Looking for CVM? We rebranded to supplier.io.
|User Terms of Service||Subscriber Agreement||Acceptable Use||Data Processing Agreement||Subprocessors|
LAST UPDATED: June 20, 2020
supplier.io, Inc. (“supplier.io,” “we,” “our”) offers a variety of supplier discovery, data and collaboration tools available online, including via a mobile application (collectively, the “Service”), and websites, including but not limited to www.supplier.io, explorer.supplier.io, unitier.io, unifiedtier2.com, supplierone.co, cvmsolutions.com, ascend.cvmsolutions.com (the Websites”).
supplier.io has three different types of users depending on the supplier.io products used:
IMPORTANT NOTICE: DISPUTES ABOUT THESE TERMS AND THE SERVICE AND WEBSITES PROVIDED BY SUPPLIER.IO ARE SUBJECT TO BINDING ARBITRATION AND A WAIVER OF CLASS ACTION RIGHTS AS DETAILED IN THE “MANDATORY ARBITRATION AND CLASS ACTION WAIVER” SECTION BELOW.
We may, from time to time, modify these Terms. Please check this page periodically for updates. If you do not agree to, or cannot comply with, the modified Terms, you must stop using the Service and Websites. The updated Terms will take effect upon their posting and will apply on a going-forward basis, unless otherwise provided in a notice to you, and except as provided in the Mandatory Arbitration and Class Action Waiver section of these Terms. Your continued use of the Service and Websites after any such update constitutes your acceptance of such changes.
1. ELIGIBILITY AND SCOPE
1.1 General. To use the Service and Websites you must be, and represent and warrant that you are, at least 13 years of age and competent to agree to these Terms. If supplier.io has previously prohibited you from accessing or using the Service and Websites, you are not permitted to access or use the Service and Websites.
1.2 Location. These Terms are applicable to Users located in the United States only. If you are located outside of the United States, you will be presented with a different set of terms.
2. ACCOUNT REGISTRATION AND USE
2.1 Account Registration and Confidentiality. To access the Service and Websites, you must register for an account on the appropriate service by creating a user name and password. You agree to provide us with accurate, complete, and current registration information about yourself. It is your responsibility to ensure that your password remains confidential and secure. By registering, you agree that you are fully responsible for all activities that occur under your user name and password. We may assume that any communications we receive under your account have been made by you. If you are a billing owner, an administrator, or if you have confirmed in writing that you have the authority to make decisions on behalf of a Customer (“Account Administrator”), you represent and warrant that you are authorized to make decisions on behalf of the Customer and agree that supplier.io is entitled to rely on your instructions.
2.2 Unauthorized Account Use. You are responsible for notifying us at email@example.com if you become aware of any unauthorized use of or access to your account. You understand and agree that we may require you to provide information that may be used to confirm your identity and help ensure the security of your account. supplier.io will not be liable for any loss, damages, liability, expenses or attorneys’ fees that you may incur as a result of someone else using your password or account, either with or without your knowledge and/or authorization, and regardless of whether you have or have not advised us of such unauthorized use. You will be liable for losses, damages, liability, expenses and attorneys’ fees incurred by supplier.io or a third party due to someone else using your account. In the event that the Account Administrator or Customer loses access to an account or otherwise requests information about an account, supplier.io reserves the right to request from the Account Administrator or Customer any verification it deems necessary before restoring access to or providing information about such account in its sole discretion.
3. OUR PROPRIETARY RIGHTS
The Service and Websites are owned and operated by supplier.io and contain materials (including all software, design, text, editorial materials, informational text, photographs, illustrations, audio clips, video clips, artwork and other graphic materials, and names, logos, trademarks and services marks) which are derived in whole or in part from materials supplied by supplier.io and its partners, as well as other sources, and are protected by United States copyright laws, international treaty provisions, trademarks, service marks and other intellectual property laws. The Service and Websites are also protected as a collective work or compilation under U.S. copyright and other law and treaties. You agree to abide by all applicable copyright and other laws, as well as any additional copyright notices or restrictions contained in the Service and Websites. You acknowledge that the Service and Websites have been developed, compiled, prepared, revised, selected, and arranged by supplier.io and others through the application of methods and standards of judgment developed and applied through the expenditure of substantial time, effort, and money and constitute valuable intellectual property of supplier.io and such others. You agree to protect the proprietary rights of supplier.io and all others having rights in the Service and Websites during and after the term of these Terms and to comply with all written requests made by supplier.io or its suppliers and licensors (collectively, “Suppliers”) of content or otherwise to protect their and others’ contractual, statutory, and common law rights in the Service and Websites. You agree to notify supplier.io immediately upon becoming aware of any claim that the Service and Websites infringe upon any copyright, trademark, or other contractual, statutory, or common law rights. All present and future rights in and to trade secrets, patents, copyrights, trademarks, service marks, know-how, and other proprietary rights of any type under the laws of any governmental authority, domestic or foreign, including without limitation rights in and to all applications and registrations relating to the Service and Websites shall, as between you and supplier.io, at all times be and remain the sole and exclusive property of supplier.io. Any unauthorized use of any material contained on or through the Service and Websites may violate copyright laws, trademark laws, the laws of privacy and publicity and communications regulations and statutes.
4. USER CONTENT AND FEEDBACK
4.1 User Content and Submissions on the Service. The Service allows you to manage supplier information, and submit associated information, text, files, and other materials (collectively, “User Content”) and to share that User Content with others. User Content submitted or otherwise made available to the Service is subject to the following terms:
4.1.2 Subscriber User Content on the Service. Content submitted to the Service by Subscribers (“Subscriber User Content”) is owned and controlled by the Customer as set forth in the introduction to these Terms and the Customer Agreement. supplier.io maintains a limited, non-exclusive and non-transferrable (except in connection with the sale or transfer of its business) license to access, use, copy, reproduce, process, adapt, publish, transmit, host, and display Subscriber User Content for the following limited purposes: (i) to maintain, provide and improve the Service; (ii) to prevent or address technical or security issues and resolve support requests; (iii) to investigate when we have a good faith belief, or have received a complaint alleging, that such Subscriber User Content is in violation of the Customer Agreement or these Terms; (iv) to comply with a valid legal subpoena, request, or other lawful process that meets the requirements of the Customer Agreement; and (v) as otherwise set forth in our Customer Agreement or as expressly permitted in writing by the Customer.
4.2 Feedback on the Websites. The Websites may have certain features that allow you to submit comments, information, and other materials (collectively, “Feedback”) to supplier.io and share such Feedback with other users, or the public. By submitting Feedback through the Websites, you grant supplier.io a license to access, use, copy, reproduce, process, adapt, publish, transmit, host, and display that Feedback for any purpose (including in testimonials or other supplier.io marketing materials and where required to do so by law or in good faith to comply with legal process.). We reserve the right to remove any Feedback posted in public forums for any reason at our sole discretion.
4.3 User Content and Feedback Representations. You acknowledge and agree that you have all required rights to submit User Content and Feedback without violation of any third-party rights. You understand that supplier.io does not control, and is not responsible for, User Content or Feedback, and that by using the Service and/or Websites, you may be exposed to User Content or Feedback from other users that is offensive, indecent, inaccurate, misleading, or otherwise objectionable. Please also note that User Content and Feedback may contain typographical errors, other inadvertent errors or inaccuracies. You agree that you will indemnify, defend, and hold harmless supplier.io for all claims resulting from User Content or Feedback you submit through the Service and/or Websites. We reserve the right, at our own expense, to assume the exclusive defense and control of such disputes, and in any event you will cooperate with us in asserting any available defenses.
5. LICENSE AND ACCEPTABLE USE
5.2 Acceptable Use.
All Users must comply with the following rules regarding acceptable use of the Service and Websites.
Disruption of the Service. You may not:
Misuse of the Service and Websites. You may not utilize the Service and Websites to carry out, promote or support:
User Content Standards Within the Service and Websites. You may not post any User Content on the Service or Websites that:
Violations of this Section 5. In addition to any other remedies that may be available to us, supplier.io reserves the right to take any remedial action it deems necessary, including immediately suspending or terminating your account or your access to the Service or Websites, upon notice and without liability for supplier.io should you fail to abide by the rules in this Section 5 or if, in supplier.io’s sole discretion, such action is necessary to prevent disruption of the Service or Websites for other users. If you are a Subscriber, supplier.io reserves the right to notify the Customer’s Account Administrator(s) or other Customer representative(s) of any violations of these Terms.
7. WARRANTIES, DISCLAIMERS AND LIMITATION OF LIABILITY
THE SERVICE AND WEBSITES AND USER CONTENT, WHETHER PROVIDED BY SUPPLIER.IO, ITS LICENSORS, ITS VENDORS OR ITS USERS, AND OTHER INFORMATION ON OR ACCESSIBLE FROM THE SERVICE AND WEBSITES ARE PROVIDED “AS IS” WITHOUT WARRANTY, REPRESENTATION, CONDITION, OR GUARANTEE OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES, REPRESENTATIONS, CONDITIONS OR GUARANTEES OF QUALITY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ALL OF WHICH ARE DISCLAIMED TO THE FULLEST EXTENT PERMITTED BY LAW. SPECIFICALLY, BUT WITHOUT LIMITATION, SUPPLIER.IO DOES NOT WARRANT THAT: (i) THE INFORMATION AVAILABLE ON THE SERVICE AND WEBSITES IS FREE OF ERRORS; (ii) THE FUNCTIONS OR FEATURES (INCLUDING BUT NOT LIMITED TO MECHANISMS FOR THE DOWNLOADING AND UPLOADING OF USER CONTENT) WILL BE UNINTERRUPTED, SECURE, OR FREE OF ERRORS; (iii) DEFECTS WILL BE CORRECTED, OR (iv) THE SERVICE AND WEBSITES OR THE SERVER(S) THAT MAKE THE SERVICE AND WEBSITES AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. IN NO EVENT SHALL SUPPLIER.IO OR ITS AFFILIATES, LICENSORS, VENDORS, OR ANY OF THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES, AGENTS, OR OTHER REPRESENTATIVES BE LIABLE TO YOU OR ANY OTHER PERSON OR ENTITY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, LOSS OF USE, OR COSTS OF OBTAINING SUBSTITUTE GOODS OR SERVICES), ARISING OUT OF OR IN CONNECTION WITH THE SERVICE AND WEBSITES, ANY MATERIALS, INFORMATION, OR RECOMMENDATIONS APPEARING ON THE SERVICE AND WEBSITES, OR ANY LINK PROVIDED ON THE SERVICE AND WEBSITES, WHETHER OR NOT SUPPLIER.IO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND WHETHER BASED UPON WARRANTY, CONTRACT, TORT, STRICT LIABILITY, VIOLATION OF STATUTE, OR OTHERWISE. THIS EXCLUSION OF LIABILITY SHALL APPLY TO THE FULLEST EXTENT PERMITTED BY LAW. IN ANY EVENT, OUR AGGREGATE LIABILITY WILL NOT EXCEED THE AMOUNT PAID FOR THE SERVICE OR WEBSITES TO WHICH THE CLAIM RELATES OR, IF THE CLAIM DOES NOT RELATE TO A PRODUCT OR SERVICE, $100. SUPPLIER.IO DOES NOT WARRANT, ENDORSE, GUARANTEE OR ASSUME RESPONSIBILITY FOR ANY PRODUCT OR SERVICE ADVERTISED OR OFFERED BY A THIRD PARTY THROUGH THE SERVICE AND WEBSITES OR ANY WEBSITE FEATURED OR LINKED TO THROUGH THE SERVICE AND WEBSITES, AND supplier.io WILL NOT BE A PARTY TO OR IN ANY WAY BE RESPONSIBLE FOR MONITORING ANY TRANSACTION BETWEEN YOU AND THIRD-PARTY PROVIDERS OF PRODUCTS OR SERVICE AND WEBSITES. SUPPLIER.IO WILL NOT BE LIABLE FOR THE OFFENSIVE OR ILLEGAL CONDUCT OF ANY THIRD PARTY. YOU VOLUNTARILY ASSUME THE RISK OF HARM OR DAMAGE FROM THE FOREGOING. THE FOREGOING LIMITATIONS WILL APPLY EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE AND TO THE FULLEST EXTENT PERMITTED BY LAW. If you are a California resident, you hereby waive California Civil Code §1542, which says: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release, which if known by him or her must have materially affected his or her settlement with the debtor.” This release includes the criminal acts of others.
8. EXCLUSIONS AND LIMITATIONS
Some jurisdictions do not allow the exclusion of certain warranties or the limitation or exclusion of liability for incidental or consequential damages such as above in Section 7. Accordingly, some of the above limitations may not apply to you. If you are a New Jersey resident, or a resident of another state that permits the exclusion of these warranties and liabilities, then the limitations in Section 7 specifically do apply to you.
10. THIRD-PARTY LINKS AND SERVICE AND WEBSITES
The Service and Websites may provide (1) information and content provided by third parties; (2) links to third-party websites or resources, such as sellers of goods and services; and (3) third-party products and services for sale directly to you. supplier.io is not responsible for the availability of such external sites or resources, and does not endorse and is not responsible or liable for (i) any content, advertising, products, or other materials on or available from such sites or resources, (ii) any errors or omissions in these websites or resources, or (iii) any information handling practices or other business practices of the operators of such sites or resources. You further acknowledge and agree that supplier.io shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any linked sites or resources. Your interactions with such third parties will be governed by the third parties’ own terms of service and privacy policies, and any other similar terms.<
supplier.io reserves the right at any time to modify or discontinue, temporarily or permanently, the Service and Websites (or any part thereof), with or without notice. You agree that supplier.io shall not be liable to you or any third party for any modification, suspension or discontinuance of the Service and Websites.
12. MANDATORY ARBITRATION AND CLASS ACTION WAIVER
PLEASE READ THIS SECTION CAREFULLY. IT AFFECTS YOUR LEGAL RIGHTS, INCLUDING YOUR RIGHT TO FILE A LAWSUIT IN COURT.
12.1 Application. You and supplier.io agree that these Terms affect interstate commerce and that the Federal Arbitration Act governs the interpretation and enforcement of these arbitration provisions. This Section 12 is intended to be interpreted broadly and governs any and all disputes between us including but not limited to claims arising out of or relating to any aspect of the relationship between us, whether based in contract, tort, statute, fraud, misrepresentation or any other legal theory; claims that arose before these Terms or any prior agreement (including, but not limited to, claims related to advertising); and claims that may arise after the termination of these Terms. The only disputes excluded from this broad prohibition are the litigation of certain intellectual property and small court claims, as provided below.
12.2. Initial Dispute Resolution. Most disputes can be resolved without resort to arbitration. If you have any dispute with us, you agree that before taking any formal action, you will contact us at firstname.lastname@example.org and provide a brief, written description of the dispute and your contact information (including your username, if your dispute relates to an account). Except for intellectual property and small claims court claims, the parties agree to use their best efforts to settle any dispute, claim, question, or disagreement directly through consultation with supplier.io, and good faith negotiations shall be a condition to either party initiating a lawsuit or arbitration.
12.3 Binding Arbitration. If the parties do not reach an agreed-upon solution within a period of thirty (30) days from the time informal dispute resolution is initiated under the Initial Dispute Resolution provision above, then either party may initiate binding arbitration as the sole means to resolve claims, (except as provided in section 12.7 below) subject to the terms set forth below. Specifically, all claims arising out of or relating to these Terms (including the Terms’ formation, performance, and breach), the parties’ relationship with each other, and/or your use of supplier.io shall be finally settled by binding arbitration administered by the JAMS Comprehensive Arbitration Rules & Procedures (“JAMS”). The JAMS rules will govern payment of all arbitration fees. supplier.io will pay all arbitration fees for claims less than $75,000. If you receive an arbitration award that is more favorable than any offer we make to resolve the claim, we will pay you $1,000 in addition to the award. supplier.io will not seek its attorneys’ fees and costs in arbitration unless the arbitrator determines that your claim is frivolous.
12.4 Arbitrator’s Powers. The arbitrator, and not any federal, state, or local court or agency, shall have exclusive authority to resolve all disputes arising out of or relating to the interpretation, applicability, enforceability, or formation of these Terms including but not limited to any claim that all or any part of these Terms is void or voidable, whether a claim is subject to arbitration, or the question of waiver by litigation conduct. The arbitrator shall be empowered to grant whatever relief would be available in a court under law or in equity. The arbitrator’s award shall be written and shall be binding on the parties and may be entered as a judgment in any court of competent jurisdiction.
12.5 Filing a Demand. To start an arbitration, you must do the following: (a) Write a Demand for Arbitration (“Demand”) that (i) briefly explains the dispute, (ii) lists your and supplier.io’s names and addresses, (iii) specify the amount of money in dispute, if applicable, (iv) identify the requested location for a hearing if an in-person hearing is requested, and (v) state what you want in the dispute; (b) send one copy of the Demand to JAMS, along with a copy of these Terms and the filing fee required by JAMS; and (c) Send one copy of the Demand for Arbitration to us at email@example.com
The parties understand that, absent this mandatory arbitration provision, they would have the right to sue in court and have a jury trial. They further understand that, in some instances, the costs of arbitration could exceed the costs of litigation and the right to discovery may be more limited in arbitration than in court. If you are a resident of the United States, arbitration may take place in the county where you reside at the time of filing, unless you and we both agree to another location or telephonic arbitration. For individuals residing outside the United States, arbitration shall be initiated in Cook County, Illinois, United States, and you and supplier.io agree to submit to the personal jurisdiction of any federal or state court in Cook County, Illinois, United States, in order to compel arbitration, stay proceedings pending arbitration, or to confirm, modify, vacate, or enter judgment on the award entered by the arbitrator.
12.6 Class Action Waiver. The parties further agree that the arbitration shall be conducted in the party’s respective individual capacities only and not as a class action or other representative action, and the parties expressly waive their right to file a class action or seek relief on a class basis. YOU AND supplier.io AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING. If any court or arbitrator determines that the class action waiver set forth in this paragraph is void or unenforceable for any reason or that an arbitration can proceed on a class basis, then the arbitration provisions set forth above shall be deemed null and void in their entirety and the parties shall be deemed to have not agreed to arbitrate disputes.
12.7 Exception: Litigation of Intellectual Property and Small Claims Court Claims. Notwithstanding the parties’ decision to resolve all disputes through arbitration, either party may bring enforcement actions, validity determinations or claims arising from or relating to theft, piracy or unauthorized use of intellectual property in state or federal court with jurisdiction or in the U.S. Patent and Trademark Office to protect its intellectual property rights (“intellectual property rights” means patents, copyrights, moral rights, trademarks, and trade secrets, but not privacy or publicity rights). Either party may also seek relief in small claims court in Chicago, Illinois for disputes or claims within the scope of that court’s jurisdiction.
12.8 30-Day Right to Opt Out. You have the right to opt out and not be bound by the arbitration and class action waiver provisions set forth above by sending written notice of your decision to opt out to firstname.lastname@example.org with the subject line, “ARBITRATION AND CLASS ACTION WAIVER OPT-OUT.” The notice must be sent within the later of 30 days of your first use of the Service or within 30 days of changes to this section being announced on the Site. Otherwise you shall be bound to arbitrate disputes in accordance with the terms of these paragraphs. If you opt out of these arbitration provisions, supplier.io also will not be bound by them.
12.9 Changes to This Section. supplier.io will provide thirty (30) days’ notice of any changes to this section by posting on the Service and Websites. Amendments will become effective thirty (30) days after they are posted on the Service and Websites or sent to you by email. Changes to this section will otherwise apply prospectively only to claims arising after the thirtieth (30th) day. If a court or arbitrator decides that this subsection on “Changes to This Section” is not enforceable or valid, then this subsection shall be severed from the section entitled Mandatory Arbitration and Class Action Waiver, and the court or arbitrator shall apply the first Mandatory Arbitration and Class Action Waiver section in existence after you began using the Service and Websites.
12.10 Survival. This Mandatory Arbitration and Class Action Waiver section shall survive any termination of your use of the Service and Websites.
13. CONTROLLING LAW AND SEVERABILITY
These Terms shall be construed in accordance with and governed by the laws of Illinois notwithstanding its conflicts of law principles. Any dispute arising out of these terms and conditions or the use of this site shall be initiated and conducted in the state or federal courts of Cook County, Illinois, and you and supplier.io consent to the exclusive jurisdiction of such courts.
14. GENERAL TERMS
14.1 Force Majeure. Under no circumstances shall supplier.io or its licensor or supplier be held liable for any delay or failure in performance resulting directly or indirectly from an event beyond its reasonable control.
14.2 No Waiver. No waiver of any provision of these Terms will be binding unless in writing, no waiver of any provisions of these Terms will be deemed a further or continuing waiver of such provision or any other provision, and the failure of supplier.io to exercise or enforce any right or remedy in these Terms does not waive that right or remedy. If an arbitrator or a court of competent jurisdiction finds any provision of these Terms to be invalid, the parties agree that the court should endeavor to give effect, to the maximum extent permitted by law, to the parties’ intentions as reflected in the provision, and the other provisions of these Terms will remain in full force and effect.
14.3 Third-Party Beneficiaries. You agree that, except as otherwise expressly provided in these Terms, there shall be no third-party beneficiaries to these Terms.
14.4 Statute of Limitations. Except for residents of New Jersey, you agree that regardless of any statute or law to the contrary, any claim or cause of action arising out of or related to the use of the Service and Websites and/or these Terms must be filed within one (1) year after such claim or cause of action arose or be forever barred.
14.5 Miscellaneous. These Terms (and all terms and conditions incorporated herein) constitute the entire agreement between you and supplier.io and govern your use of the Service and Websites, and supersede any prior agreements between you and supplier.io on the subject matter. These Terms, and any rights or licenses granted hereunder, may not be assigned or delegated by you. These Terms, and any rights or licenses granted hereunder, may be assigned or delegated by supplier.io without restriction. These Terms bind and inure to the benefit of each party and the party’s successors and permitted assigns. These Terms may not be modified by an oral statement by a representative of supplier.io. No agency, partnership, joint venture or employee-employer relationship is intended or created by these Terms. You agree that any agreements made by and between you and us in electronic form are as legally binding as if made in physical written form. If you are using the Service and Websites for or on behalf of the U.S. government, your license rights do not exceed those granted to non-government consumers. The section titles in these Terms are for convenience only and have no legal or contractual effect. Any provision of these Terms that by its nature is reasonably intended to survive beyond termination of these Terms shall survive.
14.6 Notices. We may deliver notice to you by e-mail, posting a notice on the Service and Websites or any other method we choose and such notice will be effective on dispatch. If you give notice to us, it will be effective when received and you must use the following physical or email address: (1) supplier.io, 5 Westbrook Corporate Center, Suite 920, Chicago, IL 60154; or (2) email@example.com.
If you have any questions about these Terms, please contact us at firstname.lastname@example.org.
LAST UPDATED: June 20, 2020
This Subscriber Agreement (the “Agreement”) is entered into by and between supplier.io, Inc. (“supplier.io”) and the organization agreeing to the terms of this Agreement (“Customer”). This Agreement shall be effective on the earliest of (a) the date Customer clicks a button indicating its agreement with the terms of this Agreement; (b) Customer entering into an Order Form or similar form referencing or otherwise incorporating this Agreement; or (c) Customer’s use of the Service (the “Effective Date”). If you are entering into this Agreement on behalf of your organization, that organization is deemed to be the Customer and you represent that you have the power and authority bind that organization to this Agreement.
1 The Service.
1.1 Provision of the Service. supplier.io shall make the Service purchased under an Order Form available to Customer and its End Users pursuant to this Agreement during the applicable Subscription Term. The Service includes the features and functionality applicable to the version of the Service ordered by Customer. supplier.io may update the content, functionality, and user interface of the Service from time to time in its sole discretion.
1.2 Access Rights. Customer has a non-exclusive, non-sublicenseable, non-transferable (except as specifically permitted in this Agreement) right to access and use the Service pursuant to this Agreement during the applicable Subscription Term, solely for Customer’s internal business purposes subject to the limitations set forth in the Order Form.
1.3 Usage Restrictions Customer shall not (a) make the Service available to, or use any Service for the benefit of, anyone other than Customer and its Affiliates; (b) rent, sublicense, re-sell, assign, transfer, distribute, time share, or similarly exploit the Service; (c) reverse engineer, copy, modify, adapt, hack the Service, or otherwise attempt to gain unauthorized access to the Service or its related systems or networks; (d) access the Service, the Documentation, or supplier.io’s Confidential Information to build a competitive product or service; (e) alter or remove, or permit any third party to alter or remove, any proprietary trademark or copyright markings incorporated in, marked on, or affixed to the Service; (f) allow End User Subscriptions to be shared or used by more than one individual End User (except that End User Subscriptions may be reassigned to new End Users replacing individuals who no longer use the Service for any purpose, whether by termination of employment or other change in job status or function); or (g) access or use the Service: (i) to send or store infringing, obscene, threatening, or otherwise unlawful material, including material violative of third-party privacy rights; (ii) in violation of applicable laws; (iii) to send or store material knowingly or intentionally containing software viruses, worms, Trojan horses or other harmful computer code, files, or scripts; or (iv) in a manner that interferes with or disrupts the integrity or performance of the Service (or the data contained therein).
1.4 Protection of Customer Data. supplier.io shall implement and maintain administrative, organizational, and technical safeguards designed for the protection, confidentiality, and integrity of Customer Data.
1.5 Administration of Customer’s Account. Customer acknowledges that it retains administrative control over to whom it grants access to Customer Data hosted in the Service. Customer may specify an End User to be the billing owner and, depending on the Subscription, one or more End Users to be administrators (each an “Administrator”) to manage its account, and supplier.io is entitled to rely on communications from an Administrator when servicing Customer’s account. Depending on the version purchased by Customer, Customer’s Administrator(s) may have the ability to access, monitor, use, and/or export Customer Data. Customer is responsible for maintaining the security of End User accounts and passwords.
1.6 Compliance. Customer is responsible for use of the Service by its End Users and for their compliance with this Agreement. Customer is solely responsible for the accuracy, quality, legality, reliability, and appropriateness of all Customer Data. Customer shall ensure that it is entitled to transfer the relevant Customer Data to supplier.io so that supplier.io and its service providers may lawfully use, process, and transfer the Customer Data in accordance with this Agreement on Customer’s behalf. Customer shall promptly notify supplier.io if it becomes aware of any unauthorized use of or access to Customer’s account or the Service.
1.7 Suspension. supplier.io may request that Customer suspend the account of any End User who (a) violates this Agreement or supplier.io’s User Terms of Service; or (b) is using the Service in a manner that supplier.io reasonably believes may cause a security risk, a disruption to others’ use of the Service, or liability for supplier.io. If Customer fails to promptly suspend or terminate such End User’s account, supplier.io reserves the right to do so.
1.8 Customer’s Use of Third Party Services. Customer may install or enable third party services for use with the Service, such as online applications, offline software products, or services that utilize the supplier.io API in connection with Customer’s use of the Service (“Third Party Services”). Any acquisition and use by Customer or its End Users of such Third Party Services is solely the responsibility of Customer and the applicable third party provider. Customer acknowledges that providers of such Third Party Services may have access to Customer Data in connection with the interoperation and support of such Third Party Services with the Service. To the extent Customer authorizes the access or transmission of Customer Data through a Third Party Service, supplier.io shall not be responsible for any use, disclosure, modification, or deletion of such Customer Data or for any act or omission on the part of the third party provider or its service.
1.9 Trial Subscriptions. Customer may access a version of the Service on a trial basis (a “Trial”) subject to the terms of this Agreement; provided, however, the following additional terms shall apply to its Trial notwithstanding anything to the contrary herein: (a) supplier.io shall have the right to terminate a Trial at any time and for any reason; (b) supplier.io is providing the Service “as is” and makes no warranties (express or implied) of any kind with respect to the Service during the Trial; and (c) supplier.io shall have no obligation to indemnify Customer. CUSTOMER ACKNOWLEDGES THAT ITS TRIAL WILL AUTOMATICALLY CONVERT TO A SUBSCRIPTION AT THE END OF THE TRIAL AND THAT supplier.io MAY CHARGE CUSTOMER FOR THE APPLICABLE SUBSCRIPTION FEES UNLESS CUSTOMER HAS NOTIFIED supplier.io IN WRITING OF ITS DECISION TO OPT OUT DURING THE TRIAL.
2.1 By supplier.io. supplier.io warrants that during the applicable Subscription Term (a) the Service shall perform materially in accordance with the applicable Documentation; and (b) supplier.io shall not materially decrease the functionality of the Service.
2.2 By Customer. Customer warrants that (a) this Agreement is legally binding upon it and enforceable in accordance with its terms; (b) it has obtained all legally required consents and permissions from End Users for the submission and processing of personal data through the Service; and (c) the transfer and processing of Customer Data under the Agreement is lawful.
2.3 Disclaimer EXCEPT AS EXPRESSLY PROVIDED FOR IN THIS SECTION, TO THE FULLEST EXTENT PERMITTED BY LAW, THE PROFESSIONAL SERVICES, SERVICE, AND ALL RELATED COMPONENTS AND INFORMATION ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS WITHOUT ANY WARRANTIES OF ANY KIND, AND supplier.io AND ITS AFFILIATES EXPRESSLY DISCLAIM ANY AND ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. CUSTOMER ACKNOWLEDGES THAT supplier.io DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE. supplier.io IS NOT RESPONSIBLE FOR AND DISCLAIMS ALL LIABILITY RELATED TO DELAYS, DELIVERY FAILURES, INTERCEPTION, ALTERATION, OR OTHER DAMAGE RESULTING FROM MATTERS OUTSIDE OF ITS CONTROL, INCLUDING PROBLEMS INHERENT IN THE USE OF THE INTERNET, MOBILE AND PERSONAL COMPUTING DEVICES, TRANSMISSION OF ELECTRONIC COMMUNICATIONS OVER THE INTERNET OR OTHER NETWORKS, AND THIRD PARTY HOSTING SERVICE PROVIDERS.
3 Fees and Payment.
3.1 Subscription Fees. Customer’s Subscription fees are set forth in the applicable Order Form and are based on the number of End Users and version of the Service purchased. Customer shall pay all fees when due and is responsible for providing complete and accurate billing information to supplier.io. If such fees are being paid via credit card or other electronic means, Customer authorizes supplier.io to charge such fees using Customer’s selected payment method. Payment obligations are non-cancelable and fees paid are non-refundable unless otherwise provided herein. The number of End Users purchased under a Subscription cannot be decreased during the applicable Subscription Term. If Customer requires the use of a purchase order or purchase order number, Customer shall provide the purchase order number at the time of purchase. Where Customer designates use of a third-party payment processor network (such as a payment agent, for example), Customer shall be responsible for payment of all fees and charges associated with use of such network. supplier.io reserves the right to suspend Customer’s account, in addition to all of its other available rights and remedies, in the event that Customer’s account becomes overdue. Suspension shall not relieve Customer’s obligation to pay amounts due.
3.2 Auto-renewal. Customer agrees that its Subscription will automatically renew on an annual or monthly basis depending on Customer’s Subscription (the “Renewal Date”). Customer authorizes supplier.io to automatically charge Customer for the applicable fees on or after the Renewal Date unless the Subscription has been terminated or cancelled in accordance with this Agreement. If Customer wishes to reduce the number of End Users in its Subscription, it must do so prior to the Renewal Date. Customer must cancel its Subscription prior to the Renewal Date in order to avoid billing of the next period’s Subscription fees. Customer can cancel its Subscription anytime online by going into its account settings and following the instructions provided. If Customer chooses to cancel its Subscription during the Subscription Term, Customer may use the Service until the end of Customer’s then-current Subscription Term or renewal period, but will not be issued a refund for the most recently (or any previously) charged fees.
3.3 Calculation. Subscription fees are based on annual or monthly periods (or pro rata portions thereof, calculated on a daily basis) that begin on the Subscription start date and each annual or monthly anniversary thereof. Subscriptions to the Service are sold on a tiered basis based on the number of End Users. Customer shall purchase a Subscription to the Service for each End User, and the initial number of End Users and tier is reflected in the applicable Order Form. Customer may add End Users to its Subscription at any time on written notice to supplier.io (email notice acceptable). supplier.io reserves the right to calculate the total number of End Users periodically and, if the number of End Users exceeds Customer’s current Subscription, then supplier.io reserves the right to invoice Customer for the applicable tier on a pro rata basis for the remaining period in Customer’s Subscription Term, so that all End User Subscription Terms coincide and are co-terminus. supplier.io reserves the right to revise fee rates and/or the billable amount structure for the Service at any time and will provide Customer with notice pursuant to Section 11.4 below) of any such changes at least twenty (20) days prior. supplier.io may charge Customer the then-current pricing for the applicable Subscription if the number of End Users is modified and/or if Customer changes its Subscription plan.
3.4 Taxes. Any fees charged to Customer are exclusive of taxes. Except for those taxes based on supplier.io’s net income, Customer shall be responsible for all applicable taxes in connection with this Agreement including, but not limited to, sales, use, excise, value-added, goods and services, consumption, and other similar taxes or duties. Should any payment for the Service be subject to withholding tax by any government, Customer shall reimburse supplier.io for such withholding tax.
3.5 Future Features and Functionality. Customer agrees that any purchases under this Agreement are not contingent on the delivery of any future feature or functionality or dependent on any oral or written public or private comments made by supplier.io regarding future features or functionality. supplier.io may release Improvements and other features and functionality in its discretion. Some features and functionality may be available only with certain versions of the Service.
4 Term and Termination. This Agreement commences on the Effective Date and shall remain in effect until all Subscriptions to the Service granted in accordance with this Agreement have expired or been terminated. Either party may terminate this Agreement if the other party: (a) is in material breach of this Agreement and fails to cure such breach within twenty (20) days following receipt of written notice from the non-breaching party, except that termination will take effect on notice in the event of a breach of Section 1.3 (“Usage Restrictions”); or (b) ceases its business operations or becomes subject to insolvency proceedings and the proceedings are not dismissed within sixty (60) days. Upon expiration or termination of this Agreement for any reason, all Subscriptions and any other rights granted to Customer under this Agreement shall immediately terminate, and supplier.io may immediately deactivate Customer’s account(s) associated with the Agreement. In no event will any termination relieve Customer of the obligation to pay any fees accrued or payable to supplier.io. The following sections shall survive expiration or termination of this Agreement: Sections 1.3 (“Usage Restrictions”), 2 (“Warranties”), 3.1 (“Subscription Fees”), 3.4 (“Taxes”), 4 (“Term and Termination”), 5 (“Confidentiality”), 6 (“Intellectual Property Rights”), 7 (“Indemnification”), 8 (“Liability”), 9 (“Export Compliance”), 10 (“Use Outside the United States of America”), 11 (“Miscellaneous”), and 12 (“Definitions”).
5.1 Definition of Confidential Information. During the course of performance under this Agreement, each party may make available to the other party information that is not generally known to the public and at the time of disclosure is either identified as, or should reasonably be understood by the receiving party to be, proprietary or confidential (the “Confidential Information”). Confidential Information specifically includes, but is not limited to, the Service, any Order Form(s) entered into by the parties, Customer Data, Results, business plans, product plans and roadmaps, strategies, forecasts, projects and analyses, financial information and fee structures, business processes, methods and models, and technical documentation. Confidential Information does not include information that (a) is or becomes publicly available without breach of this Agreement by the receiving party; (b) was known to the receiving party prior to its disclosure by the disclosing party; (c) is or was independently developed by the receiving party without the use of any Confidential Information of the disclosing party; or (d) is or was lawfully received by the receiving party from a third party under no obligation of confidentiality.
5.2 Protection of Confidential Information. Except as otherwise expressly permitted under this Agreement, with the express prior written consent of the disclosing party, or as required by law, the receiving party will not disclose, transmit, or otherwise disseminate to a third party any Confidential Information of the disclosing party. The receiving party will use the same care and discretion with respect to the Confidential Information received from the disclosing party as it uses with its own similar information, but in no event less than a reasonable degree of care. The receiving party may disclose the disclosing party’s Confidential Information to its employees, Affiliates, consultants, subcontractors, agents, or advisors (“Representatives”) who have a strict need to access the Confidential Information for the purpose of performing under this Agreement and only to those who are obligated to maintain the confidentiality of such Confidential Information upon terms at least as protective as those contained in this Agreement. Either party may disclose the terms of this Agreement to potential parties to a bona fide fundraising, acquisition, or similar transaction solely for purposes of the proposed transaction, provided that any such potential party is subject to written non-disclosure obligations and limitations on use no less protective than those set forth herein.
5.3 Equitable Relief. The receiving party acknowledges that the remedy at law for breach of this Section 5 may be inadequate and that, in addition to any other remedy the disclosing party may have, it shall be entitled to seek equitable relief, including, without limitation, an injunction or injunctions (without the requirement of posting a bond, other security or any similar requirement or proving any actual damages), to prevent breaches or threatened breaches of this Section 5 by the receiving party or any of its Representatives and to enforce the terms and provisions of this Section 5 in addition to any other remedy to which the disclosing party is entitled at law or in equity.
5.4 Compelled Disclosure. The receiving party may access and disclose Confidential Information of the disclosing party if legally required to do so in connection with any legal or regulatory proceeding; provided, however, that in such event the receiving party will, if lawfully permitted to do so, notify the disclosing party within a reasonable time prior to such access or disclosure so as to allow the disclosing party an opportunity to seek appropriate protective measures. If the receiving party is compelled by law to access or disclose the disclosing party’s Confidential Information as part of a civil proceeding to which the disclosing party is a party, the disclosing party will reimburse the receiving party for the reasonable costs of compiling and providing secure access to such Confidential Information. Receiving party will furnish only that portion of the Confidential Information that is legally required to be disclosed, and any Confidential Information so disclosed shall maintain its confidentiality protection for all purposes other than such legally compelled disclosure.
5.5 Sensitive/Personal Information. Customer agrees that it shall not use the Service to send or store personal information subject to special regulatory or contractual handling requirements (e.g., Payment Card Industry Data Security Standards, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and any similar data protection laws) including without limitation: credit card information, credit card numbers and magnetic stripe information, social security numbers, driver’s license numbers, passport numbers, government issued identification numbers, health-related information, biometric data, financial account information, personally identifiable information collected from children under the age of 13 or from online services directed toward children, and real time geo-location data which can identify an individual, or information deemed “sensitive” under applicable law (such as racial or ethnic origin, political opinions, or religious or philosophical beliefs).
6 Intellectual Property Rights.
6.1 By Customer. Customer owns all right, title, and interest in and to Customer Confidential Information and Customer Data, including all related Intellectual Property Rights. Customer grants supplier.io and its authorized third party service providers a worldwide, non-exclusive license to host, copy, access, process, transmit, and display Customer Data: (a) to maintain, provide, and improve the Service and perform under this Agreement; (b) to prevent or address technical or security issues and resolve support requests; (c) to investigate in good faith an allegation that an End User is in violation of this Agreement or the supplier.io User Terms of Service; or (d) at Customer’s direction or request or as permitted in writing by Customer.
6.2 By supplier.io. supplier.io owns and will continue to own all right, title, and interest, including all related Intellectual Property Rights, in and to its Confidential Information, Results, and the Service, including any enhancements, customizations, or modifications thereto. Where Customer purchases Professional Services hereunder, supplier.io grants to Customer a non-sublicensable, non-exclusive license to use any reports and other materials developed by supplier.io as a result of the Professional Services (“Results”) solely in conjunction with Customer’s authorized use of the Service and in accordance with this Agreement.
6.3 Suggestions. supplier.io welcomes feedback from its customers about the Service and Professional Services. If Customer (including any End User) provides supplier.io with any feedback or suggestions regarding the Service or Professional Services (“Feedback”), supplier.io may use, disclose, reproduce, sublicense, or otherwise distribute and exploit the Feedback without restriction or any obligation to Customer or any End User provided that supplier.io shall not identify Customer or any End User as the source of such Feedback.
7.1 By Customer. Customer shall defend supplier.io, its Affiliates, and their employees, officers, and directors (together, the “supplier.io Indemnified Parties”) from and against third party claims, actions, and demands arising from allegations that Customer Data, unauthorized use of the Service by Customer or its End Users, or supplier.io’s processing of data pursuant to Customer’s instructions infringes a third party’s Intellectual Property Right or privacy right (each, a “Claim Against supplier.io”), and Customer shall indemnify and hold the supplier.io Indemnified Parties harmless against any damages, reasonable attorneys’ fees, and costs finally awarded against supplier.io Indemnified Parties as a result of, or for any amounts paid by the supplier.io Indemnified Parties under a Customer-approved settlement of, a Claim Against supplier.io.
7.2 By supplier.io. supplier.io shall defend Customer, its Affiliates, and their employees, officers, and directors (together the “Customer Indemnified Parties”) from and against third party claims, actions, and demands alleging that Customer’s authorized use of the Service infringes or misappropriates any copyright, trade secret, U.S. patent, or trademark right of that third party (each, a “Claim Against Customer”), and supplier.io shall indemnify and hold the Customer Indemnified Parties harmless against any damages, reasonable attorneys’ fees, and costs finally awarded against Customer Indemnified Parties as a result of, or for any amounts paid by the Customer Indemnified Parties under an supplier.io-approved settlement of, a Claim Against Customer; provided, however, in no event will supplier.io have any obligations or liability under this Section 7.2 to the extent a Claim Against Customer arises from: (a) Customer or any End User’s use of the Service other than as permitted under this Agreement; or (b) use of the Service in a modified form or in combination with products, services, content, or data not furnished to Customer by supplier.io.
7.3 Potential Infringement. If the Service becomes, or in supplier.io’s reasonable judgment is likely to become, the subject of a claim of infringement, then supplier.io may in its sole discretion: (a) obtain the right, at supplier.io’s expense, for Customer to continue using the Service; (b) provide a non-infringing functionally equivalent replacement; or (c) modify the Service so that it is no longer infringing. If supplier.io, in its sole and reasonable judgment, determines that none of the above options are commercially reasonable, then supplier.io may suspend or terminate Customer’s use of the Service, in which case supplier.io’s sole liability (in addition to its obligations under Section 7.2) shall be to provide Customer with a prorated refund of any prepaid, unused fees applicable to the remaining portion of the Subscription Term. Sections 7.2 and 7.3 state supplier.io’s sole liability and the Customer Indemnified Parties’ exclusive remedy for infringement claims.
7.4 Indemnification Process. The party seeking indemnification shall provide prompt notice to the indemnifying party concerning the existence of an indemnifiable claim and shall promptly provide the indemnifying party with all information and assistance reasonably requested and otherwise cooperate fully with the indemnifying party in defending the claim. Failure to give prompt notice shall not constitute a waiver of a party’s right to indemnification and shall affect the indemnifying party’s obligations under this Agreement only to the extent that the indemnifying party’s rights are materially prejudiced by such failure or delay. The indemnifying party shall have full control and authority over the defense of any claim; provided, however, that any settlement requiring the party seeking indemnification to admit liability or make any financial payment shall require such party’s prior written consent, not to be unreasonably withheld or delayed.
8.1 Limitation of Liability. EXCEPT FOR A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 7 (“INDEMNIFICATION”), IN NO EVENT SHALL EITHER PARTY’S OR ITS AFFILIATES’ AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR UNDER ANY OTHER THEORY OF LIABILITY) EXCEED THE TOTAL AMOUNT PAID OR PAYABLE BY CUSTOMER HEREUNDER IN THE 12 MONTHS IMMEDIATELY PRECEDING THE FIRST EVENT GIVING RISE TO LIABILITY.
8.2 Exclusion of Consequential and Related Damages IN NO EVENT SHALL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS, REVENUES, OR LOSS OF USE, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY AND WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE. THE FOREGOING DISCLAIMER SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.
8.3 The provisions of this Section 8 allocate the risks under this Agreement between the parties, and the parties have relied on these limitations in determining whether to enter into this Agreement.
9 Export Compliance. The Service may be subject to export laws and regulations of the United States and other jurisdictions. Customer represents that neither it nor any of its End Users are named on any U.S. government denied-party list. Customer shall not permit any End User to access or use any Service in a U.S.-embargoed country or region or in violation of any U.S. export law or regulation. Customer and its End Users shall not use the Service to export, re-export, transfer, or make available, whether directly or indirectly, any regulated item or information to anyone outside the U.S. in connection with this Agreement without first complying with all export control laws and regulations that may be imposed by the U.S. Government and any country or organization of nations within whose jurisdiction Customer operates or does business.
10 Use Outside the United States of America. The Service is controlled and operated by supplier.io from its offices in the United States of America. Except as explicitly set forth herein, supplier.io makes no representations that the Services are appropriate for use in other jurisdictions. Those who access or use the Service from other jurisdictions do so at their own risk and are responsible for compliance with local laws. supplier.io may offer services in other jurisdictions that are subject to different terms and conditions. In such instances, the terms and conditions governing those non-U.S. services shall take precedence over any conflicting provisions in this Agreement.
11.1 Governing Law; Venue. This Agreement and any disputes arising under it will be governed by the laws of the State of Illinois without regard to its conflict of laws provisions, and each party consents to the personal jurisdiction and venue of the state or federal courts located in Chicago, Illinois. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded.
11.2 Informal Dispute Resolution and Arbitration. The parties agree that most disputes can be resolved without resort to litigation. The parties agree to use their best efforts to settle any dispute directly through consultation with each other before initiating a lawsuit or arbitration. If, after good faith negotiations the parties are unable to resolve the dispute, the parties agree that any and all disputes arising out of or in any way relating to this Agreement, including without limitation its existence, validity or termination, shall be resolved according to Illinois law and exclusively by binding arbitration before a single arbitrator with the Judicial Arbitration and Mediation Service (JAMS) and pursuant to the then existing arbitration rules at JAMS. If the parties cannot agree upon selection of an arbitrator, then JAMS shall appoint an arbitrator experienced in the enterprise software industry. The place of the arbitration will be Chicago, Illinois unless otherwise agreed upon by the parties. The arbitration will be conducted in English. The arbitrator shall provide detailed written findings of fact and conclusions of law in support of any award. Judgment upon any such award may be enforced in any court of competent jurisdiction. The parties further agree that the arbitration shall be conducted in their individual capacities only and not as a class action or other representative action, and the parties expressly waive their right to file a class action or seek relief on a class basis. If any court or arbitrator determines that the class action waiver set forth herein is void or unenforceable for any reason or that an arbitration can proceed on a class basis, then the portions of Section 11.3 mandating arbitration shall be deemed null and void in its entirety and the parties shall be deemed to have not agreed to arbitrate disputes. Customer may opt out and not be bound by the arbitration and class action waiver provisions by sending written notice to supplier.io. The notice must be sent within thirty (30) days of the Effective Date of this Agreement between Customer and supplier.io. If Customer opts out of arbitration, supplier.io also will not be bound to arbitrate. Notwithstanding the foregoing, either party shall be entitled to seek injunctive relief as set forth in Section 5.3 (“Equitable Relief”) above and to stop unauthorized use of the Service or infringement of Intellectual Property Rights. Disputes, claims, or controversies concerning either party’s Intellectual Property Rights or claims of piracy or unauthorized use of the Service shall not be subject to arbitration. The parties further agree that the prevailing party in any action or proceeding to enforce any right or provisions under this Agreement, including any arbitration or court proceedings, will be entitled to recover its reasonable costs and attorneys’ fees.
11.3 Notice. supplier.io may give general notices related to the Service that are applicable to all customers by email, text, in-app notifications, or by posting them on the supplier.io website or through the Service and such electronic notices shall be deemed to satisfy any legal requirement that such notices be made in writing. Other notices must be sent via email, first class, airmail, or overnight courier to the addresses of the parties provided herein or via an Order Form and are deemed given when received. Notices to supplier.io must be sent to supplier.io Legal at email@example.com with a copy to supplier.io, Inc., 5 Westbrook Corporate Center, Suite 920, Westchester, IL 60154, Attn: Legal Dept.
11.4 Publicity. supplier.io may include Customer’s name and logo in supplier.io’s online customer list and in print and electronic marketing materials.
11.5 Beta Access. Customer may be invited to participate in review and testing of pre-release versions of new and beneficial tools and Service enhancements which may be identified to Customer as “alpha,” “beta,” “preview,” “pre-release,” “early access,” or “evaluation” product or services (collectively, the “Beta Tests” and such pre-release functionality, the “Beta Product”). Customer acknowledges and understands that its participation in Beta Tests is not required and is at Customer’s own risk, and that Beta Products are made available on an “as is” basis without warranties (express or implied) of any kind, and may be discontinued or modified at any time. Beta Products are for evaluation and testing purposes, not for production use, not supported, not subject to availability or security obligations, and may be subject to additional terms. supplier.io shall have no liability for any harm or damage arising out of or in connection with Beta Products. The Beta Products, including without limitation Customer’s assessment of any Beta Product, are Confidential Information of supplier.io.
11.6 Relationship of the Parties. The parties are and shall be independent contractors with respect to all services provided under this Agreement. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties. There are no third-party beneficiaries to this Agreement. Without limiting this Section, a Customer’s End Users are not third-party beneficiaries to Customer’s rights under this Agreement.
11.7 Force Majeure. supplier.io shall not be liable for delayed or inadequate performance of its obligations hereunder to the extent caused by a condition that is beyond supplier.io’s reasonable control, including but not limited to natural disaster, civil disturbance, acts of terrorism or war, labor conditions, governmental actions, interruption or failure of the Internet or any utility service, failures in third-party hosting services, and denial of service attacks (each a “Force Majeure Event”). supplier.io shall be relieved from its obligations (or part thereof) as long as the Force Majeure Event lasts and hinders the performance of said obligations (or part thereof). supplier.io shall promptly notify Customer and make reasonable efforts to mitigate the effects of the Force Majeure Event.
11.8 Severability; No Waiver. In the event that any provision of this Agreement is found to be invalid or unenforceable pursuant to any judicial decree or decision, such provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and remain enforceable between the parties. No waiver of any term of this Agreement shall be deemed a further or continuing waiver of such term or any other term, and a party’s failure to assert any right or provision under this Agreement shall not constitute a waiver of such right or provision.
11.9 Assignment. Neither this Agreement nor any of the rights and licenses granted under this Agreement may be transferred or assigned by either party without the other party’s express written consent (not to be unreasonably withheld or delayed); provided, however, that either party may assign this Agreement and all Order Forms under this Agreement upon written notice without the other party’s consent to an Affiliate or to its successor in interest in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets not involving a direct competitor of the non-assigning party. Any other attempt to transfer or assign this Agreement will be null and void. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors, and permitted assigns.
11.10 Not Applicable.
11.11 Modifications. supplier.io may revise this Agreement from time to time by posting the modified version on its website. If, in supplier.io’s sole discretion, the modifications proposed are material, supplier.io shall provide Customer with notice in accordance with Section 11.4 at least twenty (20) days prior to the effective date of the modifications being made. By continuing to access or use the Service after the posted effective date of modifications to this Agreement, Customer agrees to be bound by the revised version of the Agreement.
11.12 Entire Agreement. This Agreement, including all attachments, exhibits, addendums, and any Order Form(s) hereunder, constitutes the entire agreement between the parties concerning the subject matter hereof and supersedes and replaces any prior or contemporaneous representations, understandings and agreements, whether written or oral, with respect to its subject matter. The parties are not relying and have not relied on any representations or warranties whatsoever regarding the subject matter of this agreement, express or implied, except for the representations and warranties set forth in this Agreement. To the extent of any conflict or inconsistency between the provisions of the Agreement and any Order Form, the Agreement shall prevail. Notwithstanding any language to the contrary therein, no terms or conditions stated in a Customer purchase order, vendor onboarding process, web portal, or any other Customer order documentation shall be incorporated into or form any part of this Agreement, and all such terms or conditions shall be null and void.
11.13 Applicability. This Agreement applies to you if: (a) you are a new Customer or have become a new Customer on or after November 30, 2018; (b) you enter into a Trial of supplier.io that is subject to this Agreement; or (c) you click a button indicating your agreement with the terms of this Agreement or enter into an Order Form or similar form referencing or otherwise incorporating this Agreement.
12.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means either: (a) ownership or control of more than 50% of the voting interests of the subject entity; or (b) the power to direct or cause the direction of the management and policies of an entity, whether through ownership, by contract, or otherwise.
12.2 “Customer Data” means information submitted by an End User through the Service, including all associated messages, attachments, files, tasks, project names, team names, channels, conversations, and other similar content.
12.3 “Documentation” means supplier.io’s then-current online user guides, as updated from time to time, and made accessible from within the “Help” feature of the Service.
12.4 “End User” means an individual who is authorized by Customer to use the Service under Customer’s account. End Users may include, without limitation, Customer’s or its Affiliates’ employees, consultants, contractors and agents.
12.5 “Intellectual Property Rights” means unpatented inventions, patent applications, patents, design rights, copyrights, trademarks, service marks, trade names, domain name rights, mask work rights, know-how and other trade secret rights, and all other intellectual property rights, derivatives thereof, and forms of protection of a similar nature anywhere in the world.
12.6 “Improvements” means new features, functionality, enhancements, upgrades, error corrections and bug fixes to the Service made generally available by supplier.io at no additional charge.
12.7 “Order Form” means an ordering document or an online order set forth in the Service interface entered into between Customer and supplier.io (or Affiliates of either party) specifying the Service or Professional Services (if any) to be provided under this Agreement.
12.8 “Professional Services” means the customer success services provided by supplier.io, as specified in the applicable Order Form.
12.9 “Service” means supplier.io’s collaboration work management software as a service platform, including any Improvements, as described in the applicable Order Form.
12.10 “Subscription” means the access to the Service purchased by Customer on a per End User basis.
12.11 “Subscription Term” means the period identified in the Order Form during which Customer’s End Users are permitted to use or access the Service pursuant to the terms set forth in this Agreement.
LAST UPDATED: NOV 29, 2021
This supplier.io Acceptable Use Policy (this "Policy") describes prohibited uses of the cloud-based services offered by supplier.io, Inc. (the"SaaS Products") to you. The examples described in this Policy are not exhaustive. supplier.io may modify this Policy at any time with an updated version. By accessing or using the SaaS Products, you agree to the latest version of this Policy. If you violate the Policy or authorize or help others do so, supplier.io may suspend or terminate your use of the SaaS Products.
No Illegal, Harmful, or Offensive Use or Content
You may not access, use, or authorize, encourage, promote, facilitate or help others to use the SaaS Products for any illegal, harmful, fraudulent, infringing, or offensive use, or to transmit, store, display, distribute or otherwise make available content that is illegal, harmful, fraudulent, infringing or objectionable. Prohibited activities or content include any illegal activities that violate the rights of others, or that can be harmful to others, or supplier.io’s operations or reputation; content that infringes or misappropriates the intellectual property or proprietary rights of others; content that is defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable; or content or other computer technology that can damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, including viruses, Trojan horses, worms, time bombs, spyware or cancelbots.
No Security Violations
You may not use the SaaS Products to violate the security or integrity of any network, computer or communications system, software application, or network or computing device (each, a "System"). Prohibited activities include accessing or using any System without permission, including attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System; monitoring of data or traffic on a System without authorization; or forging TCP-IP packet headers, e-mail headers, or any part of a message describing its origin or route. This provision does not prohibit the legitimate use of aliases and anonymous remailers.
No Network Abuse
You may not make network connections to any users, hosts, or networks unless you have permission to communicate with them. Prohibited activities include monitoring or crawling of a System that impairs or disrupts the System being monitored or crawled; inundating a target with communications requests so the target either cannot respond to legitimate traffic or responds so slowly that it becomes ineffective; interfering with the proper functioning of any System, including any deliberate attempt to overload a system by mail bombing, news bombing, broadcast attacks, or flooding techniques; operating network services like open proxies, open mail relays, or open recursive domain name servers; or using manual or electronic means to avoid any use limitations placed on a System, such as access and storage restrictions, or to avoid incurring fees.
No E-Mail or Other Message Abuse
You must not access or use the SaaS Products to distribute, publish, send, or facilitate the sending of unsolicited mass e-mail or other messages, promotions, advertising, or solicitations (like "spam"), including commercial advertising and informational announcements. You will not alter or obscure mail headers or assume a sender’s identity without the sender’s explicit permission. You will not collect replies to messages sent from another internet service provider if those messages violate this Policy or the acceptable use policy of that provider.
supplier.io’s Monitoring and Enforcement & Violations of this Policy
supplier.io reserves the right but does not assume the obligation, to investigate any violation of this Policy or misuse of the SaaS Products. supplier.io may investigate violations of this Policy or misuse of the SaaS Products; or remove, disable access to, or modify any content or resource that violates this Policy.
supplier.io may report any activity that supplier.io suspects violate any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. supplier.io’s reporting may include disclosing your information or content if required by law and only in accordance with the applicable law’s requirements. supplier.io may also cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help investigate and prosecute illegal conduct by providing network and systems information related to alleged violations of this Policy.
If you become aware of any violation of this Policy, you must immediately notify us and provide supplier.io with assistance, as requested, to stop or remedy the violation.
YOU AGREE TO HOLD SUPPLIER.IO HARMLESS FROM AND AGAINST, AND WAIVE (TO THE EXTENT PERMITTED BY APPLICABLE LAW) ANY CLAIMS YOU MAY HAVE AGAINST SUPPLIER.IO RESULTING FROM ANY DISCLOSURE, INVESTIGATION OR ACT OR OMISSION OF SUPPLIER.IO IN THE COURSE OF CONDUCTING OR COOPERATING WITH AN INSPECTION AS DESCRIBED IN THIS POLICY.
LAST UPDATED: JUL 12, 2022
This Qurium Solutions Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by us on behalf of you in connection with the Qurium Solutions Subscription Services under the Qurium Solutions Terms of Service between you and us (also referred to in this DPA as the “Agreement”)
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
We update these terms from time to time. If you have an active Qurium Solutions subscription, we will let you know when we do via email or via in-app notification.
The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
“California Personal Information” means Personal Data that is subject to the protection of the CCPA.
“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
“Consumer”, “Business”, “Sell” and “Service Provider” will have the meanings given to them in the CCPA.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and the data protection and privacy laws of Australia and Singapore; in each case as amended, repealed, consolidated or replaced from time to time.
“Data Subject” means the individual to whom Personal Data relates.
“Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.
“Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
“Permitted Affiliates” means any of your Affiliates that (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a “Customer” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by us, and (iii) are subject to European Data Protection Laws.
“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services.
“Personal Data Breach” will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Privacy Shield” means the EU-U.S. and Swiss-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to its Decision of July, 12 2016 and by the Swiss Federal Council on January 11, 2017 respectively; as may be amended, superseded or replaced. “Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of July, 12 2016; as may be amended, superseded or replaced.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the standard contractual clauses for Processors.
“Sub-Processor” means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the provision of the Subscription Services under the Agreement. Sub-Processors may include third parties or our Affiliates but will exclude any Qurium Solutions employee or consultant.
2. Customer Responsibilities
a. Compliance with Laws. Within the scope of the Agreement and in its use of the services, you will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to us.
In particular but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Customer Data and the means by which you acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes); (iii) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. You will inform us without undue delay if it is not able to comply with its responsibilities under this sub-section (a) or applicable Data Protection Laws.
b. Controller Instructions. The parties agree that the Agreement (including this DPA), together with your use of the Subscription Service in accordance with the Agreement, constitute your complete and final Instructions to us in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require prior written agreement between us and you.
3. Qurium Solutions Obligations
a. Compliance with Instructions. We will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us.
b. Conflict of Laws. If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Subscription Services until such time as you issue new lawful Instructions with regard to the Processing.
c. Security. We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA (“Security Measures”). Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
d. Confidentiality. We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.
e. Personal Data Breaches. We will notify you without undue delay after it becomes aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.
f. Deletion or Return of Personal Data. We will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of your Subscription Service in accordance with the procedures and timeframes set out in the Agreement, save that this requirement shall not apply to the extent we are required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with its deletion practices. You may request the deletion of your Qurium Solutions account after expiration or termination of your subscription by sending a request to firstname.lastname@example.org.
4. Data Subject Requests
The Subscription Service provides you with a number of controls that you can use to retrieve, correct, delete or restrict Personal Data, which you can use to assist it in connection with its obligations under Data Protection Laws, including your obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).
To the extent that you are unable to independently address a Data Subject Request through the Subscription Service, then upon your written request we will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. You shall reimburse us for the commercially reasonable costs arising from this assistance.
If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
You agree that we may engage Sub-Processors to Process Personal Data on your behalf. We have currently appointed, as Sub-Processors, the Qurium Solutions Affiliates and third parties listed in Annex 4 to this DPA.
Where we engage Sub-Processors, we will impose data protection terms on the SubProcessors that provide at least the same level of protection for Personal Data as those in this DPA to the extent applicable to the nature of the services provided by such Sub-Processors. We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this DPA.
6. Data Transfers
You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Subscription Service in accordance with the Agreement, and in particular that Personal Data will be transferred to and Processed by Qurium Solutions, Inc. in the United States and to other jurisdictions where Qurium Solutions Affiliates and Sub-Processors have operations. We will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
7. Additional Provisions for European Data
a. Scope of Section 7. This ‘Additional Provisions for European Data’ section shall apply only with respect to European Data.
b. Roles of the Parties. When Processing European Data in accordance with your Instructions, the parties acknowledge and agree that you are the Controller of European Data and we are the Processor.
c. Instructions. If we believe that your Instruction infringes European Data Protection Laws (where applicable), we will inform you without delay.
d. Notification and Objection to New Sub-Processors. We will notify you of any changes to Sub-processors by updating Annex 4 to this DPA and will give you the opportunity to object to the engagement of the new Sub-Processor on reasonable grounds relating to the protection of Personal Data within 30 days after updating Annex 4 to this DPA. If you do notify us of such an objection, the parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, either not appoint the new Sub-Processor, or permit you to suspend or terminate the affected Subscription Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by you prior to suspension or termination).
e. Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to us, and you do not otherwise have access to the required information, we will provide reasonable assistance to you with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.
f. Transfer Mechanisms for Data Transfers.
(A) Qurium Solutions shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
(B) You acknowledge that in connection with the performance of the Subscription Services, Qurium Solutions, Inc. is a recipient of European Data in the United States. The parties acknowledge and agree the following:
(a) Standard Contractual Clauses: Qurium Solutions, Inc. agrees to abide by and process European Data in compliance with the Standard Contractual Clauses.
(b) Privacy Shield: Although Qurium Solutions, Inc. does not rely on the EU-US Privacy Shield as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for as long as Qurium Solutions, Inc. is self-certified to the Privacy Shield Qurium Solutions Inc will process European Data in compliance with the Privacy Shield Principles and let you know if it is unable to comply with this requirement.
(c) The parties agree that (i) purely for the purposes of the descriptions in the Standard Contractual Clauses, Qurium Solutions, Inc. will be deemed the “data importer” and Customer will be deemed the “data exporter” (notwithstanding that you may yourself be located outside Europe and/or be acting as a processor on behalf of third party controllers), (ii) notwithstanding the foregoing, where the Qurium Solutions contracting entity under the Agreement is not Qurium Solutions, Inc., You provide such contracting entity with a mandate to enter into the Standard Contractual Clauses with Qurium Solutions, Inc. in its name and on its behalf, such contracting entity (not Qurium Solutions, Inc.) will remain fully and solely responsible and liable to you for the performance of the Standard Contractual Clauses by Qurium Solutions, Inc., and you will direct any instructions, claims or enquiries in relation to the Standard Contractual Clauses to such contracting entity; and (iii) if and to the extent the Standard Contractual Clauses (where applicable) conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.
g. Demonstration of Compliance. We will make all information reasonably necessary to demonstrate compliance with this DPA available to you and allow for and contribute to audits, including inspections by you in order to assess compliance with this DPA. You acknowledge and agree that you will exercise your audit rights under this DPA by instructing us to comply with the audit measures described in this sub-section (g). You acknowledge that the Subscription Service is hosted by our data center partners who maintain independently validated security programs (including SOC 2 and ISO 27001) and that our systems are regularly tested by independent third party penetration testing firms. Upon request, we will supply (on a confidential basis) a summary copy of its penetration testing report(s) to you so that you can verify our compliance with this DPA.
Further, at your written request, we will provide written responses (on a confidential basis) to all reasonable requests for information made by you necessary to confirm our compliance with this DPA, provided that you will not exercise this right more than once per calendar year.
8. Additional Provisions for California Personal Information
a. Scope of Section 8. The ‘Additional Provisions for California Personal Information’ section of the DPA will apply only with respect to California Personal Information.
b. Roles of the Parties. When processing California Personal Information in accordance with your Instructions, the parties acknowledge and agree that you are a Business and we are a Service Provider for the purposes of the CCPA.
c. Responsibilities. The parties agree that we will Process California Personal Information as a Service Provider strictly for the purpose of performing the Subscription Services and Consulting Services under the Agreement (the “Business Purpose”) or as otherwise permitted by the CCPA, including as described in the ‘Data Practices and Machine Learning’ section of our Product Specific Terms.
9. General Provisions
a. Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, we reserve the right to make any updates and changes to this DPA and the terms that apply in the ‘Amendment; No Waiver’ section of the Master Terms will apply.
b. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
c. Limitation of Liability. Each party and each of their Affiliates’ liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the ‘Limitation of Liability’ section of the Master Terms and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA). For the avoidance of doubt, if Qurium Solutions, Inc. is not a party to the Agreement, the ‘Limitation of Liability’ section of the Master Terms will apply as between you and Qurium Solutions, Inc., and in such respect any references to ‘Qurium Solutions’, ‘we’, ‘us’ or ‘our’ will include both Qurium Solutions, Inc. and the Qurium Solutions entity that is a party to the Agreement.
d. Governing Law. This DPA will be governed by and construed in accordance with the
‘Contacting Entity; ‘Applicable Law; Notice’ sections of the Jurisdiction Specific Terms, unless required otherwise by Data Protection Laws.
10. Parties to this DPA
a. Permitted Affiliates. By signing the Agreement, you enter into this DPA on behalf of yourself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of your Permitted Affiliates, thereby establishing a separate DPA between us and each such Permitted Affiliate subject to the Agreement and the ‘General Provisions’ and ‘Parties to this DPA’ sections of this DPA. Each Permitted Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the purposes of this DPA only, and except where indicated otherwise, the terms “Customer”, “you” and “your” will include you and such Permitted Affiliates.
b. Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
c. Remedies. Except where applicable Data Protection Laws require a Permitted Affiliate to exercise a right or seek any remedy under this DPA against us directly by itself, the parties agree that (i) solely the Customer entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all communication with us under the DPA and will be entitled to make and receive any communication related to this DPA on behalf of its Permitted Affiliates.
d. Other rights. The parties agree that you will, when reviewing our compliance with this
DPA pursuant to the ‘Demonstration of Compliance’ section, take all reasonable measures to limit any impact on us and our Affiliates by combining several audit requests carried out on behalf of the Customer entity that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.
EXECUTED BY THE PARTIES AUTHORIZED REPRESENTATIVES:
Qurium Solutions, Inc., by and on behalf Controller: ______________________
of its affiliates, as applicable.
Signature: ________________________ Signature: ________________________
Name: Neeraj Shah Name: ___________________________
Annex 1 – Details of Processing
This Annex forms part of the DPA.
A. Nature and Purpose of Processing
We will Process Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Subscription Services.
B. Duration of Processing
Subject to the ‘Deletion or Return of Personal Data’ section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
C. Categories of Data subjects
You may submit Personal Data in the course of using the Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
• Your end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors.
• Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to your end users.
D. Categories of Personal Data
You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
• Contact Information such as Name, Email, Title, and Phone Number
• Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Subscription Service.
E. Special categories of data (if appropriate)
The parties do not anticipate the transfer of special categories of data.
F. Processing operations
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
a. Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to you; and/or
b. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
Annex 2 – Security Measures
This Annex forms part of the DPA.
We currently observe the Security Measures described in this Annex 2. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Master Terms.
a) Access Control
i) Preventing Unauthorized Product Access
Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure with multitenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key.
ii) Preventing Unauthorized Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include security group assignment, and traditional firewall rules.
Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Security reviews of code stored in our source code repositories is performed, checking for coding best practices and identifiable software flaws.
Penetration testing: We maintain relationships with industry recognized penetration testing service providers for four annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
Background checks: All Qurium Solutions employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All Qurium Solutions employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
b) Transmission Control
In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the Qurium Solutions products. Our HTTPS implementation uses industry standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.
c) Input Control
Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.
d) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
Annex 3 – Standard Contractual Clauses
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection,
The Customer, as defined in the Qurium Solutions Terms of Service (the “data exporter”)
Qurium Solutions Inc., 5 WESTBROOK CORPORATE CENTER, SUITE 920, WESTCHESTER, IL 60154 (the “data importer”), each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorized access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise Authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data-processing services
1. The parties agree that on the termination of the provision of data-processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
Name (written out in full): _________________________
On behalf of the data importer:
Name (written out in full): Neeraj Shah
Address: 5 WESTBROOK CORPORATE CENTER, SUITE 920, WESTCHESTER, IL 60154
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Standard Contractual Clauses (the ‘Clauses’).
Defined terms used in this Appendix 1 shall have the meaning given to them in the Agreement (including the DPA).
The data exporter is the legal entity specified as “Customer” in the DPA.
The data importer is Qurium Solutions, Inc.
Please see Annex 1 of the DPA, which describes the data subjects.
Categories of data
Please see Annex 1 of the DPA, which describes the categories of data. Special categories of data (if appropriate)
The parties do not anticipate the transfer of special categories of data.
Purposes of Processing
Qurium Solutions, Inc. shall process personal data as necessary to provide the Subscription Services to data exporter in accordance with the Agreement.
Please see Annex 1 of the DPA, which describes the processing operations.
Authorized Signature ____________________
Name: Neeraj Shah, CEO
Authorized Signature ___________________________________
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Standard Contractual Clauses (the ‘Clauses’).
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Please see Annex 2 of the DPA, which describes the technical and organizational security measures implemented by Qurium Solutions.
Authorized Signature ____________________
Name: Neeraj Shah, CEO
Authorized Signature ___________________________________
Appendix 3 to the Standard Contractual Clauses
This Appendix forms part of the Standard Contractual Clauses (the ‘Clauses’).
This Appendix sets out the parties’ interpretation of their respective obligations under specific terms of the Clauses. Where a party complies with the interpretations set out in this Appendix, that party shall be deemed by the other party to have complied with its commitments under the Clauses.
For the purposes of this Appendix, “DPA” means the Data Processing Agreement in place between Customer and Qurium Solutions and to which these Clauses are incorporated and “Agreement” shall have the meaning given to it in the DPA.
Clause 4(h) and 8: Disclosure of these Clauses
a. Data exporter agrees that these Clauses constitute data importer’s Confidential Information as that term is defined in the Agreement and may not be disclosed by data exporter to any third party without data importer’s prior written consent unless permitted pursuant to Agreement. This shall not prevent disclosure of these Clauses to a data subject pursuant to Clause 4(h) or a supervisory authority pursuant to Clause 8.
Clauses 5(a) and 5(b): Suspension of data transfers and termination
a. The parties acknowledge that data importer may process the personal data only on behalf of the data exporter and in compliance with its instructions as provided by the data exporter and the Clauses.
b. The parties acknowledge that if data importer cannot provide such compliance in accordance with Clause 5(a) and Clause 5(b) for whatever reason, the data importer agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract the affected parts of the Services in accordance with the terms of the Agreement.
c. If the data exporter intends to suspend the transfer of personal data and/or terminate the affected parts of the Services, it shall endeavour to provide notice to the data importer and provide data importer with a reasonable period of time to cure the noncompliance (“Cure Period”).
d. If required, the parties shall reasonably cooperate with each other during the Cure Period to agree what additional safeguards or other measures, if any, may be reasonably required to ensure the data importer’s compliance with the Clauses and applicable data protection law.
e. If after the Cure Period the data importer has not or cannot cure the non-compliance then the data exporter may suspend and/or terminate the affected part of the Services in accordance with the provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by the data exporter prior to suspension or termination). The data exporter shall not be required to provide such notice in instance where it considers there is a material risk of harm to data subjects or their personal data.
Clause 5(f): Audit
a. Data exporter acknowledges and agrees that it exercises its audit right under Clause 5(f) by instructing data importer to comply with the audit measures described in the ‘Demonstration of Compliance’ section of the DPA.
Clause 5(j): Disclosure of subprocessor agreements
a. The parties acknowledge the obligation of the data importer to send promptly a copy of any onward subprocessor agreement it concludes under the Clauses to the data exporter.
b. The parties further acknowledge that, pursuant to subprocessor confidentiality restrictions, data importer may be restricted from disclosing onward subprocessor agreements to data exporter. Notwithstanding this, data importer shall use reasonable efforts to require any subprocessor it appoints to permit it to disclose the subprocessor agreement to data exporter.
c. Even where data importer cannot disclose a subprocessor agreement to data exporter, the parties agree that, upon the request of data exporter, data importer shall (on a confidential basis) provide all information it reasonably requires in connection with such subprocessing agreement to data exporter.
Clause 6: Liability
a. Any claims brought under the Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. In no event shall any party limit its liability with respect to any data subject rights under these Clauses.
Clause 11: Onward subprocessing
a. The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176 entitled “FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC” the data exporter may provide a general consent to onward subprocessing by the data importer.
b. Accordingly, data exporter provides a general consent to data importer, pursuant to Clause 11 of these Clauses, to engage onward subprocessors. Such consent is conditional on data importer’s compliance with the requirements set out in the ‘Notification and Objection to New Sub-Processors’ section of the DPA.
Clause 12: Obligation after the termination of personal data-processing services
a. Data importer agrees that the data exporter will fulfill its obligation to return or destroy all the personal data on the termination of the provision of data-processing services by complying with the ‘Deletion or Return of Personal Data’ section of the DPA.
Authorized Signature ____________________
Name: Neeraj Shah, CEO
Authorized Signature ___________________________________
LAST UPDATED: SEP 1, 2020
Cloud Service Provider
Web Application Firewall
Texting for two-factor authentication
Email Sending Infrastructure
Documents, Email, and Reporting
Customer Support and Customer Relationship Management
Metacube Software Pvt Ltd
|CVM Solutions, LLC||United States|
|CVM Solutions Private Limited||India|