This Agreement governs Customer’s use of the QuotaPath software-as-a-service application (located at https://app.quotapath.com and described at https://www.quotapath.com/features), including all versions and updates to the application, the related documentation, and all other related software, mobile applications, content, data, and services provided by QuotaPath (collectively, the “Services”).
1. License Grant, Restrictions, Use of Services
1.1 License. In the event of a conflict between the terms in an Order Form and this Agreement, the terms in the Order Form shall control with respect the Services provided under such Order Form. QuotaPath will make the Services available on a limited, revocable, non-exclusive basis, subject to and conditioned on the terms and conditions set forth in this Agreement and all other applicable policies, rules, and agreements posted via the Services. Customer is responsible for all acts and omissions of all persons who use the Services via Customer’s QuotaPath account (each, a “User”) and for ensuring their compliance with this Agreement.
1.2 Mobile Apps. QuotaPath may make available mobile software applications for access to and use of certain components of the Services (collectively, “Mobile Apps”). Customer’s access to and use of Mobile Apps is subject to and governed by this Agreement and all other applicable policies, rules, and agreements posted via the Services. Use of any Mobile App downloaded from app store provider (each, an “Mobile App”) is further subject to Customer’s compliance in all material respects with the terms and conditions of the terms and conditions set forth in the app store provider’s terms of service, as applicable.
1.3.1 No Reverse Engineering and other Limitations. Customer will not (and will not allow Users to) (a) reverse engineer, decompile, disassemble or translate the Services, or otherwise attempt to derive source code, trade secrets, or know-how in or underlying the Services or any portion thereof; (b) interfere with, modify, disrupt, or disable features or functionality of the Services, including without limitation any such mechanism used to restrict or control the functionality, or defeat, avoid, bypass, remove, deactivate, or otherwise circumvent any software protection or monitoring mechanisms of the Services; (c) copy, sell, rent, lease, sublicense, transfer, distribute, redistribute, syndicate, create derivative works of, assign, or otherwise transfer or provide access to, in whole or in part, the Services (including the content or data therein) to any third party except as expressly permitted herein; (d) provide use of the Services on a service bureau, rental or managed services basis, provide or permit other individuals or entities to create Internet “links” to Services or “frame” or “mirror” the Services on any other server, or wireless or Internet-based device; (e) use the Services for any illegal, unauthorized, or otherwise improper purposes, including without limitation to store or transmit infringing, libelous, or otherwise unlawful or tortious material, to store or transmit malicious code, or to store or transmit material in violation of third-party privacy rights; (f) interfere with or disrupt the integrity or performance of the Services including by disrupting the ability of any other person to use or enjoy the Services, or attempt to gain unauthorized access to the Services or related systems or networks; (g) access the Services in order to build a similar or competitive product or service; (h) remove or alter any proprietary notices or marks on the Services; or (i) use spiders, crawlers, robots, scrapers, automated tools, or any other similar means to access the Services (including the content or data therein), or substantially download, reproduce, or archive any portion of the Services or such content or data.
1.3.2 Prohibited Use. Customer is solely responsible and liable for all content, data, information, and other materials that Users submit to the Services (“Customer Content”). For example, Users may not use the Services to abuse, harass, or annoy other users or individuals, to violate contractual obligations to others (such as contractual obligations of confidentiality), or to violate the intellectual property, privacy, and other rights of others. Users will not submit, upload, or post to the Services or otherwise provide to QuotaPath (a) any production data or any confidential or sensitive information, such as protected health information or consumer financial information; (b) infringing, libelous, or otherwise unlawful or tortious material; (c) software viruses, malware, or any other code, files or programs designed to interrupt, destroy or limit the functionality of any software or hardware (“Viruses”). Customer agrees that it is solely responsible for determining whether Users have sufficient rights to share Customer Content in such manner, and QuotaPath shall have no liability whatsoever for any injuries, losses or damages arising from such misuse of the Services, or any components or modifications thereof. QuotaPath may immediately suspend Customer’s access to the Services or delete or prevent Users from accessing some or all of the materials in Customer’s account upon receipt of a complaint from a third party claiming that any Users have shared content, data, information, documents, or other materials to or via use of the Services in violation of such third party’s rights. QuotaPath’s failure to enforce any of these prohibitions shall not act as a waiver for any future enforcement, will not be considered a breach of this Agreement by QuotaPath, and does not create a private right of action for any other party.
1.4 Account. Users may not share account password(s) with any third party. Customer agrees to immediately notify QuotaPath of any loss or unauthorized access, disclosure, or use of any User account, a personal User login, or password. Customer is fully responsible for all activities that occur under any User account. If any User’s account remains inactive for three months or longer, QuotaPath reserves the right to suspend or terminate such account, with or without notice to Customer, and delete all material within such account without liability.
2. Modifying and Terminating the Services.
2.1 Modifying the Services. QuotaPath may add or remove functionalities or features, or suspend or stop a part or all of the Services altogether for any reason, including without limitation for non-compliance with our terms or policies or if we are investigating suspected misconduct. This Agreement is effective upon the earliest of Customer’s acceptance of this Agreement, the creation of an account, or Customer’s access or use of the Services.
2.2. Terminating the Services. Either party may terminate this Agreement for cause upon 30 calendar days’ prior written notice to the other party of a material breach by the other party, if such breach remains uncured at the end of such period.
3. Payment and Fees.
3.1 Fees and Expenses. Customer shall pay all agreed upon fees for the Services as set forth in the applicable Order Form (“Fees”) and in accordance with terms set forth in such Order Form.
3.2 Payment Terms. Customer will pay Fees within 30 days of the invoice date.
3.3 Late Payments. QuotaPath may revoke or suspend the Services for failure to pay any past due invoice. QuotaPath may charge interest on all past due invoices at a rate of 1.5% per month, or the highest rate allowed by applicable law, whichever is lower. If Customer is delinquent in its payments for two (2) consecutive months, QuotaPath may, upon written notice to Customer, modify the payment terms to require full pre-payment of any or all Order Forms (both currently contracted and in the future), or require other assurances to secure Customer’s payment obligations hereunder.
3.4 Taxes. QuotaPath’s Fees do not include any taxes, and Customer is responsible for paying all taxes associated with its purchases hereunder, including any withheld taxes.
3.5 Automatic Renewal. At the end of the term outlined in the applicable Order Form, this Agreement shall be renewed automatically for succeeding terms of equal duration (“Renewal Terms”) unless either party gives notice to the other at least 30 days prior to the expiration of any term of said party’s intention not to renew this Agreement.
4. Proprietary Rights
4.1 Reservation of Rights in the Services. The Services furnished under this Agreement are licensed and not sold to Customer, and all rights not expressly granted in this Agreement are reserved by QuotaPath. QuotaPath possesses all right, title and interest in and to the Services and all copyrights, patents, trademarks, service marks, trade names, trade dress, trade secrets and any other proprietary rights that are associated with the Services throughout the world, and Customer acknowledges that it receives no right, title or interest to the Services except for the limited rights provided within this Agreement. QuotaPath also retains title to any and all copies made of any embodiments or features of the Services, and, upon any termination of this Agreement, all such copies must be returned to QuotaPath or destroyed, at QuotaPath’s instruction. Customer has no rights to receive any source or object code for the Services, or to use the Services except as expressly set forth in this Agreement. Customer agrees not to contest QuotaPath’s title and intellectual property rights in or to the Services.
4.2 Workspace Domains. QuotaPath may assign or approve a dedicated domain name to be associated with Customer’s account, otherwise known as Customer’s “Workspace” (e.g., “Acme.QuotaPath.com”). Customer will have no proprietary rights in or to such Workspace domain name. QuotaPath reserves all rights in connection with the domain name, including, without limitation, the right at any time to take back such dedicated domain name, with or without notice to Customer and with or without reassigning a different domain name for use in connection with Customer’s Workspace. QuotaPath may reassign any domain name for use by another user of the Services.
4.3 Confidential Information.
4.3.1 Nondisclosure. “Confidential Information” means the proprietary information provided or made available by one party (the “Disclosing Party”) to the other party (the “Receiving Party”), which is marked “confidential” or “proprietary” at the time of disclosure by the Disclosing Party, or by its nature or content would reasonably be considered confidential under the circumstances by the Receiving Party, including without limitation, information (tangible or intangible) regarding a party’s technology, designs, techniques, research, know-how, specifications, product plans, pricing, customer information, user data, current or future strategic information, current or future business plans, policies or practices, employee information, and other business and technical information. Confidential Information of QuotaPath includes the Services and the pricing of the Services. Receiving Party agrees that it will not (a) use the Disclosing Party’s Confidential Information in any way, for its own benefit or the benefit of any third party, except as expressly permitted by, or as required to implement, this Agreement, or (b) disclose Confidential Information of the Disclosing Party to any third party except as expressly permitted by this Agreement, required by law or to such party’s attorneys, accountants, and other advisors as reasonably necessary to implement this Agreement, provided that such individuals are bound by written confidentiality provisions at least as restrictive as this Agreement. Receiving Party will secure and protect the confidentiality of the Confidential Information of the Disclosing Party using precautions that are at least as stringent as it takes to protect its own Confidential Information, but in no case less than reasonable precautions.
4.3.2 Exceptions. Receiving Party will have no obligations of confidentiality under Section 4.3.1 for information that is proven by Receiving Party (a) to have been known to Receiving Party prior to its receipt from Disclosing Party from a source other than one having an obligation of confidentiality to Disclosing Party; (b) to have become publicly known, except through a breach of this Agreement by Receiving Party; or (c) to have been entirely independently developed by Receiving Party without use of or reference to the Confidential Information of Disclosing Party. Receiving Party may disclose Confidential Information pursuant to the requirements of a governmental agency or applicable law, provided that, to the extent permitted, it will give Disclosing Party reasonable prior written notice sufficient to permit Disclosing Party to contest such disclosure.
4.4 Feedback. All discoveries, developments, techniques, advice, feedback, suggestions, improvements and similar information developed or provided by Customer related to the Services (“Feedback”) shall be the sole property of QuotaPath, and Customer hereby assigns to QuotaPath all rights, title, and interest in and to any such Feedback. QuotaPath shall be the sole owner of all patents, copyrights, and other rights arising therefrom or in connection therewith, and may freely use, sell and exploit the Feedback without Customer’s consent or any obligation to render an accounting or share profits or royalties.
4.5 Customer Content.
The Services allow Users to submit Customer Content. Customer acknowledges and agrees that by uploading or otherwise submitting Customer Content to QuotaPath or the Services, Customer gives QuotaPath (and those we work with) a royalty-free, worldwide license to use, host, store, reproduce, modify, create derivative works, communicate, publish, and distribute such content. The rights Customer grants in this provision are for the limited purpose of operating, promoting, and improving the Services, and to develop new products and services. This license survives termination of this Agreement.
5. Data Privacy.
6. Warranties and Disclaimers.
6.1 Mutual Warranties. Each party warrants to the other that: (a) it has the legal power and authority to enter into this Agreement; (b) it shall at all times comply with all privacy, data security and other laws and regulations applicable to their activities and geographic territory; and (c) the performance of its obligations and duties pursuant to this Agreement does not conflict with any contractual obligations owed to any third party (including, without limitation, obligations of confidentiality).
6.2 No Warranty. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, AND EXCEPT FOR THE EXPRESS WARRANTIES SET OUT IN THIS SECTION 6, THE SERVICES, INCLUDING ANY DOCUMENTATION, ARE PROVIDED “AS IS,” “AS AVAILABLE,” WITH ALL FAULTS, AND CUSTOMER’S USE OF THE SERVICES IS AT CUSTOMER’S SOLE RISK. QUOTAPATH MAKES, AND CUSTOMER RECEIVES, NO OTHER EXPRESS OR IMPLIED WARRANTIES OF ANY KIND, AND QUOTAPATH SPECIFICALLY DISCLAIMS AND EXCLUDES ALL OTHER REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ALL WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT; ALL WARRANTIES ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE; AND ALL STATUTORY REMEDIES. QUOTAPATH DOES NOT WARRANT THAT THE SERVICES, OR ANY OTHER PRODUCT OR SERVICE PROVIDED HEREUNDER, WILL BE UNINTERRUPTED, ERROR-FREE, VIRUS-FREE OR SECURE. NO STATEMENT, WHETHER MADE BY QUOTAPATH’S EMPLOYEES, AGENTS, OR OTHERWISE, SHALL BE DEEMED TO BE A WARRANTY BY QUOTAPATH FOR ANY PURPOSE OR TO GIVE RISE TO ANY LIABILITY ON THE PART OF QUOTAPATH. WITHOUT LIMITING THE GENERALITY OF ANY OF THE FOREGOING, QUOTAPATH DOES NOT MAKE ANY REPRESENTATIONS OR WARRANTIES, AND SPECIFICALLY DISCLAIMS, THAT CUSTOMER WILL EARN ANY COMMISSIONS, INCOME, OR OTHER REVENUES (OR EXPERIENCE AN INCREASE IN ANY OF THE FOREGOING) THROUGH USE OF THE SERVICES, AND NO ASPECT OF THE SERVICES SHALL BE CONSTRUED TO PROVIDE ANY LEGAL OR FINANCIAL ADVICE (INCLUDING, WITHOUT LIMITATION, PERTAINING TO THE VALIDITY, INTERPRETATION, OR ENFORCEABILITY OF ANY CONTRACTS PERTAINING TO THE PAYMENT OR EARNING OF COMMISSIONS OR OTHER INCOME). THIS DISCLAIMER OF WARRANTY MAY NOT BE VALID IN SOME JURISDICTIONS AND CUSTOMER MAY HAVE WARRANTY RIGHTS UNDER LAW WHICH MAY NOT BE WAIVED OR DISCLAIMED. ANY SUCH WARRANTY EXTENDS ONLY FOR THIRTY (30) DAYS FROM THE EFFECTIVE DATE OF THIS AGREEMENT (UNLESS SUCH LAW PROVIDES OTHERWISE).
7.1 Customer Indemnification. Customer hereby agrees to defend, at Customer’s own expense, and hold harmless QuotaPath from and against all third party claims, suits, and actions (“Claims”) against QuotaPath to the extent resulting from or arising out of (a) the Users’ actual or alleged breach of any of Customer representations, warranties, or obligations under the Agreement; (b) the Users’ use or misuse of the Services, including, without limitation, by using the Services in violation of this Agreement or any other applicable policies, agreements, or rules posted via the Services or otherwise made available to Customer; or (c) any content or data submitted by the Users through the QuotaPath Services, including any Viruses or other material that violates any third-party proprietary rights or any contractual or fiduciary obligation owed to a third party (including, without limitation, contractual confidentiality obligations owed to a third party). Customer further agrees to fully indemnify QuotaPath from all losses, expenses, damages and costs (including, but not limited to, reasonable attorneys’ fees), to the extent arising from such a claim, suit, or action.
7.2 QuotaPath Indemnification. QuotaPath agrees to defend, at QuotaPath’s own expense, and hold harmless Customer from and against all Claims against Customer to the extent resulting from or arising out of any third-party claim alleging any gross negligence or willful misconduct of QuotaPath in connection with the performance of its obligations under this Agreement.
8. Limitation of Liability.
8.1 Waiver of Consequential Damages. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY NOR ITS AFFILIATES WILL BE RESPONSIBLE FOR ANY LOST PROFITS OR REVENUES, LOSS OF OR INABILITY TO ACCESS DATA, INFORMATION, AND OTHER CONTENT, LOSS OF GOODWILL OR FINANCIAL LOSSES, OR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES.
8.2 Damages Cap. TO THE FULLEST EXTENT PERMITTED BY LAW, THE TOTAL LIABILITY OF EACH PARTY AND ITS AFFILIATES FOR ANY AND ALL CLAIMS UNDER THIS AGREEMENT, INCLUDING RELATED TO USE OF THE SERVICES, IS LIMITED TO, IN THE AGGREGATE, THE AMOUNT CUSTOMER PAID FOR THE SERVICES IN THE TWELVE (12) MONTH PERIOD PRIOR TO THE DATE THE CLAIM(S) FIRST AROSE.
8.3 Exclusions. IN NO CASE SHALL EITHER PARTY OR ITS AFFILIATES BE LIABLE FOR ANY LOSS OR DAMAGE THAT IS NOT REASONABLY FORESEEABLE OR THAT IS DUE TO EVENTS OUTSIDE OF THE OTHER PARTY’S REASONABLE CONTROL, SUCH AS WARS, CRIMINAL ACTIVITIES, STORMS, NATURAL DISASTERS, ACTS OF GOVERNMENT, ACTS OF THIRD PARTIES, SUPPLY INTERRUPTIONS, HEALTH EMERGENCIES, OR TELECOMMUNICATION OR INTERNET FAILURES. IN NO EVENT WILL QUOTAPATH HAVE ANY LIABILITY WHATSOEVER WITH REGARD TO ANY CONTENT, DATA, OR OTHER MATERIAL UPLOADED TO THE SERVICES BY CUSTOMER.
8.4 Material Part of Agreement. THE FOREGOING LIMITATIONS, EXCLUSIONS AND DISCLAIMERS, INCLUDING DISCLAIMERS OF WARRANTIES, SHALL APPLY REGARDLESS OF WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. INSOFAR AS APPLICABLE LAW PROHIBITS ANY LIMITATION ON LIABILITY HEREIN, THE PARTIES AGREE THAT SUCH LIMITATION WILL BE AUTOMATICALLY MODIFIED, BUT ONLY TO THE EXTENT SO AS TO MAKE THE LIMITATION COMPLIANT WITH APPLICABLE LAW. THE PARTIES AGREE THAT THE LIMITATIONS ON LIABILITIES SET FORTH HEREIN ARE AGREED ALLOCATIONS OF RISK AND SUCH LIMITATIONS WILL APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
9.1 Governing Law. This Agreement and any claim, controversy or dispute arising under or related to this Agreement shall be governed in all respects by the laws of the State of Delaware, USA, without giving effect to any law that would result in the application of a different body of law. The United Nations Convention for the International Sale of Goods and the Uniform Computer Information Transaction Act shall not apply to this Agreement. Any controversy or dispute arising under or related to this Agreement shall be adjudicated in the state and federal courts in and for Delaware (including their applicable appellate courts), and each party consents to the exercise of jurisdiction and venue by such courts; provided, however, that QuotaPath may seek temporary or emergency injunctive relief, as well as specific performance, in any court of competent jurisdiction to protect or preserve its rights in its intellectual property or its Confidential Information, without the need for posting bond. THE PARTIES AGREE THAT ALL CLAIMS SHALL BE RESOLVED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS, CONSOLIDATED OR REPRESENTATIVE ACTION OR OTHER SIMILAR PROCESS (INCLUDING ARBITRATION). IF FOR ANY REASON A CLAIM PROCEEDS IN COURT, THE PARTIES WAIVE ANY RIGHT TO A JURY TRIAL.
9.2 Notices. All notices or reports shall be in writing and shall be delivered by personal delivery, overnight mail or by certified or registered mail, return receipt requested, and shall be deemed given upon personal delivery, five days after deposit in the mail, or upon receipt of personal delivery. Notices to QuotaPath shall be sent to QuotaPath Inc., 2815 Manor Road STE 204, Austin, TX 78722 (or such other address as QuotaPath designates by notice sent pursuant to this paragraph), and shall be addressed to QuotaPath’s CEO, with a copy (which shall not constitute notice) to the attention of Ryan Gravelle, at Kastner Gravelle LLP, 1000 N. Lamar Blvd., Suite 300, Austin, TX 78703. All notices to Customer may be sent to the latest business or e-mail address associated with Customer’s account for the Services.
9.3 No Agency. The parties to this Agreement are independent contractors and nothing in this Agreement shall be deemed to create a joint venture, partnership, or agency relationship between the parties in this Agreement. There are no third-party beneficiaries to this Agreement.
9.4 Waiver. If one party fails to enforce a provision of this Agreement, it shall not be precluded from enforcing the same provision at another time. To be effective any waiver must be in writing and executed by an authorized signatory of the party to be charged with such waiver.
9.5 Severability. If any provision of this Agreement is deemed unenforceable or invalid by law or by a court decision, the provision shall be changed and interpreted, if possible, to accomplish the intent of the provision within the constraints of the law. Only that provision that is deemed unenforceable or invalid, and not the entire Agreement, shall be invalidated.
9.6 Assignment. Customer may not assign this Agreement, in whole or in part, whether voluntarily or by operation of law, contract, merger (whether Customer is the surviving or disappearing entity), stock or asset sale, consolidation, dissolution, through government action or otherwise, to any third party or agency without the prior written consent of QuotaPath. QuotaPath may assign or delegate this Agreement, in whole or in part, without Customer’s consent at any time. QuotaPath may also, without notice, utilize subcontractors and agents to provide aspects of the Services.
9.7 Trademarks. Neither party shall have the right to use the other party’s name, trademarks, tradenames without the prior written approval of the other party in each instance (such consent to be granted or withheld in such party’s sole discretion), provided that QuotaPath may list Customer’s name and/or logo to indicate Customer as a customer of QuotaPath on its website and in its marketing and sales materials.
9.8 Entire Agreement. This Agreement, including all applicable orders, addenda, exhibits and attachments hereto, constitutes the sole, final and entire agreement between the parties with respect to the subject matter hereof, and supersedes any and all prior and contemporaneous understandings and agreements (and all such agreements are hereby terminated), written and oral, regarding such subject matter. This Agreement may only be amended by a written document signed by authorized representatives of the parties. Any terms and conditions agreed to in a mutually agreed upon and executed order or addendum shall be binding on both parties. The provisions of any such order and addendum shall govern and take precedence over any conflicting or inconsistent provisions of this Agreement.
9.9 Compliance with Laws. Each party will comply with all applicable foreign, federal, state, and local laws, rules and regulations, including without limitation, U.S. export laws and import and use laws of the country where the Services are delivered or used, and all applicable laws relating to bribery or corruption. Under these laws, the Services may not be sold, leased, downloaded, moved, exported, re-exported, or transferred across borders without a license, or approval from the relevant government authority, to any country, including countries embargoed by the U.S. Government (currently Cuba, Iran, North Korea, Northern Sudan and Syria); or to any restricted or denied end-user including, but not limited to, any person or entity prohibited by the U.S. Office of Foreign Assets Control; or for any restricted end-use. Customer will maintain throughout its use of the Services all rights and licenses that are required with respect to such use.
Addendum A: Data Processing Addendum
a) Data Processor will only process, store, and use the Personal Data it receives from the Data Controller as necessary to provide the Services, the business purposes as set forth in the Agreement, and Data Controller’s prior written instructions. The Data Processor shall never retain, use, disclose, sell, or process the Personal Data other than as specified in the Data Controller’s documented instructions or as otherwise permitted by law.
b) The Data Controller has all necessary rights to provide the Personal Data to the Data Processor for the processing to be performed in connection with the Services. To the extent required by Data Protection Laws, the Data Controller is responsible for providing all necessary privacy notices to data subjects, and, unless another legal basis set forth in the Data Protection Laws supports the lawfulness of the processing, for obtaining any necessary consents from data subject to authorize the processing required under the Agreement. Should such a consent be revoked by a data subject, the Data Controller will inform the Data Processor of such revocation, and the Data Processor is responsible for implementing Data Controller’s instruction with respect to the processing of such Personal Data.
The Data Processor shall treat all Personal Data as Confidential Information under the Agreement, and it shall inform all its employees, agents and approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed confidentiality agreements with obligations no less restrictive in the use and protection of Confidential Information than those in the Agreement.
3. Security Measures.
a) Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. The Data Processor shall maintain and follow written security policies that are fully implemented and applicable to the processing of Personal Data. At a minimum, such policies will include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to the Personal Data, conducting appropriate background checks, requiring employees, vendors and others with access to Personal Data to enter into written confidentiality agreements, and conducting training to make employees and others with access to the Personal Data aware of information security risks presented by the processing.
b) At the request of the Data Controller, the Data Processor shall reasonably demonstrate the measures it has taken pursuant to this Article 3 and shall allow the Data Controller to audit and test such measures, to the extent it does not require providing access to other customers’ data. Subject to such restriction, the Data Processor shall reasonably cooperate with such audits carried out by or on behalf of the Data Controller, shall grant the Data Controller´s auditors reasonable access to any premises and devices involved with the processing of the Personal Data, and shall provide the Data Controller´s auditors with access to any information relating to the processing of the Personal Data as may be reasonably required by the Data Controller to ascertain the Data Processor´s compliance with this Addendum.
4. Data Transfers.
To the extent Data Controller transfers any Personal Data from (a) the European Economic Area, or (b) a jurisdiction where a European Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC is in force and covers such transfer, then the parties agree that such Personal Data is subject to the model contractual clauses annexed to EU Commission Implementing Decision (EU) 2021/915 (the “Clauses”), which are hereby incorporated into the Agreement. In such cases, Data Controller is the ‘data exporter’ and Data Processor is the ‘data importer’ as defined in the Clauses.
5. Security Breach.
The Data Processor will notify the Data Controller without undue delay upon discovery of any suspected or actual security or confidentiality breach or other compromise of Personal Data, describing the breach in reasonable detail, the status of any investigation or mitigation taken by the Data Processor, and, if applicable, the potential number of data subjects affected. Data Processor will not communicate with any third party regarding any security breach except as specified by other party or by applicable law.
The Data Processor may subcontract any of its Services-related activities or allow any Personal Data to be processed by a third party.
7. Data Subject Rights.
The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the Data Protection Laws.