data may include Personal Data (defined below).
“Personal Data” means any Agency Data that (i) identifies, directly or indirectly, an individual; or (ii) relates to an identifiable individual. Personal Data may include Sensitive Personal Data.
“Process” or “Processing” means the collection, recording, organization, structuring, alteration, use, access, disclosure, copying, transfer, storage, deletion, combination, restriction, adaptation, retrieval, consultation, destruction, disposal, augmentation or other use of Agency Data, whether by automated means or otherwise.
“Security Incident” means (i) any actual or suspected accidental or unauthorized access, acquisition, use, modification, disclosure, loss, destruction of or damage to Agency Data or any other unauthorized Processing of Agency Data; (ii) any event that creates a substantial risk to the confidentiality, integrity or availability of Agency Data; (iii) any breach of any of Vendor’s security obligations under this Addendum; or (iv) any other event requiring notification under applicable Data Protection Laws.
“Sensitive Personal Data” means any of the following types of Personal Data: (i) Social Security or identity card number, taxpayer identification number, passport number, driver’s license number or other government-issued identification number; (ii) credit or debit card details or financial account number, with or without any code or password that would permit access to the account; or (iii) information on race, religion, ethnicity, sex life or practices or sexual orientation, medical information, health information, genetic or biometric information, biometric templates, political, religious or philosophical beliefs, political party or trade union membership, background check information or judicial data such as criminal records (including alleged commission of an offense), information on other judicial or administrative proceedings, or any information defined as sensitive under applicable Data Protection Laws.
“Vendor Personnel” means the employees, agents, consultants or contractors of Vendor that are authorized to Process Agency Data.
“Transfer” means the access by, transfer or delivery to or disclosure of Agency Data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction from which the Agency Data originated.
“Ancillary Use” means the anonymized aggregation and analysis of Agency Data by Vendor for the purposes of providing data trending, reports, and analysis to Agency and similarly situated customers of Vendor.
PRIVACY, DATA PROTECTION AND DATA SECURITY
Relationship of the Parties. Agency shall have sole and exclusive authority to determine the purposes and means of any Processing of Agency Data in the context of the Agreement. Vendor shall Process Agency Data only on behalf of and for the benefit of Agency and to carry out its obligations pursuant to the Agreement and Agency’s reasonable and lawful written instructions, as they may be issued from time to time. Ancillary Use of Agency Data by Vendor shall be subject to approval by Agency on a case-by-case basis. The scope, classification and details of Personal Data Processing are described in the applicable Statement of Work.
Compliance with Laws. Vendor shall comply with all Data Protection Laws to the extent applicable to its provision of Services. Vendor shall enforce and be responsible for compliance by all Vendor Personnel with the provisions of this Addendum and all other confidentiality obligations owed to Agency.
Data Integrity. Vendor will ensure all Agency Data created by Vendor on Agency’s behalf is accurate and, where appropriate, kept up to date, and ensure any Agency Data that is inaccurate or incomplete is erased or rectified in accordance with Agency’s instructions.
Confidentiality. Vendor will hold Agency Data in strict confidence and impose confidentiality obligations on Vendor Personnel who will be provided access to, or will otherwise Process, Agency Data, including to protect all Agency Data in accordance with the requirements of this Addendum (including during the term of their employment or engagement and thereafter).
Authorized Subcontractors. Vendor will not disclose or transfer Agency Data to, or allow access to Agency Data by (each, a “Disclosure”) any third party without Agency’s express prior written consent; provided, however, Vendor may Disclose Agency Data to its affiliates and subcontractors for purposes of providing the Services to Agency, subject to the following conditions: (a) Vendor will maintain a list of the affiliates and subcontractors (with contact information) and the processing activities to be performed in connection with such Disclosures and will provide this list to Agency upon Agency’s request; (b) Vendor will provide Agency with at least 30 days’ prior notice of the addition of any affiliate or subcontractor to this list and the opportunity to object to such addition(s); and (c) if Agency makes such an objection on reasonable grounds and Vendor is unable to modify the Services to prevent Disclosure of Agency Data to the additional affiliate or subcontractor, Agency will have the right to terminate the relevant Processing. Any subcontractor that Agency has not objected to within 30 days will be an “Authorized Subcontractor”. Vendor shall remain fully liable to Agency for losses, uses or disclosures of, activities involving, or access or acquisition of Agency Data by Authorized Subcontractors.
Individual Rights Requests. Vendor will promptly notify Agency in writing, and in any case within two days of receipt, unless specifically prohibited by laws applicable to Vendor, if Vendor receives: (i) any requests from an individual with respect to Personal Data Processed, including, but not limited to, opt-out requests; requests for access and/or rectification, erasure or restriction; requests for data portability and all similar requests; or (ii) any complaint relating to the Processing of Personal Data, including allegations that the Processing infringes on an individual’s rights. Vendor will not respond to any such request or complaint, except to redirect the individual to Agency, unless expressly authorized to do so by Agency, will cooperate with Agency with respect to any action taken relating to such request or complaint, and will seek to implement appropriate processes (including technical and organizational measures) to assist Agency in responding to requests or complaints from individuals.
Disclosure Requests. If Vendor receives any order, demand, warrant or any other document requesting or purporting to compel the production of Agency Data (including, for example, by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoenas, civil or criminal investigative demands or other similar processes) by any competent authority (“Disclosure Request”), Vendor will immediately notify Agency (except to the extent prohibited by laws applicable to Vendor). If the Disclosure Request is not legally valid and binding, Vendor will not respond. If a Disclosure Request is legally valid and binding, Vendor will provide Agency with at least 48 hours’ notice prior to the required disclosure, so Agency may, at its own expense, exercise such rights as it may have under applicable law to prevent or limit such disclosure. Notwithstanding the foregoing, Vendor will exercise commercially reasonable efforts to prevent and limit any such disclosure and to otherwise preserve the confidentiality of Agency Data and will reasonably cooperate with Agency with respect to any action taken relating to such request, complaint, order or other document, including to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to Agency Data.
Regulatory Investigations. Upon notice to Vendor, Vendor will assist and support Agency in the event of an investigation by any law enforcement body or regulator, including a data protection or similar authority, if and to the extent such investigation relates to Agency Data handled by Vendor on behalf of Agency in accordance with this Addendum.
Information Security Program. Vendor shall develop, implement, maintain, monitor and, where necessary, update a comprehensive written information security program that contains appropriate administrative, technical and physical safeguards to protect Agency Data (“Information Security Program”). The Information Security Program shall include appropriate technical and organizational security measures and procedures, appropriate to the nature of the Agency Data that conform to generally recognized Industry Standards and are designed to (i) ensure the security, integrity, availability and confidentiality of Agency Data; (ii) protect against any anticipatable threats or hazards to the security and integrity of Agency Data; and (iii) protect against any Security Incident. Any changes to or additional technical, administrative and organizational measures shall be subject to further written agreement between Agency and Vendor.
Security Incidents. Vendor shall promptly, but in no case later than 24 hours, notify Agency of any Security Incident of which Vendor becomes aware by contacting Company IT contact. Such notice shall summarize in reasonable detail the effect of the Security Incident on Agency and the affected individuals, if known, and the corrective action taken or to be taken by Vendor.
Investigation & Assistance. In the event of a Security Incident, Vendor agrees to undertake a thorough forensic investigation of the Security Incident, take all necessary and advisable steps to eliminate or contain the exposure of the Agency Data, preserve forensic evidence and keep Agency informed of the status and cause of the Security Incident and all related matters. Vendor further agrees to provide reasonable assistance and cooperation requested by Agency and/or Agency’s designated representatives in the furtherance of any correction, remediation, investigation or recording of any Security Incident and/or the mitigation of any potential damage, including any notification that Agency may determine appropriate to send to affected individuals, regulators or third parties, and/or the provision of any credit reporting service Agency deems appropriate to provide to affected individuals. To the extent that the Security Incident was Vendor’s fault, Vendor will assume the cost of informing all affected individuals, regulators or third parties in accordance with applicable law.
Vendor will provide the name and contact information of at least two security contacts who will respond to Agency in a timely manner, dependent on criticality, in the event that Agency must investigate a Security Incident. In addition, within 30 days of identifying or being informed of any Security Incident arising from any act or omission by Vendor, Vendor will develop and execute a plan, which reduces the likelihood of a recurrence of a Security Incident.
Notification. Unless required by law applicable to Vendor, Vendor will not notify any individual or any third party other than law enforcement of any potential Security Incident involving Agency Data in any manner that would identify, or is reasonably likely to identify or reveal the identity of, Agency, without first obtaining Agency’s written permission.
Termination. In the event of a Security Incident, Agency may terminate the Agreement, this Addendum or any Order Forms or Statements of Work without liability by giving notice of termination to Vendor.
Other Assistance. Vendor will provide relevant information and assistance requested by Agency to demonstrate Vendor’s compliance with its obligations under this Addendum and assist Agency in meeting Agency’s obligations under data protection or privacy laws, including: (i) registration and notification obligations; (ii) accountability; (iii) ensuring the security of Personal Data; (iv) if required by applicable law, establishment and maintenance of a record of Personal Data Processing; and (v) the carrying out of privacy and data protection impact assessments and related consultations of data protection authorities. In addition, when Vendor is responding to an Agency-mandated audit or inspection of Vendor’s compliance with its obligations, Vendor will inform Agency if Vendor believes that any Agency instructions regarding the Processing of Personal Data would violate applicable law.
CROSS-BORDER DATA TRANSFERS
Vendor shall not transfer Personal Data to any third party located outside the country to which Agency originally delivered such Personal Data to Vendor for Processing except in compliance with this Addendum and all applicable Data Protection Laws.
Restricted Transfers from the EEA (including Switzerland). When Agency or an Agency affiliate in the European Economic Area or Switzerland (for purposes of this Addendum, together, “EEA”) Transfers Personal Data to Vendor or an Authorized Subcontractor that is (i) located outside the EEA and (ii) not covered by an Adequacy Decision, the relevant Transfer will be governed by the EU Commission-approved version of the Controller to Processor form of the Standard Contractual Clauses (without optional clauses) (as set out in https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en) or any successor clauses that have been approved by the European Commission (the “EU Standard Contractual Clauses”).
For avoidance of doubt, Vendor must continue to comply with its general obligations under Sections 1-8 of this Addendum, in addition to Sections 3.1-3.3, where applicable.
TRAINING
Vendor shall exercise the necessary and appropriate supervision over its relevant Vendor Personnel to maintain appropriate privacy, confidentiality and security of Agency Data. Vendor shall ensure training, as appropriate, regarding the privacy, confidentiality and information security requirements set forth in this Addendum is provided to relevant Vendor Personnel who have access to Agency Data.
PRIVACY AUDIT
Notwithstanding any other Agency audit rights in the Agreement, Vendor will provide to Agency, its authorized representatives and such independent inspection body as Agency may appoint, on at least thirty (30) days’ notice: (i) access to Vendor’s information, processing premises and records; (ii) reasonable assistance and cooperation of Vendor’s relevant staff; and (iii) reasonable facilities at Vendor’s premises for the purpose of auditing Vendor’s compliance with its obligations under this Addendum. Vendor shall cause any Authorized Subcontractor to contractually agree to participate in any such audit of its sub-Processing of Personal Data including an audit conducted by Agency. Vendor and its Authorized Subcontractor(s) agree to fully cooperate with such audit and implement all commercially reasonable changes to their information security programs and data processing facilities that result from the audit. Agency may suspend Vendor’s performance in part or in whole under the Agreement and/or terminate the Agreement or any Order Form or Statement of Work relating to Vendor’s further Processing of Personal Data, to the extent either suspension or termination is required in Agency’s sole judgment to comply with applicable Data Protection Laws.
CCPA
Vendor: (i) will not sell Personal Data (as “sell” is defined under the CCPA); (ii) will not retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services; (iii) will not retain, use, or disclose Personal Data for a commercial purpose other than providing the Services; (iv) will not retain, use, or disclose Personal Data outside of the direct business relationship between Vendor and Agency; and (v) certifies that it understands these restrictions and will comply with them. To the extent “sell” under the CCPA is interpreted to include any advertising technology activities explicitly set out in the Agreement, Vendor will: (i) ensure its activities are compliant with the CCPA; (ii) where Vendor receives a “Do Not Sell” or opt-out of sale request from a consumer (whether directly or indirectly), promptly cease any further use or sale of the applicable consumer’s Personal Data upon its receipt of such request and inform Agency of the same; and (iii) provide Agency with all assistance reasonably required by Agency to address Agency’s obligations under the CCPA.
RETURN OR DISPOSAL
Vendor will, as appropriate and as directed by Agency, regularly dispose of Agency Data that is maintained by Vendor but is no longer necessary to provide the Services. Upon termination or expiration of this Addendum for any reason or upon Agency’s request, Vendor will immediately cease handling Agency Data and will return such Agency Data in a manner and format reasonably requested by Agency or, if specifically directed by Agency, will destroy any or all Agency Data in Vendor’s possession, power or control. If Vendor disposes of any paper, electronic or other record containing Agency Data, Vendor will do so by taking all reasonable steps (based on the sensitivity of Agency Data) to destroy Agency Data by: (a) shredding; (b) permanently erasing and deleting; (c) degaussing; or (d) otherwise modifying Agency Data in such records to make it unreadable, unreconstructable and indecipherable. Upon request, Vendor will provide a written certification that Agency Data has been returned or securely destroyed in accordance with this Addendum.
GENERAL
Adverse Changes. Vendor will notify Agency promptly if Vendor: (i) has reason to believe that it is unable to comply with any of its obligations under this Addendum and cannot cure this inability to comply within a reasonable time frame; or (ii) becomes aware of any circumstances or change in applicable law that is likely to prevent it from fulfilling its obligations under this Addendum. If this Addendum, or any actions to be taken or contemplated to be taken in performance of this Addendum, do not or would not satisfy either party’s obligations under the laws applicable to each party, the parties will negotiate in good faith upon an appropriate amendment to this Addendum.
Conflicts. To the extent there is any conflict between this Addendum and the Agreement, the Addendum will prevail. To the extent there is any conflict between Sections 1 to 8 of this Addendum and the terms of the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will prevail.
Survival. The obligations of Vendor under this Addendum will continue for as long as Vendor continues to have access to, is in possession or control of, or acquires Agency Data.