Arelios Terms of Use and Conditions
Arelios Terms of Use and Conditions
Effective as of June 1st, 2019, AGILOS-SOLUTIONS CVBA., (“Arelios”) and its subsidiaries (collectively, “Arelios” or “we” or “us” or “our”) have updated our Terms of Service (“Terms”).
THESE TERMS OF SERVICE (“TERMS”) CONSTITUTE A CONTRACT BETWEEN YOU AND ARELIOS AND GOVERN USE OF AND ACCESS TO THE SERVICE AND WEBSITE BY YOU, USERS, AND END-USERS WHETHER IN CONNECTION WITH A PAID SUBSCRIPTION TO THE SERVICE OR A FREE TRIAL OF THE SERVICE.
By accepting these Terms, or by accessing or using the Service or Website, or authorizing or permitting any User or End-User to access or use the Service, You agree to be bound by these Terms. If You are entering into these Terms on behalf of a company, organisation or another legal entity (an “Entity”), You are agreeing to these Terms for that Entity and representing to Arelios that You have the authority to bind such Entity and its affiliates to these Terms, in such case the terms “Subscriber,” “You,” “Your” or related capitalized terms herein shall refer to such Entity and its affiliates. If You do not have such authority, or if You do not agree with these Terms, You must not accept these Terms and may not use the Service.
The terms and Conditions of this Agreement apply to all Arelios Services provided to End User by Arelios directly or via one of its partners.
"Arelios", "we", "us" or “our” means the applicable contracting entity providing the Service to the User or End-User as specified in the ‘Contracting Entity and Applicable Law’ section. Arelios is a brand of Agilos-Solutions CVBA.
"You", "your" or “Customer” means the person or entity using the Service and identified in the applicable account record, billing statement, or Order Form as the customer.
"Agreement" means the Terms of Use and Conditions for Agilos Solutions, Services and all materials referred or linked to in here.
“Paid Users” means those types of Users (defined below) for which Arelios charge fees as set forth in its subscription catalog.
"Billing Period" means the period for which you agree to prepay fees under an Order Form, which will be the same as or shorter than the Managed Service Subscription Term. For example, if you subscribe to the Managed service for a three (3) year Subscription Term, with a twelve (12) month upfront payment, the Billing Period will be twelve (12) months.
“Confidential Information” means all information provided by you or us ("Discloser") to the other (“Receiver”), whether orally or in writing that is designated as confidential. Confidential Information will include Customer Data and information about the Discloser’s business plans, technical data, and the terms of the Order. Confidential Information does not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Discloser or (ii) was known to the Receiver before receipt from the Discloser.
"Contact" means a single individual (other than a User) whose Contact Information is stored by you in the Service.
"Contact Information" means the name, email address, phone number, online user name(s), telephone number, and similar information uploaded by you to the Managed Service.
"Order" or "Order Form" means any Arelios generated service order form executed or approved by You with respect to Your subscription to the Service, which form may detail, among other things, the number of Users authorized to use the Service under Your subscription to the Service and the Service Plan applicable to Your subscription to the Service.
"Subscription Fee" means the amount you pay for subscribing to the Service.
" Service" means all of our web-based solutions, tools, platforms, and services that you have subscribed to by an Order Form or that we otherwise make available to you, and are developed, operated, and maintained by us, and any ancillary products and services, including website hosting, that we provide to you.
“Other Services”: means third party products, applications, services, software, products, networks, systems, directories, websites, databases and information which the Service links to, or which You may connect to or enable in conjunction with the Service, including, without limitation, Other Services which may be integrated directly into Your Arelios Service.
"Subscription Term" means the initial term of your subscription to the applicable Service, as specified on your Order Form(s), and each subsequent renewal term (if any).
"Users" means your employees, representatives, consultants, contractors or agents who are authorized to use the Service for your benefit and have unique user identifications and passwords for the Services.
“Personal Data”: means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
“Processing/To Process”: means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Service Plan(s)”: means the packaged service plan(s) and the functionality and services associated therewith (as detailed on the Website applicable to the Service) for the Services to which You subscribe.
“Website”: means www.arelios.com and other websites that Arelios operates
“Software”: means software provided by Arelios (either by download or access through the internet) that allows Users and End-Users to use any functionality in connection with the Service.
2.1. Access. During the Services Subscription Term, we will provide you access to use our solutions and services as described in this Agreement and the applicable Order (consistent with the Service Plan You subscribe to) for Your internal business purposes.
2.2. Availability. We try to make the Service available 24 hours a day, 7 days a week, except for planned down-time for maintenance and updates and unplanned circumstances.
2.3. Changes to Services.
We regularly change and improve our Services. We may add, alter, or remove functionality from a Service at any time without prior notice. We may also limit, suspend, or discontinue a Service at our discretion. If we discontinue a Service, we will give you reasonable advance notice to provide you with an opportunity to export a copy of your Content from that Service. We may remove content from the Services at any time in our sole discretion, although we will endeavour to notify you before we do that if it materially impacts you and if practicable under the circumstances.
2.4. Downgrades.
Downgrading your account plan may cause the loss of content, features, functionality, or capacity of your account.
3.1. Services Subscription Fees. The monthly subscription fee is calculated on your subscription plan rate and your usage of the Service in case of a quantity-based plan (number of users, number of business units, number of surveys or any other measurable usage as per description of you plan). The plan subscription rate will remain fixed during the Subscription Term unless you: (i) subscribe for additional Services (ii) upgrade products or base packages or (iii) subscribe to additional features.
3.2. Fee Adjustments During a Billing Period.: In any of the above cases, you will be invoiced for the additional Subscription Fee pro-rated the remaining Billing Period.
3.3. Next Billing Period. upon renewal, your subscription will be adjusted to match the new usage quantity of your plan at the end of your then-current Subscription Term. For more detail on renewal pricing, see the ‘Term and Renewal’ section below.
3.4. Payment against invoice. Unless otherwise indicated on a Form referencing these Terms and subject to Section 6.2, all charges associated with Your access to and use of the Service (“Subscription Charges”) are due in full upon commencement of Your Subscription Term. If You fail to pay Your Subscription Charges or charges for other services indicated on any Form referencing these Terms within five (5) business days of Our notice to You that payment is due or delinquent, or if You do not update payment information upon Our request, in addition to Our other remedies, We may suspend or terminate access to and use of the Service by You, Users and End-Users.
3.5. Service plan upgrade. If You choose to upgrade Your Service Plan or increase the quantity during Your Subscription Term (a “Subscription Upgrade”), any incremental Subscription Charges associated with such Subscription Upgrade will be prorated over the remaining period of Your then-current Subscription Term, charged to Your Account and due and payable upon implementation of such Subscription Upgrade. In any future Subscription Term, Your Subscription Charges will reflect any such Subscription Upgrades.
3.6. Refunds. No refunds or credits for Subscription Charges or other fees or payments will be provided to You if You elect to downgrade Your Service Plan. Downgrading Your Service Plan may cause loss of content, features, or capacity of the Service as available to You under Your Account, and Arelios does not accept any liability for such loss. Arelios reserves the right to contact You about special pricing if You maintain an exceptionally high number of Users, End-Users or other excessive stress on the Service.
3.7. Tax. Unless otherwise stated, all Our fees do not include any taxes, levies, duties or similar governmental assessments, including value-added, sales, use or withholding taxes assessable by any local, state, provincial or foreign jurisdiction (collectively “Taxes”). You are responsible for paying Taxes except those assessable against Arelios based on its income. We will invoice You for such Taxes if We believe We have a legal obligation to do so and You agree to pay such Taxes if so invoiced.
3.8. Credit card. If You pay by credit card, the Service provides an interface for the account owner to change credit card information (e.g. upon card renewal). The Account owner will receive a receipt upon each receipt of payment by Arelios, or they may obtain a receipt from within the Service to track subscription status. You hereby authorize Arelios to bill Your credit card or another payment instrument in advance on a periodic basis in accordance with the terms of the Service Plan until you terminate your Subscription, and you further agree to pay any Subscription Charges so incurred. Arelios uses a third-party intermediary to manage credit card processing and this intermediary is not permitted to store, retain or use Your billing information except to process Your credit card information for Arelios.
4.1 Permission to Use
Subject to your complete and ongoing compliance with these Terms, we grant you limited, non-transferable, non-sublicensable, revocable permission to access and use the Services for your personal, internal use during the Term at the level of service for which you have paid all applicable Fees.
4.2 Conditions of service performance
A high-speed Internet connection is required for proper transmission of the Service. You are responsible for procuring and maintaining the network connections that connect Your network to the Service, including, but not limited to, “browser” software that supports protocols used by Arelios, including Secure Socket Layer (SSL) protocol or other protocols accepted by Arelios, and to follow procedures for accessing services that support such protocols. We are not responsible for notifying You, Users or End-Users of any upgrades, fixes or enhancements to any such software or for any compromise of data, including Your Data, transmitted across computer networks or telecommunications facilities (including but not limited to the Internet) which are not owned, operated or controlled by Arelios. We assume no responsibility for the reliability or performance of any connections as described in this section.
4.3 Your Responsibilities.
You are responsible for your conduct, Content, and communications with others while using the Services. You must comply with the following requirements when using the Services:
(a) You may not purchase, use, or access the Services if You are a direct competitor of Arelios, except with Arelios’s prior written consent, (a.1) if you intend to build a competitive product or service or (a.2) for any other competitive purposes, including the monitoring performance, availability, functionality, or (a.3) for any benchmarking or competitive purposes.
(b) You may not misuse our Services by interfering with their normal operation; you may not use the Services in any manner that damages, disables, overburdens, or impairs any of our websites or interferes with any other party's use of the Services;
(c) You may not attempt to access our Services using a method other than through our interfaces and instructions that we provide or to gain unauthorized access to them;
(d) You may not circumvent or attempt to circumvent any limitations that Arelios imposes on your account (such as by opening up a new account to conduct a survey that we have closed for a Terms violation).
(e) Unless authorized by Arelios in writing, you may not probe, scan, or test the vulnerability of any Arelios system or network.
(f) Unless authorized by Arelios in writing, you may not use any manual or automated system or software to extract or scrape data from the websites or other interfaces through which we make our Services available.
(g) Unless permitted by applicable law, you may not deny others access to, or reverse engineer, the Services, or attempt to do so.
(h) You may not transmit any viruses, malware, or other types of malicious software, or links to such software, through the Services.
(i) You may not engage in abusive or excessive usage of the Services, which is usage significantly in excess of average usage patterns that adversely affects the speed, responsiveness, stability, availability, or functionality of the Services for other users. Arelios will endeavor to notify you of any abusive or excessive usage to provide you with an opportunity to reduce such usage to a level acceptable to Arelios.
(j) You may not use the Services to infringe the intellectual property rights of others, or to commit an unlawful activity.
(k) Unless authorized by Arelios in writing, you may not resell or lease the Services.
(l) If your use of the Services requires you to comply with industry-specific regulations applicable to such use, you will be solely responsible for such compliance, unless Arelios has agreed with you otherwise. You may not use the Services in a way that would subject Arelios to those industry-specific regulations without obtaining Arelios’ prior written agreement. For example, you may not use the Services to collect, protect, or otherwise handle “protected health information” (as defined in 45 C.F.R. §160.103 under United States federal regulations) without entering into a separate business associate agreement with Arelios that permits you to do so.
(m) You may not register accounts by “bots” or other automated methods.
(n) Your Content and use of the Services may not violate our Content Policy.
(o) You may not use the Services for any purpose or in any manner that is unlawful or prohibited by this Agreement.
(p) You may not reproduce, distribute, publicly display, or publicly perform the Services.
(q) You are responsible for compliance with the provisions of these Terms by Users and End-Users and for any and all activities that occur under Your Account, as well as for all Your Data. Without limiting the foregoing, You are solely responsible for ensuring that use of the Service to store and transmit Your Data is compliant with all applicable laws and regulations. You also maintain all responsibility for determining whether the Service or the information generated thereby is accurate or sufficient for Your purposes. Subject to any limitation on the number of individual Users available under the Service Plan for which You subscribed, access to and use of the Service is restricted to the specified number of individual Users permitted under Your subscription to the Service. You agree and acknowledge that each User will be identified by a unique username and password (“Login”) and that a User Login may only be used by one individual. You will not share a User Login among multiple individuals. You and Your Users are responsible for maintaining the confidentiality of all Login information for Your Account.
You will notify us right away of any unauthorized use of your Users’ identifications and passwords or your account by login to Agilos Web Support application.
5.1. Warranties
The website and the service, including all server and network components are provided on an “as is” and “as available” basis, without any warranties of any kind to the fullest extent permitted by law, and Arelios expressly disclaims any and all warranties, whether express or implied, including, but not limited to, any implied warranties of merchantability, title, fitness for a particular purpose, and non-infringement. You acknowledge that Arelios does not warrant that the service will be uninterrupted, timely, secure, error-free or free from viruses or other malicious software, and no information or advice obtained by you from Arelios or through the service shall create any warranty not expressly stated in these terms.
5.2. Compliance achievement
Arelios provides you a Service that helps you achieve you GDPR compliance process. Despite the fact Arelios might provide recommendations, guidelines, indications or any kind of information related to GDPR or your own compliance status, via the platform, the chatbox or any other channel, generated by an Arelios collaborators or a third-party or a bot, Arelios does not give any guarantee of success nor compliance.
It remains your own responsibility to (a) evaluate the adequateness of the received information with your own situation, (b) assess your GDPR compliance, (c) define the corrective actions to be implemented and (d) implement them. In no case Arelios will be responsible of your level of compliance with GDPR nor of your ability to comply nor of any fines or damages you might be exposed to due to your lack of compliance.
6.1. Materials included in the Services
The Services are owned and operated by Agilos-Solutions. The visual interfaces, graphics, design, surveys, assessment formulas, compilation, information, data, computer code (including source code or object code), products, software, services, templates and all other elements of the Services (“Materials”) provided by Agilos-Solutions are protected by intellectual property and other laws. All Materials included in the Services are the property of Agilos-Solutions or its third party licensors. Except as expressly authorized by Agilos-Solutions, you may not make use of the Materials. Agilos-Solutions reserves all rights to the Materials not granted expressly in these Terms.
6.2. Feedback
If you choose to provide input and suggestions regarding problems with or proposed modifications or improvements to the Service (“Feedback”), then you hereby grant Buffer an unrestricted, perpetual, irrevocable, non-exclusive, fully-paid, royalty-free right to exploit the Feedback in any manner and for any purpose, including to improve the Service and create other products and services.
7.1. Term and Renewal.
Your initial Services subscription period will be specified in your Order, and your subscription will automatically renew for the shorter of the subscription period, or one year. To prevent renewal of the subscription, the required notice must be provided within the timeframe as specified in the ‘Subscription Types’ section below. If you add products during the Subscription Term, the fees for these additional products will be pro-rated and they will renew along with your subscription, unless otherwise indicated in your Order.
The renewal pricing set forth in your Order will apply, subject to adjustment as specified in the ‘Fees and Payments’ section above. If renewal pricing is not included in your Order, then our standard pricing available in our Product and Services Catalog on the date of renewal will apply.
See the ‘Limits’ section below for the applicability of product limits on renewal.
7.2. No Early Termination; No Refunds. The Services Subscription Term will end on the expiration date and the subscription cannot be cancelled early. We do not provide refunds if you decide to stop using the Agilos Solutions subscription during your Subscription Term.
7.3. Termination for Cause. Either party may terminate this Agreement for cause, as to any or all Services Subscription: (i) upon thirty (30) days’ notice to the other party of a material breach if such breach remains uncured at the expiration of such period, or (ii) immediately, if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, liquidation or assignment for the benefit of creditors. We may also terminate this Agreement for cause on thirty (30) days’ notice if we determine that you are acting, or have acted, in a way that has or may negatively reflect on or affect us, our prospects, or our customers. This Agreement may not otherwise be terminated prior to the end of the Subscription Term.
7.4. Suspension for Prohibited Acts. We may suspend any User’s access to any or all Services without notice for: (i) use of the Managed Service in a way that violates applicable local, laws or regulations or the terms of this Agreement.
7.5. Suspension for Non-Payment. We will provide you with notice of non-payment of any amount due. Unless the full amount has been paid, we may suspend your access to any or all of the Services Subscription ten (10) days after such notice. We will not suspend the Service while you are disputing the applicable charges reasonably and in good faith and are cooperating diligently to resolve the dispute. If a Service is suspended for non-payment, we may charge a re-activation fee to reinstate the Service.
7.6. Upon termination or expiration of this Agreement, you will stop all use of the affected Services Subscription Data. We may provide you the opportunity to retrieve Customer Data after termination or expiration as specified in the ‘Retrieval of Customer Data’ section below. If you terminate this Agreement for cause, we will promptly refund any prepaid but unused fees covering use of the Services after termination. If we terminate this Agreement for cause, you will promptly pay all unpaid fees due through the end of the Subscription Term. Fees are otherwise non-refundable.
7.7. Notice of Non-Renewal. Your subscription will automatically renew according to the ‘Term and Renewal’ section above.
Unless otherwise specified in your Order, to prevent renewal of your Services Subscription, you or we must give written notice of non-renewal and this written notice must be received no less than sixty (60) days in advance of the end of the Subscription Term. If you decide not to renew, you may send the notice of non-renewal by email to contact@agilos.com.
7.8. Retrieval of Customer Data. For Services Subscriptions, as long as you have paid all fees owed to us, if you make a written request within thirty (30) days after termination or expiration of your subscription, we will permit you to export your Customer Data, at your expense, in accordance with the capabilities of the Service. Following such period, we shall have the right to delete all Customer Data stored or Processed by us on your behalf in accordance with our deletion policies and procedures. You expressly consent to such deletion.
8.2. Arelios will maintain commercially reasonable administrative, physical and technical safeguards to protect the security, confidentiality, and integrity of Your Data. These safeguards include encryption of Your Data in transmission (using SSL or similar technologies), except for certain Other Services that do not support encryption, which You may link to through Service at Your election. Our compliance with the provisions of this Section 8.2 shall be deemed compliance with Our obligations to protect Your Data as set forth in Section 8.1.
8.3. You agree that Arelios and the service providers We use to assist in providing the Service to You shall have the right to access Your Account and to use, modify, reproduce, distribute, display and disclose Your Data solely to the extent necessary to provide the Service, including, without limitation, in response to Your support requests. Any third party service providers We utilize will only be given access to Your Account and Your Data as is reasonably necessary to provide the Service and will be subject to (a) confidentiality obligations which are commercially reasonable and substantially consistent with the standards described in Section 8.2; and (b) their agreement to comply with the data transfer restrictions applicable to Personal Data as set forth in Section 8.5.
Arelios may also access or disclose information about You, Your Account, Users or End-Users, including Your Data, in order to (a) comply with the law or respond to lawful requests or legal process; (b) protect Arelios’ or its customers’ or partners’ rights or property, including enforcement of these Terms or other policies associated with the Service; (c) act on a good faith belief that such disclosure is necessary to protect personal safety or avoid violation of applicable law or regulation.
8.4. We collect certain information about You, Users, and End-Users as well as Your and their respective devices, computers and use of the Service. We use, disclose, and protect this information as described in Our Privacy Policy, the then-current version of which is available at www.arelios.com/privacy_policy and is incorporated into the Terms.
8.5. To the extent Your Data include any Personal Data, You acknowledge in all cases that Arelios acts as the processor of such Personal Data and You remain the controller of such Personal Data for GDPR and any other applicable Personal Data protection regulations. You understand that if You give an integration provider access to Your Arelios account, You serve as the controller of such information and the integration provider serves as the processor for the purposes of those data laws and regulations that apply to You. In no case are such integration providers our subprocessors. The Exhibit A to these Terms includes Data Processing Agreement between You and Us which shall govern the terms of our Processing of Service Data, unless we entered into a separate Data Processing Agreement and unless neither you nor us are required to enter into a data processing agreement taking into account the nature of Service Data, location of Users and other aspects of the Services provided by Us to You.
Your Data is currently hosted by Agilos or its authorized service partners in data centres located in the European Economic Area. If Your principal location is within the European Economic Area, we will use commercially reasonable efforts to notify You at least thirty (30) days before our election to host Personal Data provided to Arelios in connection with use of the Service in data centres located outside the European Economic Area or the United States. If You are entitled to this notice and do not wish to have Your Personal Data hosted in data centres located in such other country or territory, You may terminate Your Subscription and Your Account with immediate effect upon written notice to Arelios within 30 days or Your receipt of such notice.
9.1. Publicity. You grant us the right to add your name and company logo to our customer list and website.
9.2. Indemnification. You will indemnify, defend and hold us harmless, at your expense, against any third-party claim, suit, action, or proceeding (each, an "Action") brought against us (and our officers, directors, employees, agents, service providers, licensors, and affiliates) by a third party not affiliated with us to the extent that such Action is based upon or arises out of (a) unauthorized or illegal use of the Managed Service by you, (b) your noncompliance with or breach of this Agreement, (c) your use of Third-Party Products, or (d) the unauthorized use of the Managed Service by any other person using your User information. We will: notify you in writing within thirty (30) days of our becoming aware of any such claim; give you sole control of the defence or settlement of such a claim; and provide you (at your expense) with any and all information and assistance reasonably requested by you to handle the Défense or settlement of the claim. You shall not accept any settlement that (i) imposes an obligation on us; (ii) requires us to make an admission; or (iii) imposes liability not covered by these indemnifications or places restrictions on us without our prior written consent.
9.3. Disclaimers; Limitations of Liability
9.4. Miscellaneous
*************Exhibit A: Data Processing Agreement*************
This Data Processing Agreement (the “DPA”) is made between Arelios as the data processor (the “Data Processor”) and the Subscriber as the data controller (the “Data Controller”) to reflect the parties’ agreement with respect to the terms governing the Processing of Personal Data under the Terms. In case of discrepancy between DPA and the Terms, DPA prevails.
1. DEFINITIONS
1.1 Capitalized terms used in this DPA shall have the meanings given to them in the Terms and below:
(a) Applicable Data Protection Law: means the following data protection law(s)): means (i) where Data Controller is established in a European Economic Area (“EEA”) member state or where Data Controller’s Agents or End-Users access the Services from an EEA member state: GDPR; and (ii) where Data Controller is established in Switzerland, the Swiss Federal Act of 19 June 1992 on Data Protection (as may be amended or superseded).
(b) Privacy Shield Framework: means the EU-U.S. and/or Swiss-U.S. Privacy Shield self-certification program operated by the US Department of Commerce
(c) Privacy Shield Principles: means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded, or replaced
(d) Sub-processor: means any third party data processor engaged by Data Processor, who receives Personal Data from Data Processor for processing on behalf of Data Controller and in accordance with Data Controller’s instructions (as communicated by Data Processor) and the terms of its written subcontract.
(e) Supervisor: means any Data Protection Supervisory Authority with competence over Data Controller’s and Data Processor’s Processing of Personal Data.
2. PURPOSE
2.1 Pursuant to the Terms the Data Controller is granted a license to access and use the Service. In providing the Service, Data Processor will engage, on behalf of Data Controller, in the Processing of Personal Data submitted to and stored within the Service by Data Controller.
2.2 The Parties are entering into this DPA to ensure that the Processing by Data Processor of Personal Data, within the Service by Data Controller and/or on its behalf, is done in a manner compliant with Applicable Data Protection Law and its requirements regarding the collection, use and retention of Personal Data of Data Subjects.
3. OWNERSHIP OF THE SERVICE DATA
3.1 As between the Parties, all Service Data Processed under the terms of this DPA and the Terms shall remain the property of Data Controller. Under no circumstances will Data Processor act, or be deemed to act, as a “controller” (or equivalent concept) of the Service Data Processed within the Service under any Applicable Data Protection Law.
4. OBLIGATIONS OF DATA PROCESSOR
4.1 The Parties agree that the subject-matter and duration of Processing performed by Data Processor under this DPA, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Appendix 1 of this DPA and in the Terms.
4.2 As part of Data Processor providing the Service to Data Controller under the Terms, Data Processor agrees and declares as follows:
(a) to process Personal Data in accordance with Data Controller’s documented instructions as set out in the Terms and this DPA or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Applicable Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(b) to ensure that all staff and management of any member of the Processor are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) to implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a “Data Security Breach”), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected;
(d) to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller’s Service Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;
(e) to comply with the requirements of Section 5 (Use of Sub-processors) when engaging a Sub-processor;
(f) taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a “Data Subject Request”). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Data Processor, Data Processor, shall, on Data Controller’s request and at Data Controller’s reasonable expense, address the Data Subject Request, as required under the Applicable Data Protection Law;
(g) upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Applicable Data Protection Law;
(h) upon termination of Data Controller’s access to and use of the Service, to comply with the requirements of Section 9 (Return and Destruction of Personal Data);
(i) to comply with the requirements of Section 6 (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DPA; and
(j) to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DPA, including the measures detailed in Exhibit A to this DPA.
(k) Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller’s Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
5. USE OF SUB-PROCESSORS
5.1 Data Controller agrees that Data Processor may appoint Sub-processors to assist it in providing the Service and Processing Personal Data provided that such Sub-processors:
(a) agree to act only on Data Processor’s instructions when Processing the Personal Data (which instructions shall be consistent with Data Controller’s Processing instructions to Data Processor); and
(b) agree to protect the Personal Data to a standard consistent with the requirements of this DPA, including by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they Process consistent with the Security Standards described in Appendix 2.
5.2 Data Processor agrees and warrants to remain liable to Data Controller for the subcontracted Processing services of any of its direct or indirect Sub-Processors under this DPA. Data Processor shall maintain an up-to-date list of the names and location of all Sub-Processors used for the Processing of Personal Data under this DPA at https://www.productboard.com/subprocessors/. Data Processor shall update the list of any Sub-Processor to be appointed at least 30 days prior to the date on which the Sub-Processor shall commence processing Personal Data.
5.3 In the event that Data Controller objects to the Processing of its Personal Data by any newly appointed Sub-Processor as described in Section 5.2, it shall inform Data Processor immediately. In such event, Data Processor will either (a) instruct the Sub-Processor to cease any further processing of Data Controller’s Personal Data, in which event this DPA shall continue unaffected, or (b) allow Data Controller to terminate this DPA (and any related services DPA with Data Processor) immediately and provide it with a pro rata reimbursement of any sums paid in advance for Services to be provided but not yet received by Data Controller as of the effective date of termination.
5.4 In addition, and as stated in the Terms, the Service provides links to integrations with Third Party Services, including, without limitation, certain Third Party Services which may be integrated directly into Data Controller’s account or instance in the Service. If Data Controller elects to enable, access or use such Third Party Services, its access and use of such Third Party Services is governed solely by the terms and conditions and privacy policies of such Third Party Services, and Data Processor does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Third Party Services, including, without limitation, their content or the manner in which they handle Service Data (including Personal Data) or any interaction between Data Controller and the provider of such Third Party Services. Data Processor is not liable for any damage or loss caused or alleged to be caused by or in connection with Data Controller’s enablement, access or use of any such Third Party Services, or Data Controller’s reliance on the privacy practices, data security processes or other policies of such Third Party Services. The providers of Third Party Services shall not be deemed Sub-processors for any purpose under this DPA.
6. AUDIT
6.1 The Parties acknowledge that Data Processor may use external auditors to verify the adequacy of its security measures, including the security of the physical data centres from which Data Processor provides its data processing services.
6.2 Data Processor shall provide responsive and detailed information to Data Controller’s requests for information (including any requests by Data Controller under instruction from Data Subjects), which may include responses to relevant information security and audit questionnaires.
6.3 At Data Controller’s written request, Data Processor will provide Data Controller with a confidential summary of the Report (“Summary Report”) so that Data Controller can reasonably verify Data Processor’s compliance with the security and audit obligations under this DPA. The Summary Report will constitute Data Processor’s Confidential Information under the confidentiality provisions of Data Processor’s Terms.
7. INTERNATIONAL DATA EXPORTS
7.1 Data Controller acknowledges that Data Processor and its Sub-processors may maintain data processing operations in countries that are outside of the EEA and Switzerland. As such, both Data Processor and its Sub-processors may Process Personal Data in non-EEA and non-Swiss countries. This will apply even where Data Controller has agreed with Data Processor to host Personal Data in the EEA if such non-EEA Processing is necessary to provide support-related or other services requested by Data Controller.
7.2 Where Data Controller is self-certified to the Privacy Shield Framework and transfers Personal Data from the EEA or Switzerland to Data Processor, Data Controller is obliged under the terms of the Privacy Shield Framework to flow down the following requirements and Data Processor hereby agrees:
(a) to provide at least the same level of protection to such Personal Data as is required by the Privacy Shield Principles;
(b) to notify Data Controller if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles; and
(c) upon notice, including under Section 7.2(ii) above, to work with Data Controller to take reasonable and appropriate steps to stop and remediate any unauthorized processing of the Personal Data.
7.3 The Parties agree that each Party may disclose any relevant privacy provisions in this DPA to the US Department of Commerce, the Federal Trade Commission or a relevant Supervisor.
8. OBLIGATIONS OF DATA CONTROLLER
8.1 As part of Data Controller receiving the Service under the Terms, Data Controller agrees and declares as follows:
(a) it is solely responsible for the accuracy of Personal Data and the means by which such Personal Data is acquired and the Processing of Personal Data by Data Controller, including instructing Processing by Data Processor in accordance with this DPA, is and shall continue to be in accordance with all the relevant provisions of the Applicable Data Protection Law, particularly with respect to the collection, security, protection and disclosure of Personal Data;
(b) that if Processing by Data Processor involves any “special” or “sensitive” categories” of Personal Data (as defined under Applicable Data Protection Law), Data Controller has collected such Personal Data in accordance with Applicable Data Protection Law;
(c) that Data Controller will inform its Data Subjects:
(i) about its use of data processors to Process their Personal Data, including Data Processor, to the extent required under Applicable Data Protection Law; and
(ii) that their Personal Data may be Processed outside of the European Economic Area;
(d) That it shall notify to the Data Processor the contact details of EU representative of the Data Controller, if applicable; and of the data protection officer of the Data Controller, if appointed;
(e) that it shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data by Data Controller, and to give appropriate instructions to Data Processor in a timely manner; and
(f) that it shall respond in a reasonable time to enquiries from a Supervisor regarding the Processing of relevant Personal Data by Data Controller.
9. RETURN AND DESTRUCTION OF PERSONAL DATA
9.1 Upon the termination of Data Controller’s access to and use of the Service, Data Processor will up to thirty (30) days following such termination permit Data Controller to export its Service Data, at its expense, in accordance with the capabilities of the Service. Following such period, Data Processor shall have the right to delete all Service Data stored or Processed by Data Processor on behalf of Data Controller in accordance with Data Processor’s deletion policies and procedures. Data Controller expressly consents to such deletion.
10. DURATION
10.1 This DPA will remain in force as long as Data Processor Processes Personal Data on behalf of Data Controller under the Terms.
11. LIMITATION ON LIABILITY
11.1 UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) WILL EITHER PARTY TO THIS DPA, OR THEIR AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SERVICE PROVIDERS, SUPPLIERS OR LICENSORS BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY LOST PROFITS, LOST SALES OR BUSINESS, LOST DATA (BEING DATA LOST IN THE COURSE OF TRANSMISSION VIA DATA CONTROLLER’S SYSTEMS OR OVER THE INTERNET THROUGH NO FAULT OF DATA PROCESSOR), BUSINESS INTERRUPTION, LOSS OF GOODWILL, OR FOR ANY TYPE OF INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL OR PUNITIVE LOSS OR DAMAGES, OR ANY OTHER LOSS OR DAMAGES INCURRED BY THE OTHER PARTY OR ANY THIRD PARTY IN CONNECTION WITH THIS DPA, OR THE SERVICES, REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES.
11.2 NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS DPA OR THE TERMS, DATA PROCESSOR’S AGGREGATE LIABILITY TO DATA CONTROLLER OR ANY THIRD PARTY ARISING OUT OF THIS DPA AND ANY LICENSE, USE OR EMPLOYMENT OF THE SERVICE, SHALL IN NO EVENT EXCEED THE LIMITATIONS SET FORTH IN THE TERMS.
11.3 FOR THE AVOIDANCE OF DOUBT, THIS SECTION SHALL NOT BE CONSTRUED AS LIMITING THE LIABILITY OF EITHER PARTY WITH RESPECT TO CLAIMS BROUGHT BY DATA-SUBJECTS.
12. MISCELLANEOUS
12.1 This DPA may not be amended or modified except by a writing signed by both Parties hereto. This DPA may be executed in counterparts. The terms and conditions of this DPA are confidential and each party agrees and represents, on behalf of itself, its employees and agents to whom it is permitted to disclose such information that it will not disclose such information to any third party; provided, however, that each party shall have the right to disclose such information to its officers, directors, employees, auditors, attorneys and third party contractors who are under an obligation to maintain the confidentiality thereof and further may disclose such information as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction or as reasonably necessary to comply with any applicable law or regulation. Data Controller may not, directly or indirectly, by operation of law or otherwise, assign all or any part of its rights under this DPA or delegate performance of its duties under this DPA without Data Processor’s prior consent, which consent will not be unreasonably withheld. Data Processor may, without Data Controller’s consent, assign this DPA to any affiliate or in connection with any merger or change of control of Data Processor or the sale of all or substantially all of its assets provided that any such successor agrees to fulfil its obligations pursuant to this DPA. Subject to the foregoing restrictions, this DPA will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns. This DPA and the Terms constitute the entire understanding between the Parties with respect to the subject matter herein, and shall supersede any other arrangements, negotiations or discussions between the Parties relating to that subject-matter.
13. GOVERNING LAW AND JURISDICTION
13.1 This DPA shall be governed by Belgian law. Excluding its conflict of laws rules; The Courts of Brussels (Belgium) in their territorial scope shall have exclusive jurisdiction on dispute relating thereto.
Appendix 1: Subject Matter and Details of the Data Processing
Subject Matter
Data Processor’s provision of the Services and related technical support to the Data Controller.
Duration of the Processing
The applicable Subscription Term (as defined in the Terms) plus the period from expiry of such Subscription Term until deletion of all Service Data by the Data Processor in accordance with the DPA.
Nature and Purpose of the Processing
The Data Processor will process Service Data, which qualify as Personal Data, submitted, stored, sent or received by the Data Controller, Users or End-Users (both as defined in the Terms) via the Services for the purposes of providing the Services and related technical support to Customer in accordance with the DPA.
Categories of Data
Personal data submitted, stored, sent or received by the Data Controller, Users or End-User via the Services may include the following categories of data: user IDs, email, documents, presentations, images, calendar entries, tasks and other data.
Data Subjects
Personal data submitted, stored, sent or received via the Services may concern the following categories of data subjects: Users including Data Processor’s employees and contractors; Users including Data Processor’s customers, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with Users and End-Users.
Effective as of June 1st, 2019, AGILOS-SOLUTIONS CVBA., (“Arelios”) and its subsidiaries (collectively, “Arelios” or “we” or “us” or “our”) have updated our Terms of Service (“Terms”).
THESE TERMS OF SERVICE (“TERMS”) CONSTITUTE A CONTRACT BETWEEN YOU AND ARELIOS AND GOVERN USE OF AND ACCESS TO THE SERVICE AND WEBSITE BY YOU, USERS, AND END-USERS WHETHER IN CONNECTION WITH A PAID SUBSCRIPTION TO THE SERVICE OR A FREE TRIAL OF THE SERVICE.
By accepting these Terms, or by accessing or using the Service or Website, or authorizing or permitting any User or End-User to access or use the Service, You agree to be bound by these Terms. If You are entering into these Terms on behalf of a company, organisation or another legal entity (an “Entity”), You are agreeing to these Terms for that Entity and representing to Arelios that You have the authority to bind such Entity and its affiliates to these Terms, in such case the terms “Subscriber,” “You,” “Your” or related capitalized terms herein shall refer to such Entity and its affiliates. If You do not have such authority, or if You do not agree with these Terms, You must not accept these Terms and may not use the Service.
The terms and Conditions of this Agreement apply to all Arelios Services provided to End User by Arelios directly or via one of its partners.
- DEFINITIONS
"Arelios", "we", "us" or “our” means the applicable contracting entity providing the Service to the User or End-User as specified in the ‘Contracting Entity and Applicable Law’ section. Arelios is a brand of Agilos-Solutions CVBA.
"You", "your" or “Customer” means the person or entity using the Service and identified in the applicable account record, billing statement, or Order Form as the customer.
"Agreement" means the Terms of Use and Conditions for Agilos Solutions, Services and all materials referred or linked to in here.
“Paid Users” means those types of Users (defined below) for which Arelios charge fees as set forth in its subscription catalog.
"Billing Period" means the period for which you agree to prepay fees under an Order Form, which will be the same as or shorter than the Managed Service Subscription Term. For example, if you subscribe to the Managed service for a three (3) year Subscription Term, with a twelve (12) month upfront payment, the Billing Period will be twelve (12) months.
“Confidential Information” means all information provided by you or us ("Discloser") to the other (“Receiver”), whether orally or in writing that is designated as confidential. Confidential Information will include Customer Data and information about the Discloser’s business plans, technical data, and the terms of the Order. Confidential Information does not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Discloser or (ii) was known to the Receiver before receipt from the Discloser.
"Contact" means a single individual (other than a User) whose Contact Information is stored by you in the Service.
"Contact Information" means the name, email address, phone number, online user name(s), telephone number, and similar information uploaded by you to the Managed Service.
"Order" or "Order Form" means any Arelios generated service order form executed or approved by You with respect to Your subscription to the Service, which form may detail, among other things, the number of Users authorized to use the Service under Your subscription to the Service and the Service Plan applicable to Your subscription to the Service.
"Subscription Fee" means the amount you pay for subscribing to the Service.
" Service" means all of our web-based solutions, tools, platforms, and services that you have subscribed to by an Order Form or that we otherwise make available to you, and are developed, operated, and maintained by us, and any ancillary products and services, including website hosting, that we provide to you.
“Other Services”: means third party products, applications, services, software, products, networks, systems, directories, websites, databases and information which the Service links to, or which You may connect to or enable in conjunction with the Service, including, without limitation, Other Services which may be integrated directly into Your Arelios Service.
"Subscription Term" means the initial term of your subscription to the applicable Service, as specified on your Order Form(s), and each subsequent renewal term (if any).
"Users" means your employees, representatives, consultants, contractors or agents who are authorized to use the Service for your benefit and have unique user identifications and passwords for the Services.
“Personal Data”: means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
“Processing/To Process”: means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Service Plan(s)”: means the packaged service plan(s) and the functionality and services associated therewith (as detailed on the Website applicable to the Service) for the Services to which You subscribe.
“Website”: means www.arelios.com and other websites that Arelios operates
“Software”: means software provided by Arelios (either by download or access through the internet) that allows Users and End-Users to use any functionality in connection with the Service.
- GENERAL COMMERCIAL TERMS
2.1. Access. During the Services Subscription Term, we will provide you access to use our solutions and services as described in this Agreement and the applicable Order (consistent with the Service Plan You subscribe to) for Your internal business purposes.
2.2. Availability. We try to make the Service available 24 hours a day, 7 days a week, except for planned down-time for maintenance and updates and unplanned circumstances.
2.3. Changes to Services.
We regularly change and improve our Services. We may add, alter, or remove functionality from a Service at any time without prior notice. We may also limit, suspend, or discontinue a Service at our discretion. If we discontinue a Service, we will give you reasonable advance notice to provide you with an opportunity to export a copy of your Content from that Service. We may remove content from the Services at any time in our sole discretion, although we will endeavour to notify you before we do that if it materially impacts you and if practicable under the circumstances.
2.4. Downgrades.
Downgrading your account plan may cause the loss of content, features, functionality, or capacity of your account.
- FEES AND PAYMENTS
3.1. Services Subscription Fees. The monthly subscription fee is calculated on your subscription plan rate and your usage of the Service in case of a quantity-based plan (number of users, number of business units, number of surveys or any other measurable usage as per description of you plan). The plan subscription rate will remain fixed during the Subscription Term unless you: (i) subscribe for additional Services (ii) upgrade products or base packages or (iii) subscribe to additional features.
3.2. Fee Adjustments During a Billing Period.: In any of the above cases, you will be invoiced for the additional Subscription Fee pro-rated the remaining Billing Period.
3.3. Next Billing Period. upon renewal, your subscription will be adjusted to match the new usage quantity of your plan at the end of your then-current Subscription Term. For more detail on renewal pricing, see the ‘Term and Renewal’ section below.
3.4. Payment against invoice. Unless otherwise indicated on a Form referencing these Terms and subject to Section 6.2, all charges associated with Your access to and use of the Service (“Subscription Charges”) are due in full upon commencement of Your Subscription Term. If You fail to pay Your Subscription Charges or charges for other services indicated on any Form referencing these Terms within five (5) business days of Our notice to You that payment is due or delinquent, or if You do not update payment information upon Our request, in addition to Our other remedies, We may suspend or terminate access to and use of the Service by You, Users and End-Users.
3.5. Service plan upgrade. If You choose to upgrade Your Service Plan or increase the quantity during Your Subscription Term (a “Subscription Upgrade”), any incremental Subscription Charges associated with such Subscription Upgrade will be prorated over the remaining period of Your then-current Subscription Term, charged to Your Account and due and payable upon implementation of such Subscription Upgrade. In any future Subscription Term, Your Subscription Charges will reflect any such Subscription Upgrades.
3.6. Refunds. No refunds or credits for Subscription Charges or other fees or payments will be provided to You if You elect to downgrade Your Service Plan. Downgrading Your Service Plan may cause loss of content, features, or capacity of the Service as available to You under Your Account, and Arelios does not accept any liability for such loss. Arelios reserves the right to contact You about special pricing if You maintain an exceptionally high number of Users, End-Users or other excessive stress on the Service.
3.7. Tax. Unless otherwise stated, all Our fees do not include any taxes, levies, duties or similar governmental assessments, including value-added, sales, use or withholding taxes assessable by any local, state, provincial or foreign jurisdiction (collectively “Taxes”). You are responsible for paying Taxes except those assessable against Arelios based on its income. We will invoice You for such Taxes if We believe We have a legal obligation to do so and You agree to pay such Taxes if so invoiced.
3.8. Credit card. If You pay by credit card, the Service provides an interface for the account owner to change credit card information (e.g. upon card renewal). The Account owner will receive a receipt upon each receipt of payment by Arelios, or they may obtain a receipt from within the Service to track subscription status. You hereby authorize Arelios to bill Your credit card or another payment instrument in advance on a periodic basis in accordance with the terms of the Service Plan until you terminate your Subscription, and you further agree to pay any Subscription Charges so incurred. Arelios uses a third-party intermediary to manage credit card processing and this intermediary is not permitted to store, retain or use Your billing information except to process Your credit card information for Arelios.
- USE AND ACCESS TO THE SERVICES
4.1 Permission to Use
Subject to your complete and ongoing compliance with these Terms, we grant you limited, non-transferable, non-sublicensable, revocable permission to access and use the Services for your personal, internal use during the Term at the level of service for which you have paid all applicable Fees.
4.2 Conditions of service performance
A high-speed Internet connection is required for proper transmission of the Service. You are responsible for procuring and maintaining the network connections that connect Your network to the Service, including, but not limited to, “browser” software that supports protocols used by Arelios, including Secure Socket Layer (SSL) protocol or other protocols accepted by Arelios, and to follow procedures for accessing services that support such protocols. We are not responsible for notifying You, Users or End-Users of any upgrades, fixes or enhancements to any such software or for any compromise of data, including Your Data, transmitted across computer networks or telecommunications facilities (including but not limited to the Internet) which are not owned, operated or controlled by Arelios. We assume no responsibility for the reliability or performance of any connections as described in this section.
4.3 Your Responsibilities.
You are responsible for your conduct, Content, and communications with others while using the Services. You must comply with the following requirements when using the Services:
(a) You may not purchase, use, or access the Services if You are a direct competitor of Arelios, except with Arelios’s prior written consent, (a.1) if you intend to build a competitive product or service or (a.2) for any other competitive purposes, including the monitoring performance, availability, functionality, or (a.3) for any benchmarking or competitive purposes.
(b) You may not misuse our Services by interfering with their normal operation; you may not use the Services in any manner that damages, disables, overburdens, or impairs any of our websites or interferes with any other party's use of the Services;
(c) You may not attempt to access our Services using a method other than through our interfaces and instructions that we provide or to gain unauthorized access to them;
(d) You may not circumvent or attempt to circumvent any limitations that Arelios imposes on your account (such as by opening up a new account to conduct a survey that we have closed for a Terms violation).
(e) Unless authorized by Arelios in writing, you may not probe, scan, or test the vulnerability of any Arelios system or network.
(f) Unless authorized by Arelios in writing, you may not use any manual or automated system or software to extract or scrape data from the websites or other interfaces through which we make our Services available.
(g) Unless permitted by applicable law, you may not deny others access to, or reverse engineer, the Services, or attempt to do so.
(h) You may not transmit any viruses, malware, or other types of malicious software, or links to such software, through the Services.
(i) You may not engage in abusive or excessive usage of the Services, which is usage significantly in excess of average usage patterns that adversely affects the speed, responsiveness, stability, availability, or functionality of the Services for other users. Arelios will endeavor to notify you of any abusive or excessive usage to provide you with an opportunity to reduce such usage to a level acceptable to Arelios.
(j) You may not use the Services to infringe the intellectual property rights of others, or to commit an unlawful activity.
(k) Unless authorized by Arelios in writing, you may not resell or lease the Services.
(l) If your use of the Services requires you to comply with industry-specific regulations applicable to such use, you will be solely responsible for such compliance, unless Arelios has agreed with you otherwise. You may not use the Services in a way that would subject Arelios to those industry-specific regulations without obtaining Arelios’ prior written agreement. For example, you may not use the Services to collect, protect, or otherwise handle “protected health information” (as defined in 45 C.F.R. §160.103 under United States federal regulations) without entering into a separate business associate agreement with Arelios that permits you to do so.
(m) You may not register accounts by “bots” or other automated methods.
(n) Your Content and use of the Services may not violate our Content Policy.
(o) You may not use the Services for any purpose or in any manner that is unlawful or prohibited by this Agreement.
(p) You may not reproduce, distribute, publicly display, or publicly perform the Services.
(q) You are responsible for compliance with the provisions of these Terms by Users and End-Users and for any and all activities that occur under Your Account, as well as for all Your Data. Without limiting the foregoing, You are solely responsible for ensuring that use of the Service to store and transmit Your Data is compliant with all applicable laws and regulations. You also maintain all responsibility for determining whether the Service or the information generated thereby is accurate or sufficient for Your purposes. Subject to any limitation on the number of individual Users available under the Service Plan for which You subscribed, access to and use of the Service is restricted to the specified number of individual Users permitted under Your subscription to the Service. You agree and acknowledge that each User will be identified by a unique username and password (“Login”) and that a User Login may only be used by one individual. You will not share a User Login among multiple individuals. You and Your Users are responsible for maintaining the confidentiality of all Login information for Your Account.
You will notify us right away of any unauthorized use of your Users’ identifications and passwords or your account by login to Agilos Web Support application.
- DISCLAIMER OF WARRANTIES
5.1. Warranties
The website and the service, including all server and network components are provided on an “as is” and “as available” basis, without any warranties of any kind to the fullest extent permitted by law, and Arelios expressly disclaims any and all warranties, whether express or implied, including, but not limited to, any implied warranties of merchantability, title, fitness for a particular purpose, and non-infringement. You acknowledge that Arelios does not warrant that the service will be uninterrupted, timely, secure, error-free or free from viruses or other malicious software, and no information or advice obtained by you from Arelios or through the service shall create any warranty not expressly stated in these terms.
5.2. Compliance achievement
Arelios provides you a Service that helps you achieve you GDPR compliance process. Despite the fact Arelios might provide recommendations, guidelines, indications or any kind of information related to GDPR or your own compliance status, via the platform, the chatbox or any other channel, generated by an Arelios collaborators or a third-party or a bot, Arelios does not give any guarantee of success nor compliance.
It remains your own responsibility to (a) evaluate the adequateness of the received information with your own situation, (b) assess your GDPR compliance, (c) define the corrective actions to be implemented and (d) implement them. In no case Arelios will be responsible of your level of compliance with GDPR nor of your ability to comply nor of any fines or damages you might be exposed to due to your lack of compliance.
- PROPRIETARY RIGHTS AND OWNERSHIP
6.1. Materials included in the Services
The Services are owned and operated by Agilos-Solutions. The visual interfaces, graphics, design, surveys, assessment formulas, compilation, information, data, computer code (including source code or object code), products, software, services, templates and all other elements of the Services (“Materials”) provided by Agilos-Solutions are protected by intellectual property and other laws. All Materials included in the Services are the property of Agilos-Solutions or its third party licensors. Except as expressly authorized by Agilos-Solutions, you may not make use of the Materials. Agilos-Solutions reserves all rights to the Materials not granted expressly in these Terms.
6.2. Feedback
If you choose to provide input and suggestions regarding problems with or proposed modifications or improvements to the Service (“Feedback”), then you hereby grant Buffer an unrestricted, perpetual, irrevocable, non-exclusive, fully-paid, royalty-free right to exploit the Feedback in any manner and for any purpose, including to improve the Service and create other products and services.
- SUBSCRIPTION TERM, TERMINATION, SUSPENSION
7.1. Term and Renewal.
Your initial Services subscription period will be specified in your Order, and your subscription will automatically renew for the shorter of the subscription period, or one year. To prevent renewal of the subscription, the required notice must be provided within the timeframe as specified in the ‘Subscription Types’ section below. If you add products during the Subscription Term, the fees for these additional products will be pro-rated and they will renew along with your subscription, unless otherwise indicated in your Order.
The renewal pricing set forth in your Order will apply, subject to adjustment as specified in the ‘Fees and Payments’ section above. If renewal pricing is not included in your Order, then our standard pricing available in our Product and Services Catalog on the date of renewal will apply.
See the ‘Limits’ section below for the applicability of product limits on renewal.
7.2. No Early Termination; No Refunds. The Services Subscription Term will end on the expiration date and the subscription cannot be cancelled early. We do not provide refunds if you decide to stop using the Agilos Solutions subscription during your Subscription Term.
7.3. Termination for Cause. Either party may terminate this Agreement for cause, as to any or all Services Subscription: (i) upon thirty (30) days’ notice to the other party of a material breach if such breach remains uncured at the expiration of such period, or (ii) immediately, if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, liquidation or assignment for the benefit of creditors. We may also terminate this Agreement for cause on thirty (30) days’ notice if we determine that you are acting, or have acted, in a way that has or may negatively reflect on or affect us, our prospects, or our customers. This Agreement may not otherwise be terminated prior to the end of the Subscription Term.
7.4. Suspension for Prohibited Acts. We may suspend any User’s access to any or all Services without notice for: (i) use of the Managed Service in a way that violates applicable local, laws or regulations or the terms of this Agreement.
7.5. Suspension for Non-Payment. We will provide you with notice of non-payment of any amount due. Unless the full amount has been paid, we may suspend your access to any or all of the Services Subscription ten (10) days after such notice. We will not suspend the Service while you are disputing the applicable charges reasonably and in good faith and are cooperating diligently to resolve the dispute. If a Service is suspended for non-payment, we may charge a re-activation fee to reinstate the Service.
7.6. Upon termination or expiration of this Agreement, you will stop all use of the affected Services Subscription Data. We may provide you the opportunity to retrieve Customer Data after termination or expiration as specified in the ‘Retrieval of Customer Data’ section below. If you terminate this Agreement for cause, we will promptly refund any prepaid but unused fees covering use of the Services after termination. If we terminate this Agreement for cause, you will promptly pay all unpaid fees due through the end of the Subscription Term. Fees are otherwise non-refundable.
7.7. Notice of Non-Renewal. Your subscription will automatically renew according to the ‘Term and Renewal’ section above.
Unless otherwise specified in your Order, to prevent renewal of your Services Subscription, you or we must give written notice of non-renewal and this written notice must be received no less than sixty (60) days in advance of the end of the Subscription Term. If you decide not to renew, you may send the notice of non-renewal by email to contact@agilos.com.
7.8. Retrieval of Customer Data. For Services Subscriptions, as long as you have paid all fees owed to us, if you make a written request within thirty (30) days after termination or expiration of your subscription, we will permit you to export your Customer Data, at your expense, in accordance with the capabilities of the Service. Following such period, we shall have the right to delete all Customer Data stored or Processed by us on your behalf in accordance with our deletion policies and procedures. You expressly consent to such deletion.
- DATA PRIVACY AND SECURITY; CONFIDENTIALITY
8.2. Arelios will maintain commercially reasonable administrative, physical and technical safeguards to protect the security, confidentiality, and integrity of Your Data. These safeguards include encryption of Your Data in transmission (using SSL or similar technologies), except for certain Other Services that do not support encryption, which You may link to through Service at Your election. Our compliance with the provisions of this Section 8.2 shall be deemed compliance with Our obligations to protect Your Data as set forth in Section 8.1.
8.3. You agree that Arelios and the service providers We use to assist in providing the Service to You shall have the right to access Your Account and to use, modify, reproduce, distribute, display and disclose Your Data solely to the extent necessary to provide the Service, including, without limitation, in response to Your support requests. Any third party service providers We utilize will only be given access to Your Account and Your Data as is reasonably necessary to provide the Service and will be subject to (a) confidentiality obligations which are commercially reasonable and substantially consistent with the standards described in Section 8.2; and (b) their agreement to comply with the data transfer restrictions applicable to Personal Data as set forth in Section 8.5.
Arelios may also access or disclose information about You, Your Account, Users or End-Users, including Your Data, in order to (a) comply with the law or respond to lawful requests or legal process; (b) protect Arelios’ or its customers’ or partners’ rights or property, including enforcement of these Terms or other policies associated with the Service; (c) act on a good faith belief that such disclosure is necessary to protect personal safety or avoid violation of applicable law or regulation.
8.4. We collect certain information about You, Users, and End-Users as well as Your and their respective devices, computers and use of the Service. We use, disclose, and protect this information as described in Our Privacy Policy, the then-current version of which is available at www.arelios.com/privacy_policy and is incorporated into the Terms.
8.5. To the extent Your Data include any Personal Data, You acknowledge in all cases that Arelios acts as the processor of such Personal Data and You remain the controller of such Personal Data for GDPR and any other applicable Personal Data protection regulations. You understand that if You give an integration provider access to Your Arelios account, You serve as the controller of such information and the integration provider serves as the processor for the purposes of those data laws and regulations that apply to You. In no case are such integration providers our subprocessors. The Exhibit A to these Terms includes Data Processing Agreement between You and Us which shall govern the terms of our Processing of Service Data, unless we entered into a separate Data Processing Agreement and unless neither you nor us are required to enter into a data processing agreement taking into account the nature of Service Data, location of Users and other aspects of the Services provided by Us to You.
Your Data is currently hosted by Agilos or its authorized service partners in data centres located in the European Economic Area. If Your principal location is within the European Economic Area, we will use commercially reasonable efforts to notify You at least thirty (30) days before our election to host Personal Data provided to Arelios in connection with use of the Service in data centres located outside the European Economic Area or the United States. If You are entitled to this notice and do not wish to have Your Personal Data hosted in data centres located in such other country or territory, You may terminate Your Subscription and Your Account with immediate effect upon written notice to Arelios within 30 days or Your receipt of such notice.
- GENERAL LEGAL TERMS
9.1. Publicity. You grant us the right to add your name and company logo to our customer list and website.
9.2. Indemnification. You will indemnify, defend and hold us harmless, at your expense, against any third-party claim, suit, action, or proceeding (each, an "Action") brought against us (and our officers, directors, employees, agents, service providers, licensors, and affiliates) by a third party not affiliated with us to the extent that such Action is based upon or arises out of (a) unauthorized or illegal use of the Managed Service by you, (b) your noncompliance with or breach of this Agreement, (c) your use of Third-Party Products, or (d) the unauthorized use of the Managed Service by any other person using your User information. We will: notify you in writing within thirty (30) days of our becoming aware of any such claim; give you sole control of the defence or settlement of such a claim; and provide you (at your expense) with any and all information and assistance reasonably requested by you to handle the Défense or settlement of the claim. You shall not accept any settlement that (i) imposes an obligation on us; (ii) requires us to make an admission; or (iii) imposes liability not covered by these indemnifications or places restrictions on us without our prior written consent.
9.3. Disclaimers; Limitations of Liability
- No Indirect Damages. TO THE EXTENT PERMITTED BY LAW, IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR LOSS OF PROFITS, REVENUE, DATA OR BUSINESS OPPORTUNITIES.
- Limitation of Liability. EXCEPT FOR YOUR LIABILITY FOR PAYMENT OF FEES, YOUR LIABILITY ARISING FROM YOUR OBLIGATIONS UNDER THE ‘INDEMNIFICATION’ SECTION, AND YOUR LIABILITY FOR VIOLATION OF OUR INTELLECTUAL PROPERTY RIGHTS, IF, NOTWITHSTANDING THE OTHER TERMS OF THIS AGREEMENT, EITHER PARTY IS DETERMINED TO HAVE ANY LIABILITY TO THE OTHER PARTY OR ANY THIRD PARTY, THE PARTIES AGREE THAT THE AGGREGATE LIABILITY OF A PARTY WILL BE LIMITED TO THE TOTAL AMOUNTS YOU HAVE ACTUALLY PAID FOR THE SUBSCRIPTION SERVICE IN THE TWELVE MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO A CLAIM.
9.4. Miscellaneous
- Amendment; No Waiver. We may update and change any part or all of these Customer Terms of Service, including the fees and charges associated with the use of the Services (but, your fees and charges will not change during the Subscription Term except as we explain in the ‘Fees and Payments’ section above.) When we change these Customer Terms of Service, the "Last Modified" date above will be updated to reflect the date of the most recent version.
- Force Majeure. Neither party will be responsible for failure or delay of performance if caused by: an act of war, hostility, or sabotage; act of God; electrical, internet, or telecommunication outage that is not caused by the obligated party; government restrictions; or other event outside the reasonable control of the obligated party. Each party will use reasonable efforts to mitigate the effect of a force majeure event.
- Actions Permitted. Except for actions for non-payment or breach of a party’s proprietary rights, no action, regardless of form, arising out of or relating to this Agreement may be brought by either party more than one (1) year after the cause of action has accrued.
- Compliance with Laws. We will comply with all European laws in our provision of the Subscription Service and our processing of Customer Data. You will comply with all laws in your use of the Services, including any applicable export laws.
- Severability. If any part of this Agreement is determined to be invalid or unenforceable by applicable law, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of this Agreement will continue in effect.
- Entire Agreement. This Agreement (including each subscription), is the entire agreement between us for the Services and Consulting Services and supersedes all other proposals and agreements, whether electronic, oral or written, between us. We object to and reject any additional or different terms proposed by you, including those contained in your purchase order, acceptance or website. Our obligations are not contingent on the delivery of any future functionality or features of the Services or dependent on any oral or written public comments made by us regarding future functionality or features of the Services. We might make versions of this Agreement available in languages other than English. If we do, the English version of this Agreement will govern our relationship and the translated version is provided for convenience only and will not be interpreted to modify the English version of this Agreement.
- Assignment. You will not assign or transfer this Agreement, including any assignment or transfer by reason of merger, reorganization, sale of all or substantially all of your assets, change of control or operation of law, without our prior written consent, which will not be unreasonably withheld. We may assign this Agreement to any affiliate or in the event of merger, reorganization, sale of all or substantially all of our assets, change of control or operation of law.
- Authority. Each party represents and warrants to the other that it has full power and authority to enter into this Agreement and that it is binding upon such party and enforceable in accordance with its terms.
- Survival. The following sections shall survive the expiration or termination of this Agreement: 'Definitions’, ‘Fees and Payments’, 'Prohibited and Unauthorized Use', ‘No Early Termination; No Refunds’, ‘Termination for Cause’, ‘Suspension for Prohibited Acts’, ‘Suspension for Non-Payment’, ‘Effect of Termination or Expiration’, ‘Retrieval of Customer Data’, ‘Customer’s Proprietary Rights’, 'Confidentiality’, ‘Publicity’, ‘Indemnification’, ‘Disclaimers; Limitations of Liability’, ‘Miscellaneous’ and ‘Contracting Entity and Applicable Law’.
- JURISDICTION SPECIFIC TERMS
- Contracting Entity and Applicable Law. This Agreement, its construction, validity or performance, shall be governed by Belgian law. Excluding its conflict of laws rules; The Courts of Brussels (Belgium) in their territorial scope shall have exclusive jurisdiction on dispute relating thereto.
*************Exhibit A: Data Processing Agreement*************
This Data Processing Agreement (the “DPA”) is made between Arelios as the data processor (the “Data Processor”) and the Subscriber as the data controller (the “Data Controller”) to reflect the parties’ agreement with respect to the terms governing the Processing of Personal Data under the Terms. In case of discrepancy between DPA and the Terms, DPA prevails.
1. DEFINITIONS
1.1 Capitalized terms used in this DPA shall have the meanings given to them in the Terms and below:
(a) Applicable Data Protection Law: means the following data protection law(s)): means (i) where Data Controller is established in a European Economic Area (“EEA”) member state or where Data Controller’s Agents or End-Users access the Services from an EEA member state: GDPR; and (ii) where Data Controller is established in Switzerland, the Swiss Federal Act of 19 June 1992 on Data Protection (as may be amended or superseded).
(b) Privacy Shield Framework: means the EU-U.S. and/or Swiss-U.S. Privacy Shield self-certification program operated by the US Department of Commerce
(c) Privacy Shield Principles: means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded, or replaced
(d) Sub-processor: means any third party data processor engaged by Data Processor, who receives Personal Data from Data Processor for processing on behalf of Data Controller and in accordance with Data Controller’s instructions (as communicated by Data Processor) and the terms of its written subcontract.
(e) Supervisor: means any Data Protection Supervisory Authority with competence over Data Controller’s and Data Processor’s Processing of Personal Data.
2. PURPOSE
2.1 Pursuant to the Terms the Data Controller is granted a license to access and use the Service. In providing the Service, Data Processor will engage, on behalf of Data Controller, in the Processing of Personal Data submitted to and stored within the Service by Data Controller.
2.2 The Parties are entering into this DPA to ensure that the Processing by Data Processor of Personal Data, within the Service by Data Controller and/or on its behalf, is done in a manner compliant with Applicable Data Protection Law and its requirements regarding the collection, use and retention of Personal Data of Data Subjects.
3. OWNERSHIP OF THE SERVICE DATA
3.1 As between the Parties, all Service Data Processed under the terms of this DPA and the Terms shall remain the property of Data Controller. Under no circumstances will Data Processor act, or be deemed to act, as a “controller” (or equivalent concept) of the Service Data Processed within the Service under any Applicable Data Protection Law.
4. OBLIGATIONS OF DATA PROCESSOR
4.1 The Parties agree that the subject-matter and duration of Processing performed by Data Processor under this DPA, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Appendix 1 of this DPA and in the Terms.
4.2 As part of Data Processor providing the Service to Data Controller under the Terms, Data Processor agrees and declares as follows:
(a) to process Personal Data in accordance with Data Controller’s documented instructions as set out in the Terms and this DPA or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Applicable Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(b) to ensure that all staff and management of any member of the Processor are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) to implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a “Data Security Breach”), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected;
(d) to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller’s Service Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;
(e) to comply with the requirements of Section 5 (Use of Sub-processors) when engaging a Sub-processor;
(f) taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a “Data Subject Request”). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Data Processor, Data Processor, shall, on Data Controller’s request and at Data Controller’s reasonable expense, address the Data Subject Request, as required under the Applicable Data Protection Law;
(g) upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Applicable Data Protection Law;
(h) upon termination of Data Controller’s access to and use of the Service, to comply with the requirements of Section 9 (Return and Destruction of Personal Data);
(i) to comply with the requirements of Section 6 (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DPA; and
(j) to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DPA, including the measures detailed in Exhibit A to this DPA.
(k) Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller’s Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
5. USE OF SUB-PROCESSORS
5.1 Data Controller agrees that Data Processor may appoint Sub-processors to assist it in providing the Service and Processing Personal Data provided that such Sub-processors:
(a) agree to act only on Data Processor’s instructions when Processing the Personal Data (which instructions shall be consistent with Data Controller’s Processing instructions to Data Processor); and
(b) agree to protect the Personal Data to a standard consistent with the requirements of this DPA, including by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they Process consistent with the Security Standards described in Appendix 2.
5.2 Data Processor agrees and warrants to remain liable to Data Controller for the subcontracted Processing services of any of its direct or indirect Sub-Processors under this DPA. Data Processor shall maintain an up-to-date list of the names and location of all Sub-Processors used for the Processing of Personal Data under this DPA at https://www.productboard.com/subprocessors/. Data Processor shall update the list of any Sub-Processor to be appointed at least 30 days prior to the date on which the Sub-Processor shall commence processing Personal Data.
5.3 In the event that Data Controller objects to the Processing of its Personal Data by any newly appointed Sub-Processor as described in Section 5.2, it shall inform Data Processor immediately. In such event, Data Processor will either (a) instruct the Sub-Processor to cease any further processing of Data Controller’s Personal Data, in which event this DPA shall continue unaffected, or (b) allow Data Controller to terminate this DPA (and any related services DPA with Data Processor) immediately and provide it with a pro rata reimbursement of any sums paid in advance for Services to be provided but not yet received by Data Controller as of the effective date of termination.
5.4 In addition, and as stated in the Terms, the Service provides links to integrations with Third Party Services, including, without limitation, certain Third Party Services which may be integrated directly into Data Controller’s account or instance in the Service. If Data Controller elects to enable, access or use such Third Party Services, its access and use of such Third Party Services is governed solely by the terms and conditions and privacy policies of such Third Party Services, and Data Processor does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Third Party Services, including, without limitation, their content or the manner in which they handle Service Data (including Personal Data) or any interaction between Data Controller and the provider of such Third Party Services. Data Processor is not liable for any damage or loss caused or alleged to be caused by or in connection with Data Controller’s enablement, access or use of any such Third Party Services, or Data Controller’s reliance on the privacy practices, data security processes or other policies of such Third Party Services. The providers of Third Party Services shall not be deemed Sub-processors for any purpose under this DPA.
6. AUDIT
6.1 The Parties acknowledge that Data Processor may use external auditors to verify the adequacy of its security measures, including the security of the physical data centres from which Data Processor provides its data processing services.
6.2 Data Processor shall provide responsive and detailed information to Data Controller’s requests for information (including any requests by Data Controller under instruction from Data Subjects), which may include responses to relevant information security and audit questionnaires.
6.3 At Data Controller’s written request, Data Processor will provide Data Controller with a confidential summary of the Report (“Summary Report”) so that Data Controller can reasonably verify Data Processor’s compliance with the security and audit obligations under this DPA. The Summary Report will constitute Data Processor’s Confidential Information under the confidentiality provisions of Data Processor’s Terms.
7. INTERNATIONAL DATA EXPORTS
7.1 Data Controller acknowledges that Data Processor and its Sub-processors may maintain data processing operations in countries that are outside of the EEA and Switzerland. As such, both Data Processor and its Sub-processors may Process Personal Data in non-EEA and non-Swiss countries. This will apply even where Data Controller has agreed with Data Processor to host Personal Data in the EEA if such non-EEA Processing is necessary to provide support-related or other services requested by Data Controller.
7.2 Where Data Controller is self-certified to the Privacy Shield Framework and transfers Personal Data from the EEA or Switzerland to Data Processor, Data Controller is obliged under the terms of the Privacy Shield Framework to flow down the following requirements and Data Processor hereby agrees:
(a) to provide at least the same level of protection to such Personal Data as is required by the Privacy Shield Principles;
(b) to notify Data Controller if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles; and
(c) upon notice, including under Section 7.2(ii) above, to work with Data Controller to take reasonable and appropriate steps to stop and remediate any unauthorized processing of the Personal Data.
7.3 The Parties agree that each Party may disclose any relevant privacy provisions in this DPA to the US Department of Commerce, the Federal Trade Commission or a relevant Supervisor.
8. OBLIGATIONS OF DATA CONTROLLER
8.1 As part of Data Controller receiving the Service under the Terms, Data Controller agrees and declares as follows:
(a) it is solely responsible for the accuracy of Personal Data and the means by which such Personal Data is acquired and the Processing of Personal Data by Data Controller, including instructing Processing by Data Processor in accordance with this DPA, is and shall continue to be in accordance with all the relevant provisions of the Applicable Data Protection Law, particularly with respect to the collection, security, protection and disclosure of Personal Data;
(b) that if Processing by Data Processor involves any “special” or “sensitive” categories” of Personal Data (as defined under Applicable Data Protection Law), Data Controller has collected such Personal Data in accordance with Applicable Data Protection Law;
(c) that Data Controller will inform its Data Subjects:
(i) about its use of data processors to Process their Personal Data, including Data Processor, to the extent required under Applicable Data Protection Law; and
(ii) that their Personal Data may be Processed outside of the European Economic Area;
(d) That it shall notify to the Data Processor the contact details of EU representative of the Data Controller, if applicable; and of the data protection officer of the Data Controller, if appointed;
(e) that it shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data by Data Controller, and to give appropriate instructions to Data Processor in a timely manner; and
(f) that it shall respond in a reasonable time to enquiries from a Supervisor regarding the Processing of relevant Personal Data by Data Controller.
9. RETURN AND DESTRUCTION OF PERSONAL DATA
9.1 Upon the termination of Data Controller’s access to and use of the Service, Data Processor will up to thirty (30) days following such termination permit Data Controller to export its Service Data, at its expense, in accordance with the capabilities of the Service. Following such period, Data Processor shall have the right to delete all Service Data stored or Processed by Data Processor on behalf of Data Controller in accordance with Data Processor’s deletion policies and procedures. Data Controller expressly consents to such deletion.
10. DURATION
10.1 This DPA will remain in force as long as Data Processor Processes Personal Data on behalf of Data Controller under the Terms.
11. LIMITATION ON LIABILITY
11.1 UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) WILL EITHER PARTY TO THIS DPA, OR THEIR AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SERVICE PROVIDERS, SUPPLIERS OR LICENSORS BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY LOST PROFITS, LOST SALES OR BUSINESS, LOST DATA (BEING DATA LOST IN THE COURSE OF TRANSMISSION VIA DATA CONTROLLER’S SYSTEMS OR OVER THE INTERNET THROUGH NO FAULT OF DATA PROCESSOR), BUSINESS INTERRUPTION, LOSS OF GOODWILL, OR FOR ANY TYPE OF INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL OR PUNITIVE LOSS OR DAMAGES, OR ANY OTHER LOSS OR DAMAGES INCURRED BY THE OTHER PARTY OR ANY THIRD PARTY IN CONNECTION WITH THIS DPA, OR THE SERVICES, REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES.
11.2 NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS DPA OR THE TERMS, DATA PROCESSOR’S AGGREGATE LIABILITY TO DATA CONTROLLER OR ANY THIRD PARTY ARISING OUT OF THIS DPA AND ANY LICENSE, USE OR EMPLOYMENT OF THE SERVICE, SHALL IN NO EVENT EXCEED THE LIMITATIONS SET FORTH IN THE TERMS.
11.3 FOR THE AVOIDANCE OF DOUBT, THIS SECTION SHALL NOT BE CONSTRUED AS LIMITING THE LIABILITY OF EITHER PARTY WITH RESPECT TO CLAIMS BROUGHT BY DATA-SUBJECTS.
12. MISCELLANEOUS
12.1 This DPA may not be amended or modified except by a writing signed by both Parties hereto. This DPA may be executed in counterparts. The terms and conditions of this DPA are confidential and each party agrees and represents, on behalf of itself, its employees and agents to whom it is permitted to disclose such information that it will not disclose such information to any third party; provided, however, that each party shall have the right to disclose such information to its officers, directors, employees, auditors, attorneys and third party contractors who are under an obligation to maintain the confidentiality thereof and further may disclose such information as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction or as reasonably necessary to comply with any applicable law or regulation. Data Controller may not, directly or indirectly, by operation of law or otherwise, assign all or any part of its rights under this DPA or delegate performance of its duties under this DPA without Data Processor’s prior consent, which consent will not be unreasonably withheld. Data Processor may, without Data Controller’s consent, assign this DPA to any affiliate or in connection with any merger or change of control of Data Processor or the sale of all or substantially all of its assets provided that any such successor agrees to fulfil its obligations pursuant to this DPA. Subject to the foregoing restrictions, this DPA will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns. This DPA and the Terms constitute the entire understanding between the Parties with respect to the subject matter herein, and shall supersede any other arrangements, negotiations or discussions between the Parties relating to that subject-matter.
13. GOVERNING LAW AND JURISDICTION
13.1 This DPA shall be governed by Belgian law. Excluding its conflict of laws rules; The Courts of Brussels (Belgium) in their territorial scope shall have exclusive jurisdiction on dispute relating thereto.
Appendix 1: Subject Matter and Details of the Data Processing
Subject Matter
Data Processor’s provision of the Services and related technical support to the Data Controller.
Duration of the Processing
The applicable Subscription Term (as defined in the Terms) plus the period from expiry of such Subscription Term until deletion of all Service Data by the Data Processor in accordance with the DPA.
Nature and Purpose of the Processing
The Data Processor will process Service Data, which qualify as Personal Data, submitted, stored, sent or received by the Data Controller, Users or End-Users (both as defined in the Terms) via the Services for the purposes of providing the Services and related technical support to Customer in accordance with the DPA.
Categories of Data
Personal data submitted, stored, sent or received by the Data Controller, Users or End-User via the Services may include the following categories of data: user IDs, email, documents, presentations, images, calendar entries, tasks and other data.
Data Subjects
Personal data submitted, stored, sent or received via the Services may concern the following categories of data subjects: Users including Data Processor’s employees and contractors; Users including Data Processor’s customers, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with Users and End-Users.