Master Software Agreement

VASION MASTER SOFTWARE AGREEMENT

This Master Software Agreement is between PrinterLogic, Inc. doing business as Vasion, a Delaware Corporation (“Vasion”) and the individual or entity (“You,” “you,” “Your,” “your”) that is a recipient of Vasion’s Services as described on the applicable Quote. Vasion and You are referred to individually as a “Party” and collectively as the “Parties.” By accepting this Agreement, You agree to follow and be bound by the terms and conditions of this Agreement.

CUSTOMER’S ACCEPTANCE OF THIS AGREEMENT IS INDICATED BY ANY OR A COMBINATION OF THE FOLLOWING: (1) CLICKING ON THE “I ACCEPT” BUTTON, (2) EXECUTING A VASION-ISSUED NON-EXPIRED QUOTE THAT REFERENCES THIS AGREEMENT, OR (3) USING THE VASION SERVICES, INCLUDING, BUT NOT LIMITED TO, ANY FREE SERVICES (AS DEFINED IN SECTION 1 BELOW).

The Services, Documentation, and/or Vasion website may not be accessed for purposes of monitoring availability, performance or functionality, or for any other benchmarking or competitive purposes. Vasion’s direct competitors are prohibited from accessing the Services and website.

1. DEFINITIONS

“Acceptable Use Policy”: shall mean the Acceptable Use Policy, updated from time to time, located at: https://printerlogic.com/acceptable-use-policy/, which shall be deemed validly incorporated into this Agreement as if contained within the main body.

“Affiliate” means an entity directly or indirectly owned or controlled by a party, where “ownership” means the beneficial ownership of fifty percent (50%) or more of an entity’s voting equity securities or other equivalent voting interests and “control” means the power to direct the management or affairs of an entity.

“Agreement” means this Master Software Agreement, updated from time to time.

“Customer” means either: 1) in the case of an individual accepting this Agreement on their own behalf, such individual, or 2) in the case of an individual accepting this Agreement on behalf of a company or other legal entity, the company or other legal entity for which such individual is accepting this Agreement, and Affiliates of that company or entity (if applicable and only for so long as they remain Affiliates) that are using the Services. The Customer shall be responsible for the actions and omissions of its Affiliates.

“Customer Data” means electronic data and information, including Personal Data, submitted by, to, or for Customer to the Services, excluding Third Party Applications.

“Documentation” means Vasion’s then-current publications on the functionality, specifications and configurations of its Services.

“DPA” shall mean Data Processing Addendum, attached hereto as Exhibit A, and the terms thereof are validly incorporated herein as if they were contained within the body of this Agreement.

“Free Services” means Services that Vasion makes available to Customer free of charge, including free trials. Free Services exclude Purchased Services.

“Malware” means code, files, scripts, agents or programs intended to do harm, including for example viruses, worms, time bombs and Trojan Horses.

“Personal Data” means data that may be used to identify an individual as is defined by the relevant applicable data protection laws.

“Quote” means a Vasion-issued ordering document specifying the Services to be provided to Customer by Vasion.

“On-premise Software” means collectively the object code versions of the Vasion computer software programs installed on the Customer and/or User’s premises and any applicable user documentation.

“Professional Services” means the technical consulting, configuration, training, installation, and implementation services to be provided by Vasion under a separate statement of work or agreement mutually agreed upon by both Parties.

“Purchased Services” means Services that Customer or Customer’s Affiliate purchases pursuant to a Quote, as distinguished from Free Services or those provided pursuant to a free trial.

“SaaS Service(s)” means any Vasion-hosted software as a service (SaaS) including Cloud computing services, print management, storage, e-signature, workflow, eforms, analog to digital, and other similar services developed, operated, and/or maintained by Vasion, and includes all technology made available as part, or in support, of SaaS Services. SaaS Services are comprised of web-based services hosted by Vasion which are made available to and accessed by User at a designated website or IP address login or by such other means as may be designated, enabled, or provided by Vasion.

“Service(s)” means Vasion’s commercially available computer program bundle, SaaS Services, On-premise Software, Professional Services, apps, or add-ons thereto made available to the Customer and any related update which may be furnished by Vasion to Customer provided that Customer has purchased a subscription or for On-premise Software current maintenance services (as fully described in the SLA). Services exclude Third Party Applications.

“SLA” shall mean the service level agreement, updated from time to time, which shall be deemed validly incorporated into this Agreement as if contained within the main body, located at: https://www.printerlogic.com/support-sla/.

“Third Party Applications” means a web-based or offline software application that is provided by the Customer or a party other than Vasion.

“Usage Limits” shall mean the Customer or User’s Usage Limits as described in the applicable Quote, including, but not limited to, named Users, number of licenses, workflows, and storage.

“User” means an individual who is authorized by Customer to use a Service, for whom Customer has purchased a subscription, and to whom Customer has supplied a user identification and password. Each User account may only be used by a single individual.

“Vasion” shall mean either PrinterLogic, Inc., PrinterLogic Limited, or PrinterLogic GmbH, as the case may be, and in all cases doing business as “Vasion”.

2. FREE SERVICES

2.1 Free Services. Use of any Free Services is at Customer’s sole discretion, sole risk, and subject to the terms and conditions of this Agreement. In the event of a conflict between this section and any other portion of this Agreement, this section shall control.

If Customer participates in Free Services, the Free Services will terminate at the earlier of (a) the start date of Customer’s subscription for Purchased Services or (b) termination of the Free Services by either Party. Any Customer Data entered into the Services during Customer’s use of the Free Services will be permanently lost, unless before the end of the trial period, Customer purchases a subscription to the same Services as those covered by the Free Services, or Customer exports the Customer Data.

NOTWITHSTANDING THE “REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES, AND DISCLAIMERS” SECTION AND “INDEMNIFICATION BY VASION” SECTION BELOW, THE FREE SERVICES ARE PROVIDED “AS-IS” WITHOUT ANY WARRANTY. VASION SHALL HAVE NO INDEMNIFICATION OBLIGATIONS NOR LIABILITY OF ANY TYPE WITH RESPECT TO THE FREE SERVICES UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW; IN WHICH CASE, VASION’S LIABILITY WITH RESPECT TO ANY FREE SERVICES SHALL NOT EXCEED THE LOWER OF 1) THE AMOUNT REQUIRED BY LAW OR 2) $100.00. FURTHERMORE, VASION OFFERS NO SLA FOR ANY FREE SERVICES. WITHOUT LIMITING THE FOREGOING, VASION DOES NOT REPRESENT OR WARRANT TO CUSTOMER THAT CUSTOMER’S USE OF THE FREE SERVICES WILL: (A) MEET CUSTOMER’S REQUIREMENTS, (B) BE UNINTERRUPTED, TIMELY, SECURE OR FREE FROM ERROR, AND/OR (C) PROVIDE ACCURATE USAGE DATA. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE “LIMITATION OF LIABILITY” SECTION BELOW, CUSTOMER SHALL BE FULLY LIABLE UNDER THIS MASTER SOFTWARE AGREEMENT TO VASION FOR ANY DAMAGES ARISING OUT OF CUSTOMER’S USE OF THE FREE SERVICES.

3. USE OF SERVICES

3.1 Right of Use. Subject to the terms of this Agreement, Vasion grants a limited, revocable, nonexclusive, non-transferable subscription to implement and use the Services. As part of the registration process, You will identify an administrative user name and password for Your account. Vasion reserves the right to refuse registration it deems inappropriate. If you purchased Vasion On-premise Software, except as otherwise expressly provided herein, Vasion grants You a license to (i) install, use, access, display, and run one (1) copy of the On-premise Software on your server, and (ii) install, access, and maintain one (1) back-up copy of the On-premise Software on a backup server. Vasion reserves any right not expressly granted to you herein.

3.2 Customer Responsibilities. Customer will: (a) be responsible for the accuracy and quality of Customer Data and for securing any privacy related rights and permissions in relation to Customer Data as required by applicable laws and for Customer’s use of Customer Data with the Services and the interoperation of any Third Party Applications; (b) use commercially reasonable efforts to prevent unauthorized access to or use of the Services, and notify Vasion promptly of any such unauthorized access or use; and (c) use Services only in accordance with this Agreement, Documentation, the Acceptable Use Policy, Quotes, and applicable laws and government regulations. Any use of the Services in breach of the foregoing by Customer or Users that Vasion believes threatens the security, integrity, or availability of Vasion’s services, may result in Vasion’s immediate suspension and/or termination of the Services; however, Vasion will use commercially reasonable efforts under the circumstances to provide Customer with notice and an opportunity to remedy such violation or threat prior to any such suspension where appropriate. You further agree to be responsible for the acts and omissions of the Users of the Service in breach of this Agreement.

3.3 Usage Limits. Services are subject to Usage Limits specified in the Quote. If Customer exceeds the Usage Limit, Vasion may work with Customer to seek to reduce Customer’s usage so that it conforms to that limit. If, notwithstanding Vasion’s efforts, Customer is unable or unwilling to abide by the contractual Usage Limit, Customer shall pay for its excess usage by signing a Quote for additional quantities of the applicable Services within ten (10) business days upon Vasion’s request, and/or paying any invoice for excess usage in accordance with the “Invoicing and Payment” section below.

3.4 Usage and License Restrictions. Customer is solely responsible for the legality of its own use of the Services and Customer Data. Vasion may suspend or terminate Customer’s use of the Services, remove Customer Data or any other data, information, or content of data or files used, stored, processed or otherwise by Customer or Users, if Vasion reasonably believes Customer or Users: (a) directly or indirectly make any Service available to anyone other than Customer or Users unless expressly stated otherwise in the Quote; (b) sell, resell, license, sublicense, distribute, or make available any Service; (c) use any Service or third party application to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party rights; (d) use any Service or Third Party Application to store or transmit Malware; (e) interfere with or disrupt the integrity or performance of any Service or third party data contained therein; (f) attempt to gain unauthorized access to any Service or its related systems or networks; (g) permit direct or indirect access to or use of any Service in a way that circumvents a contractual Usage Limit, or use any Service to access or use any of Vasion’s intellectual property except as may be expressly permitted under this Agreement; (h) modify, copy, or create derivative works based on a Service or any part, feature, function or user interface thereof; (i) copy any Vasion Documentation or other materials except as permitted herein; (j) frame or mirror any part of any Service; or (k) disassemble, reverse engineer, or decompile any Service or access it to: (1) build a competitive product or service; (2) build a product or service using similar ideas, features, functions or graphics of any Service; (3) copy any ideas, features, functions or graphics of any Service; (4) determine whether any Services are within the scope of any patent; or (5) for any other benchmarking or financially harmful purposes.

3.5 Removal of Third Party Applications. If Customer receives notice from Vasion that a Third Party Application must be removed, modified, and/or disabled to avoid violating applicable law, this Agreement, third-party rights, and/or the Acceptable Use Policy, Customer will promptly do so. If Customer does not promptly take required action in accordance with the above, or if in Vasion’s judgment, a continued violation is likely to occur, Vasion may disable the applicable Service(s) and/or operation with Third Party Application. If requested by Vasion, Customer shall confirm such deletion and discontinuance of use in writing and Vasion shall be authorized to provide a copy of such confirmation to any such third party claimant or governmental authority, as applicable.

4. DATA PROTECTION AND PERSONAL INFORMATION

4.1 Protection of Data. Each party shall comply with its respective obligations under applicable data protection laws. Each party shall maintain appropriate administrative, physical, technical, and organizational measures that ensure an appropriate level of security for Confidential Information and Personal Data. Vasion will process Personal Data in accordance with the DPA.

4.2 Customer’s Use of Personal Information. Customer will be solely responsible for providing any notices required by applicable law to, and receiving any consents and authorizations required by applicable law from, persons whose personal information may be included in account data and Customer Data.

4.3 General Data Protection Regulation. To the extent the General Data Protection Regulation (the “Directive”) is applicable, each party agrees that, in the performance of its respective obligations under this Agreement, it shall comply with the provisions of the Directive where applicable.

4.3.1 For the purpose of this clause, ‘data controller’, ‘data processor’, ‘data subject’, ‘Information Commissioner’, ‘personal data’, and ‘processing’ shall have the meanings given to them in the Directive.

4.3.2 The parties agree that you are the data controller in respect of any personal data that Licensor processes in the course of providing services for you (other than business contact data processed by the Licensor to allow it to manage your account), and that Licensor is the data processor of said personal data.

4.3.3 Further, the parties agree that you are the Data Exporter and Licensor is the Data Importer as defined within the standard contractual clauses as amended and set forth in Exhibit A below, and the parties agree to the terms and conditions of the said standard contractual clauses.

5. VASION PRODUCTS AND SERVICES

5.1 Future Features. Customer agrees that its purchase and future purchases are not contingent on the delivery of any future functionality or features, or dependent on any oral or written public comments made by Vasion regarding future functionality or features.

5.2 Third Party Products and Services. Any acquisition by Customer of third party products or services, and any exchange of data, of any nature, between Customer and any third party provider, product, or service is solely between Customer and that third party. Vasion does not warrant or support third party applications, products, or services. Vasion is not responsible for any disclosure, modification or deletion of Customer Data resulting from access by such third party product or its provider.

5.3 Integration with Third Party Applications. The Services may contain features that interoperate with third party applications. Vasion does not guarantee the continued availability of such Service features, and may cease providing them without entitling Customer to any notice, refund, credit, or other compensation.

6. FEES AND PAYMENT

6.1 This Section is only applicable in the event Customer is purchasing Services directly from Vasion and not through a third party.

6.2 Fees. Customer shall pay all fees specified in the Quote. Except as otherwise specified herein or in the applicable Quote, (i) fees are based on Services subscriptions purchased and not actual usage (except for excess Usage Limit payments as described in Section 3.3 “Usage Limits”); (ii) payment obligations are non-cancelable (even before an invoice is issued) and fees paid are non-refundable; and (iii) quantities purchased cannot be decreased during the relevant subscription term.

6.3 Invoicing and Payment. If Customer provides credit card information to Vasion, Customer authorizes Vasion to charge said credit card for all Services listed in the Quote(s) for the initial subscription term, additional purchases during the term(s), and any renewal subscription term(s). Unless otherwise stated in the Quote, invoiced fees are due net 30 (thirty) days from the invoice date. Customer is responsible for providing complete and accurate billing and contact information to Vasion and promptly notifying Vasion of any changes to such information. Time is of the essence for payment. Failure to maintain a valid automated payment method may result in the suspension of Services without notice.

6.4 Overdue Charges. If any invoiced amount, or portion thereof, is not received by Vasion by the due date, then without limiting Vasion’s rights or remedies, those charges may accrue late interest at the rate of: 1) 1.5% of the outstanding balance per month, or 2) the maximum rate permitted by law, whichever is greater.

6.5 Suspension of Service and Acceleration. If any charge or part thereof owed by Customer under this or any other agreement for Services is 30 (thirty) days or more overdue, Vasion may, without limiting its other rights and remedies, accelerate Customer’s fee obligations and suspend applicable Services until such amounts are paid in full. If Customer is reasonably and in good faith disputing the applicable charges and is cooperating diligently to resolve the dispute, Vasion will not immediately exercise its rights under the “Overdue Charges” or “Suspension of Service and Acceleration” sections.

6.6 Taxes. Vasion’s fees do not include any taxes or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with its purchases hereunder. If Vasion has the legal obligation to pay or collect Taxes for which Customer is responsible under this section, Vasion will invoice Customer and Customer will pay that amount unless Customer provides Vasion with an appropriate valid tax exemption certificate. For clarity, Vasion is solely responsible for taxes assessable against it based on its income, property, and employees.

7. PROPRIETARY RIGHTS AND LICENSES

7.1 Customer’s Reservation of Rights. As between the Parties, Customer owns all rights, title, and interest in and to Customer Data. Customer hereby grants Vasion a limited, non-exclusive, royalty-free, world-wide, license for the term of this Agreement to access, use, reproduce, transmit, store, and archive the Customer Data solely as necessary for Vasion to provide the Services to Customer during the term of this Agreement.

7.2 Vasion’s Reservation of Rights. Vasion owns all rights (including but not limited to intellectual property rights), title, and interest in and to the Services, Documentation, feedback (including, without limitation, the right to own and incorporate any suggestion, recommendation, correction, or other feedback provided by Customer or Users into Vasion’s services), and usage data. Vasion may collect usage data and use it to operate, improve, support services, and for other lawful business practices, such as analytics, benchmarking, and reports. No rights are granted to Customer hereunder other than as expressly set forth herein.

8. CONFIDENTIALITY

8.1 Definition of Confidential Information. “Confidential Information” means all information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and/or the circumstances of disclosure. Confidential Information of Customer includes Customer Data. Confidential Information of Vasion includes pricing, technical information, security information, future product and service offerings, and product roadmaps. Confidential Information of each party includes the terms and conditions of this and previous agreements, negotiations between the parties, business and marketing plans, and business processes, trade secrets, and information that should reasonably be understood as confidential in nature. However, Confidential Information does not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party; (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (iii) is received from a third party without breach of any obligation owed to the Disclosing Party; or (iv) was independently developed by the Receiving Party.

8.2 Protection of Confidential Information. As between the parties, each party retains all ownership rights in and to its Confidential Information. The Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care). Notwithstanding the foregoing, under terms of confidentiality materially as protective as set forth herein, each party may disclose information to the extent necessary to perform its obligations under this Agreement. Recipient’s duty to protect trade secrets continues for so long as it remains a trade secret under applicable law. For Confidential Information other than trade secrets, Recipient’s duty to protect Confidential Information expires three (3) years from the date of termination of this agreement.

8.3 Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure.

8.4 This confidentiality section supersedes all prior and contemporaneous agreements concerning its subject matter. Any such agreements are hereby terminated, provided, however, that: 1) all survival provisions in said agreements shall not terminate and 2) any information disclosed by either party prior to the effective date of this agreement is governed by said prior and contemporaneous agreements.

9. REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES, AND DISCLAIMERS

9.1 Limited Warranty. Vasion warrants that during the purchased subscription term, the Services will perform materially in accordance with the applicable Documentation. This warranty does not apply to (a) any Free Services or (b) issues in or caused directly or indirectly by third-party platforms or Third Party Applications. In the event that there is a defect in the Services, you expressly acknowledge and agree that you must provide Vasion with a reasonably detailed explanation of the defect within fifteen (15) days of discovering the defect. You further agree that your exclusive remedy shall be that Vasion, in its sole discretion, shall either (i) replace or repair the affected Service, or (ii) terminate the Services and this Agreement and return the pro rata amount paid for the affected Services.  

9.2 Disclaimers. EXCEPT AS EXPRESSLY PROVIDED HEREIN, NEITHER PARTY MAKES ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. VASION IS NOT LIABLE FOR DELAYS, FAILURES, OR PROBLEMS INHERENT IN USE OF THE INTERNET OR OTHER SYSTEMS OUTSIDE VASION’S CONTROL AND DOES NOT WARRANT THAT ANY SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE. FREE SERVICES ARE PROVIDED “AS IS,” AND AS AVAILABLE EXCLUSIVE OF ANY WARRANTY WHATSOEVER.

10. INDEMNIFICATION

10.1 Indemnification by Vasion. Vasion will defend You against any claim, demand, suit, or proceeding brought against You by a third party alleging that the Service infringes such third party’s intellectual property rights (a “Claim Against You”), and will indemnify You from the damages, and reasonable and necessary attorney fees and costs finally awarded against You as a result of the infringement, or for amounts paid by You under a settlement approved by Vasion in writing. If Vasion receives information about an infringement or misappropriation claim related to a Service, Vasion may, in its discretion and at no cost to You, (i) modify the Services so that they are no longer claimed to infringe or misappropriate and will not be deemed to be in breach of any warranty under Section 9.1 above, (ii) obtain a license for Your continued use of that Service in accordance with this Agreement, or (iii) terminate Customer’s subscriptions for that Service upon a reasonable period of written notice where possible and refund Customer any prepaid fees covering the remainder of the term of the terminated subscriptions. The above defense and indemnification obligations do not apply if: (1) the allegation and/or claim does not state with specificity that the Services are the basis of the Claim Against Customer; (2) a Claim Against Customer arises from the use or combination of the Services or any part thereof with software, hardware, data, or processes of a third party if the Services or use thereof would not infringe without such combination; (3) a Claim Against Customer arises from any Free Services or complimentary offerings; or (4) a Claim against Customer arises from a Third Party Application; or (5) Customer’s or User’s breach of this Agreement, Privacy Policy, Acceptable Use Policy, Documentation, or Quote.

10.2 Indemnification by Customer. Customer will defend Vasion and its Affiliates against any claim, demand, suit or proceeding made or brought against Vasion by a third party concerning (1) any Customer Data or Customer’s use of Customer Data with the Services; or (2) a Third Party Application used by Customer (including the combination of a Third Party Application used by Customer and used with the Services) that infringes or misappropriates such third party’s intellectual property or other rights; or (3) Customer’s or User’s use of the Services in an unlawful manner or in violation of the Agreement, Privacy Policy, Acceptable Use Policy, Documentation, or Quote (each a “Claim Against Vasion”), and will indemnify Vasion from any damages, attorney fees and costs as a result of, or for any amounts paid by Vasion under a settlement approved by Customer in writing.

10.3 Indemnification Procedure. The Party seeking indemnification under this section must (a) provide the indemnitor prompt written notice of the Claim Against Customer or Claim Against Vasion, respectively (“Claim”), (b) give the indemnitor sole control of the defense and settlement of the Claim (except that the indemnitor may not settle any Claim unless it receives written approval from indemnitee (which shall not be unreasonably withheld)), and (c) give the indemnitor all reasonable assistance, at indemnitor’s expense.

10.4 Exclusive Remedy. This “Indemnification” section states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any third party claim described in this section.

11. LIMITATION OF LIABILITY

11.1 Limitation of Liability. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EACH PARTY TOGETHER WITH ALL OF ITS AFFILIATES ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER AND ITS AFFILIATES HEREUNDER FOR THE SERVICES GIVING RISE TO THE LIABILITY IN THE TWELVE MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, BUT WILL NOT LIMIT EITHER PARTY’S INDEMNIFICATION OBLIGATIONS OR CUSTOMER’S AND ITS AFFILIATES’ PAYMENT OBLIGATIONS UNDER THE “FEES AND PAYMENT” SECTION ABOVE.

11.2 Exclusion of Consequential and Related Damages. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR ANY: (1) LOST PROFITS; (2) LOST OR ANTICIPATED REVENUES; (3) LOSS OF GOODWILL; (4) LOSS OF USE; (5) LOST DATA; (6) ANY COSTS AND EXPENSES FROM OR IN CONNECTION WITH REPLACEMENT SERVICES; (7) BUSINESS INTERRUPTION; OR (8) ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY OTHER INTANGIBLE LOSSES, HOWSOEVER ARISING, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY’S OR ITS AFFILIATES’ REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW.

12. TERM AND TERMINATION

12.1 Term of Agreement. Unless terminated earlier in accordance with this agreement, this Agreement commences on the date specified on the Quote.

12.2 Term of Subscriptions. Unless terminated earlier in accordance with this agreement, the term of each subscription shall be as specified in the applicable Quote. Subscriptions will automatically renew for additional one year terms, unless either party gives the other written notice at least 30 (thirty) days before the end of the relevant subscription term.

12.3 Termination. A party may terminate this Agreement for cause: (i) upon 30 (thirty) days written notice to the other party of a material breach if such breach remains uncured at the expiration of such period, (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors, or (iii) either party is required to do so by law.

12.4 Refund or Payment upon Termination. If this Agreement is terminated by Customer in accordance with this section, Vasion will refund Customer any prepaid fees covering the remainder of the subscription term of the applicable Quote after the effective date of termination. If this Agreement is terminated by Vasion in accordance with the “Termination” section above, Customer will pay any unpaid fees covering the remainder of the subscription term of all Quotes to the extent permitted by applicable law. In no event will termination relieve Customer of its obligation to pay any fees payable to Vasion for the period prior to the effective date of termination or interest owed after the date of termination.

12.5 Surviving Provisions. The sections titled “Free Services,” “Fees and Payment,” “Proprietary Rights and Licenses,” “Confidentiality,” “Disclaimers,” “Indemnification,” “Limitation of Liability,” “Refund or Payment upon Termination,” “Removal of Third Party Applications,” “Surviving Provisions” and “General Provisions” will survive any termination or expiration of this Agreement, and the section titled “Protection of Customer Data” will survive any termination or expiration of this Agreement.

13. GENERAL PROVISIONS

13.1 Calendar Days. Unless otherwise stated, all references to “days” shall mean calendar days.

13.2 Export Compliance. The Services and other Vasion technology may be subject to export laws and regulations of the United States and other jurisdictions. Customer (a) represents that neither it nor any User is named on any U.S. government list of prohibited or restricted parties or located in (or a national of) a country that is subject to a U.S. government embargo or that has been designated by the U.S. government as a “terrorist supporting” country, and (b) agrees not to access or use the Service in violation of any U.S. export embargo, prohibition or restriction. Customer will not permit any User to access or use any Service in a U.S.-embargoed country or region or in violation of any U.S. export law or regulation.

13.3 Opportunity to consult with counsel. Each party agrees that it has had the opportunity to consult with counsel concerning this agreement and the contents contained herein prior to signing.

13.4 Entire Agreement and Order of Precedence. This Agreement, including the documentation which is incorporated herein by way of a link, is the entire agreement between Vasion and Customer regarding Customer’s use of Services and supersedes all prior and contemporaneous agreements, written or oral, concerning its subject matter. No representations have been made, other than what is provided for in this agreement and neither party is relying on any representations made outside of this agreement. The parties agree that any term or condition stated in a Customer purchase order or in any other Customer documentation (excluding Quote(s)) is void and is expressly rejected by Vasion. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) this Agreement, (2) the applicable Quote. Titles and headings of sections of this Agreement are for convenience only and shall not affect the construction or interpretation of any provision of this Agreement.

13.5 Waiver and Severability. No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this Agreement will remain in effect.

13.6 Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. Each party will be solely responsible for payment of all compensation owed to its employees. Except as otherwise expressly set out herein, there are no third-party beneficiaries under this Agreement.

13.7 Customer’s Right to Assign. So long as Customer remains current in the payment of all amounts when due, Customer may assign this Agreement in connection with any merger, consolidation, reorganization, or a sale of all or substantially all of Customer’s business or business assets relating to this Agreement to an unaffiliated third party provided that 1) such assignment is not to a Vasion competitor and 2) Customer provides Vasion 30 (thirty) days advance written notice. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their respective successors and permitted assigns. Under no other circumstances may Customer assign this Agreement without the written consent of Vasion; any attempt to do so is void.

13.8 Vasion Contracting Entity, Notices, Governing Law, and Venue. The Vasion entity entering into this Agreement, the address to which Customer should direct notices under this Agreement, the law that will apply in any dispute or lawsuit arising out of or in connection with this Agreement, and the courts that have jurisdiction over any such dispute or lawsuit, depend on where Customer is domiciled. Each party agrees to the applicable governing law in the table below without regard to choice or conflicts of law rules, and to the exclusive jurisdiction above. Customer hereby consents to personal jurisdiction in and to the respective jurisdiction.

If Customer is domiciled in: The United States of America, Mexico or any other country or region other than EMEA or Germany
The Vasion entity entering into this Agreement is: PrinterLogic, Inc. dba Vasion, a Delaware corporation
Notices should be addressed to: 432 South Tech Ridge Drive, Saint George, UT 84770, U.S.A., attn: Legal Department
Governing law is: Delaware, USA
Exclusive jurisdiction of disputes: Federal courts in Delaware, USA

If Customer is domiciled in: EMEA (excluding UK)
The Vasion entity entering into this Agreement is: PrinterLogic, Limited (Trade name Vasion)
Notices should be addressed to: 432 South Tech Ridge Drive, Saint George, UT 84770, U.S.A., attn: Legal Department
Governing law is: English
Exclusive jurisdiction of disputes: All disputes shall be referred to and finally resolved by arbitration in London conducted in the English language by a sole arbitrator pursuant to the LCIA Arbitration Rules which are deemed to be incorporated by reference into this section 13.7

If Customer is domiciled in: UK
The Vasion entity entering into this Agreement is: Printerlogic, Limited (Trade name Vasion)
Notices should be addressed to: 432 South Tech Ridge Drive, Saint George, UT 84770, U.S.A., attn: Legal Department
Governing law is: English
Exclusive jurisdiction of disputes: Courts of England

If Customer is domiciled in: Germany
The Vasion entity entering into this Agreement is: PrinterLogic GmbH (Trade name Vasion)
Notices should be addressed to: 432 South Tech Ridge Drive, Saint George, UT 84770, U.S.A., attn: Legal Department
Governing law is: German
Exclusive jurisdiction of disputes: Courts of Germany

13.9 Manner of Giving Notice. Vasion’s physical address for notices is as specified in the table above, and its email address for notices is legalteam@vasion.com. Customer’s physical (and, if applicable, email) address for notices is specified on the Quote. Notices required or permitted to be given under this Agreement shall be in writing and shall be deemed to be sufficiently given: (i) one (1) business day after being sent by overnight courier to the Party’s physical address; (ii) three (3) business days after being sent by registered mail, return receipt requested, to the Party’s physical address; or (iii) one (1) business day after being sent by email to the Party’s email address (provided that (1) the sender does not receive a response that the message could not be delivered or an out-of-office reply and (2) any notice for an indemnifiable Action, breach, or termination must be sent by courier or mail pursuant to clause (i) or (ii)) and marked “Legal Notice”.

Exhibit A

EU GDPR—2021 standard contractual clauses (SCCs) for the transfer of personal data to third countries—module two—controller to processor

STANDARD CONTRACTUAL CLAUSES (including UK Addendum)

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (1) for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii) Clause 9(a), (c), (d) and (e);

(iv) Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

Not used

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (2) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a) GENERAL WRITTEN AUTHORISATION: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least ten days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a) Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

OR

(a) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

OR

(a) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards (5);

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter, and the data exporter agrees to notify the data subject, promptly (if necessary with the help of the data importer) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Germany.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of Germany.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

Footnotes:

(1) Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.

(2) The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.

(3) This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.

(4) The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards.

(5) As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

If executed below by the data exporter or where not executed, where otherwise accepted by the data exporter, or by using the software, the parties agree to these Standard Contractual Clauses, including the Annexes and, to the extent that the data exporter makes an international transfer of data to which UK Data Protection laws apply, the parties also agree that they are bound by the UK Addendum to the EU Commission Standard Contractual Clauses of even date.

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

1 Name: the contracting entity to PrinterLogic's licensing agreement.

Address: As detailed on the licensing agreement/ order form or purchase order

Contact person's name, position and contact details: as provided separately to PrinterLogic by the data exporter.

Activities relevant to the data transferred under these Clauses: provision of software, software services and related support activities by PrinterLogic.

Role (controller/processor): Controller

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

1 Name: PrinterLogic, Inc. (trading as Vasion) "Vasion"

Address: 432 S. Tech Ridge Drive, St. George, UT 84770

Contact person's name, position and contact details: Martin Wright, General Counsel, martin.wright@vasion.com

Activities relevant to the data transferred under these Clauses: provision of software, software services and related support activities by PrinterLogic.

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

The description of the transfer will differ depending on which application/product is being used, see below for further details.

PRINT DRIVER MANAGEMENT SOFTWARE AKA PRINTERLOGIC SAAS AND ON-PREMISE OFFERINGS (“PrinterLogic Software”)

Categories of data subjects whose personal data is transferred

The personal data transferred concerns the following categories of data subjects: End users of the PrinterLogic application which may include employees and other personnel of the Data Exporter or of the customers of the Data Exporter, solely at the control and discretion of the Data Exporter or its end users.

Categories of personal data transferred

The personal data transferred may concern the following categories of data:

First name, last name, email address, title of print job, username and password.

The personal data that may be transferred would not normally include any special categories of data, but the data exporter is in control in this regard.

It should be noted that in Pull Printing mode the software will capture and store the title of a document which will be produced in print reports accessible to the licensor’s IT personnel. The title of printed documents which may be reported (and stored) will be the title of the document as transmitted to the printer to be printed. This title may therefore contain special category data or personal data belonging to the data subject for which the data exporter may need to satisfy itself that it has obtained the express consent of the data subject to transfer in order to comply with its legal obligations under the General Data Protection Regulation 2016/679 (GDPR).

The controller is in control and may turn this function on or off as it sees fit.

If controller turns this function off, the Pull Printing mode within software will capture and temporarily store the title of a document which will be encrypted and not accessible to the licensor’s IT personnel and will be temporarily stored until released by the transmitter of the document or for a period of time elected by the Controller until automatic expiry.

Data Exporter warrants to the Data Importer that where such consent must be obtained it has done so and that it has fully complied with its obligations in this regard.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The Data Exporter has contracted with the Data Importer for certain software services. In its use of the software services the Data Exporter will upload certain personal data into the software’s database which may be stored at Controller’s election either on servers (at the time of writing on Amazon Web Services AWS) outside of the EEA (which definition in the event that the United Kingdom leaves the European Union shall include servers in the United Kingdom), at the time of writing on Amazon Web Services (AWS) in the United States or within the EEA (which definition in the event that the United Kingdom leaves the European Union shall include servers in the United Kingdom). The data may be accessed, on the Data Exporter’s request, by the Data Importer in order to provide technical support services. The personal data will be processed for the duration of the contract for software services and for a further period of thirty (30) days to allow appropriate time for deletion and any requested return of the data to the Data Exporter.

Nature of the processing

The print management product does not typically actively use or access any data including personal data that data exporter uploads to its services and products, except where it is necessary to provide technical support to the Data Exporter at the Data Exporter’s request.

Vasion’s PrinterLogic Software (offered as a SaaS solution or an on-premise solution) performs two services that involve personal data.

1. Active Directory: A Vasion customer can establish an Active Directory within the PrinterLogic SaaS software that identifies authorized users for a specific printer along with the manner in which the authorized user may use the printer (i.e. printing in color or black only). The customer controls the information needed to run such authorizations (e.g. username, pin number, ID number, etc.)

2. Print Job Auditing and Reporting

The software provides the customer with the following information via a print report.

– Quantity of pages each department prints weekly, monthly or quarterly

– Usage of any given printer to determine if a printer can be phased out

– Actual cost of printing, itemized by department, location or printer

– Identification of users who frequently initiate large print jobs

– Notification of when a user prints a document labelled as “classified”

– Overall printer usage data and printer consolidation guidance

– Monitoring and reporting of all USB printing

Purpose(s) of the data transfer and further processing

For the on-premise solution, the PrinterLogic software is installed behind the customer’s firewall and Vasion does not have access to the customer’s network unless granted access during a product support request. For the SaaS solution, a client is installed locally that communicates with the PrinterLogic SaaS product hosted in Amazon Web Services which customers may elect to be stored on servers in the United States, or in the EEA (which in the event that the United Kingdom leaves the European Union shall exclude the United Kingdom). Although a customer may elect to store data on servers in the EEA, for purposes of software development and support, a limited number of PrinterLogic production engineers based in the United States may have access to data stored within servers in the EEA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The personal data will be processed for the duration of the contract for software services and for a further period of sixty (60) days to allow appropriate time for deletion and any requested return of the data to the Data Exporter. Data stored within backup archives in AWS will be retained for 6 months after termination of services and permanently deleted thereafter.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

At the time of writing the PrinterLogic SaaS solution is built and resides in Amazon Web Services (AWS). AWS is used to host the solution. Vasion does not utilize any other sub processors (or third-party providers) to access, process, or store customer data.

VASION BUSINESS PROCESS AUTOMATION PRODUCT (E-SIGNATURE, CAPTURE, WORKFLOW, and STORAGE) “Vasion Product”

Categories of data subjects whose personal data is transferred

The personal data transferred concerns the following categories of data subjects: End users of the Vasion product which may include employees and other personnel of the Data Exporter or of the customers of the Data Exporter, any other individual whose personal data is contained within the content uploaded to Vasion, always solely at the control and discretion of the Data Exporter or its end users.

Categories of personal data transferred

The personal data processed may concern the following categories of data: first name, last name, email address, title of printed document, username and password, IP addresses, email senders and recipients, and any other categories of personal data that may be contained within the content uploaded to the Vasion product, solely at the discretion and control of the Data Exporter or its end users.

Special categories of data

The personal data processed may contain the following special categories of data: any category of special data that may be contained within the content uploaded to the Vasion product, solely at the discretion and control of the Data Exporter or its end users.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The Data Exporter has contracted with the Data Importer for certain software services. In its use of the software services the Data Exporter will upload certain personal data into the software’s database which will be stored on servers in the United States unless the Data Exporter is located in the United Kingdom or the EEA in which case the data will be stored on servers in the EEA. The data may be accessed, on the Data Exporter’s request, by the Data Importer in order to provide technical support services. The personal data will be processed for the duration of the contract for software services and for a further period of sixty (60) days to allow appropriate time for deletion and any requested return of the data to the Data Exporter.

Nature of the processing

The personal data processed will be subject to the following basic processing activities:

Use of the Vasion product does not typically require active use of or access to any data including personal data that Data Exporter or its end users upload to the product, except where it is necessary for Vasion to provide technical support to the Data Exporter at the Data Exporter’s request. Vasion merely offers technologies that its customers can use to store, retrieve, archive and share their data.

Data Exporter warrants to the Data importer that where consent must be obtained to process the personal data, it has obtained such consent and that it has fully complied with its obligations in this regard.

Purpose(s) of the data transfer and further processing

The Data Exporter and/or its affiliate(s) have contracted with the Data Importer for a licence to use the Vasion product. In its use of the product the Data Exporter will upload content which may include personal data into the product which will be stored on servers according to where the Data Exporter is located. In accordance with the settings selected by the Data Exporter and its users, solely at their discretion, the Data Importer will permit the content including any personal data to be retrieved by the Data Exporter’s users from (i) the product and (ii) via elected third party products and services. The Data Importer does not have access to the content, including any personal data, unless access is required for the provision of technical services and is authorised by the Data Exporter’s IT representatives.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The personal data will be processed for the duration of the contract for products or services and for a further period of sixty (60) days to allow appropriate time for deletion and any requested return of the data to the Data Exporter.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

At the time of writing the Vasion solution is built and resides in Amazon Web Services (AWS). AWS is used to host the solution. PrinterLogic Software does not utilize any other sub processors (or third-party providers) to access, process, or store customer data.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

As determined by the parties.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The technical and organisational measures will differ depending on which application/product is being used, see below for further details.

PRINT DRIVER MANAGEMENT SOFTWARE AKA PRINTERLOGIC SAAS AND ON-PREMISE OFFERINGS (“PrinterLogic Software”)

PrinterLogic SaaS solution is built and resides in Amazon Web Services (AWS). Details of physical security implementation for AWS are found both at www.infrastructure.aws and https://aws.amazon.com/compliance/data-center/controls/

For the PrinterLogic Software, Vasion follows the ISO 27001 framework for governance and operations and further follows the OWASP SAMM framework for design, implementation and verification. Vasion anticipates obtaining ISO 27001 certification by Q3, 2022.

System Access Control:

Vasion prevents unauthorized access to data processing systems as follows:

– Supports role-based access control (RBAC) for system administrators. Multi-factor authentication is required to access the production environment containing customer data.

– Ensures that all computers accessing Customer data (this includes remote access) are password protected after boot sequences and have encrypted disks.

– Has dedicated user IDs for authentication against systems user management for every individual,

– Assigns individual user passwords for authentication,

– Ensures that the access control is supported by an authentication system,

– Only grants system access to Vasion’s authorized personnel and/or to permitted employees of Vasion’s subcontractors and strictly limits such persons’ access to applications which process personal data as required for those persons to fulfil their function,

– Implements a password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password and requires the regular change of passwords,

– Ensures that passwords are always stored in encrypted form,

– Has a proper procedure to deactivate user accounts, when user leaves company or function, and

– Has a proper process to adjust administrator permissions when an administrator leaves company or function.

Processing of Personal Data:

Vasion protects Customer personal data it processes or stores in the PrinterLogic Software it provides to customers, as follows:

  • Persons entitled to use data processing systems shall gain access only to the data to which they have a right of access, and personal data will not be copied, modified or removed without authorization in the course of processing. Including, without limitation, Vasion:

– Restricts access to files and programs based on a “need-to-know-basis”,

– Only grants access to Vasion personnel and assigns minimal permissions to access data as needed to fulfil their function.

  • The responsibilities for the processing of personal data are clearly described (controller, processor, sub-processor, etc.)
  • Vasion requires its employees and subcontractors (if applicable) to maintain confidentiality with respect to personal data and other confidential information of which they become aware in the course of providing services.
  • Applicable Vasion employees receive appropriate privacy and data protection training to the extent that these matters are of importance to their work.
  • Personal data made available to Vasion in the course of its services is used solely for the agreed-upon purpose. Therefore, Vasion only processes personal data temporarily and for its intended purpose. At the end of the contract, after the completion of providing the agreed-upon services or upon the request of the customer, Vasion promptly returns or irretrievably deletes all customer data. In this regard, any supplemental agreements shall be taken into account.

Data Security and Preservation Controls:

Vasion takes the following measures to protect customer data.

  • For encryption and protection of data during transmission and storage, all data is transported over HTTPS using TLS and encrypted at rest with AWS RDS database encryption using AES.
  • Customer data is backed up daily/weekly. Daily backups are kept for seven days, weekly backups are kept for six months. Backup objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
  • For data recovery and business resiliency, Vasion utilizes multiple availability zones within AWS. In the extreme event that all availability zones become unavailable, Vasion can utilize CloudFormation templates to rebuild infrastructure in a different region.
  • Vasion separates customer data to prevent malicious or compromised users from affecting the service or data of another service.
  • Vasion governs security to coordinate and direct its overall approach to the management of the service and information within industry standard security policies and security standards, defined responsibilities and risk based decision-making authority processes.
  • Operational Security – Vasion has processes and procedures in place to ensure the operational security of the service provided including configuration and change management, security patch management, vulnerability management, protective monitoring, security incident management and secure decommissioning.
  • Secure Development – Vasion ensures that all software it develops and provides as part of its service has been developed following a secure software development lifecycle process which includes industry best practices for achieving and sustaining required security qualities for confidentiality, integrity and availability protection.
  • Vasion ensures that the methods used by administrators to manage the operational service are designed to mitigate any risk of exploitation that could undermine the security of the service. Remote administration sessions must be encrypted and use at least two-factor authentication, and access to the systems administered must be restricted by IP addresses used by the Contractor by means of access control lists.
  • Vasion monitors and documents the reliability, maintainability, serviceability and availability of a system or service on a continuous basis. For the PrinterLogic SaaS solution, Vasion provides a Service Level Agreement identifying a minimum availability of 99.5% per month.

VASION BUSINESS PROCESS AUTOMATION PRODUCT (E-SIGNATURE, CAPTURE, WORKFLOW, and STORAGE) “Vasion Product”

Vasion Business Process Automation solution (including E-Signature, Capture, Workflow, and Storage) is built and resides in Amazon Web Services (AWS). Details of physical security implementation for AWS are found both at www.infrastructure.aws and https://aws.amazon.com/compliance/data-center/controls/

System Access Control:

Vasion prevents unauthorized access to data processing systems as follows:

– Supports role-based access control (RBAC) for system administrators. Multi-factor authentication is required to access the production environment containing customer data.

– Ensures that all computers accessing Customer data (this includes remote access) are password protected after boot sequences and have encrypted disks.

– Has dedicated user IDs for authentication against systems user management for every individual,

– Assigns individual user passwords for authentication,

– Ensures that the access control is supported by an authentication system,

– Only grants system access to Vasion’s authorized personnel and/or to permitted employees of Vasion’s subcontractors and strictly limits such persons’ access to applications which process personal data as required for those persons to fulfil their function,

– Implements a password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password and requires the regular change of passwords,

– Ensures that passwords are always stored in encrypted form,

– Has a proper procedure to deactivate user accounts, when user leaves company or function, and

– Has a proper process to adjust administrator permissions when an administrator leaves company or function.

Processing of Personal Data:

Vasion protects Customer personal data it processes or stores in the service it provides to customers, as follows:

– Persons entitled to use data processing systems shall gain access only to the data to which they have a right of access, and personal data will not be copied, modified or removed without authorization in the course of processing. Including, without limitation, Vasion

-Restricts access to files and programs based on a “need-to-know-basis”,

-Only grants access to Vasion personnel and assigns minimal permissions to access data as needed to fulfil their function.

– The responsibilities for the processing of personal data are clearly described (controller, processor, sub-processor, etc.).

– Vasion requires its employees and subcontractors (if applicable) to maintain confidentiality with respect to personal data and other confidential information of which they become aware in the course of providing services.

– Applicable Vasion employees receive appropriate privacy and data protection training to the extent that these matters are of importance to their work.

– Personal data made available to Vasion in the course of its services is used solely for the agreed-upon purpose. Therefore, Vasion only processes personal data temporarily and for its intended purpose. At the end of the contract, after the completion of providing the agreed-upon services or upon the request of the customer, Vasion promptly returns or irretrievably deletes all customer data. In this regard, any supplemental agreements shall be taken into account.

Data Security and Preservation Controls:

Vasion takes the following measures to protect customer data.

– For encryption and protection of data during transmission and storage, all data is transported over HTTPS using TLS and is encrypted at rest with AWS RDS database encryption using AES.

– Customer data is backed up daily/weekly. Daily backups are kept for seven days; weekly backups are kept for six months. Backup objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).

– For data recovery and business resiliency, Vasion utilizes multiple availability zones within AWS. In the extreme event that all availability zones become unavailable, Vasion can utilize CloudFormation templates to rebuild infrastructure in a different region.

– Vasion separates customer data to prevent malicious or compromised users from affecting the service or data of another service.

– Vasion governs security to coordinate and direct its overall approach to the management of the service and information within industry standard security policies and security standards, defined responsibilities and risk based decision-making authority processes.

– Operational Security – Vasion has processes and procedures in place to ensure the operational security of the service provided including configuration and change management, security patch management, vulnerability management, protective monitoring, security incident management and secure decommissioning.

– Secure Development – Vasion ensures that all software it develops and provides as part of its service has been developed following a secure software development lifecycle process which includes industry best practices for achieving and sustaining required security qualities for confidentiality, integrity and availability protection.

– Vasion ensures that the methods used by administrators to manage the operational service are designed to mitigate any risk of exploitation that could undermine the security of the service. Remote administration sessions must be encrypted and use at least two-factor authentication, and access to the systems administered must be restricted by IP addresses used by the Contractor by means of access control lists.

– Vasion ensures that it monitors and documents the reliability, maintainability, serviceability and availability of a system or service on a continuous basis. Vasion provides a Service Level Agreement identifying a minimum availability of 99.5% per month.

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

1 Name: Amazon Web Services

Address: www.amazon.com

Contact person’s name, position and contact details: N/A


Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Cloud hosting.

ANNEX IV

Amendment to Standard Contractual Clauses

The parties hereby agree that the following amendments are made in accordance with Clause 2(a) of the Standard Contractual Clauses and shall apply as between the parties:

1. Documentation & Compliance (Clause 8.9)

Subclauses 8.9 (c), (d) and (e) are deleted in their entirety and replaced respectively with the following:

“(c) The parties agree that the data importer shall in accordance with Article 28 of the GDPR and at the request of the data exporter once in any twelve month period submit its data-processing facilities for audit of the processing activities covered by these Standard Contractual Clauses which shall be carried out by a tier one auditing firm bound by a duty of confidentiality (which the data importer may require to be made directly with it).

(d) The parties agree that (i) where the data importer has achieved relevant certification it shall be permitted to substitute evidence of such certification in place of the requirement to submit to an audit under this clause and (ii) where the data importer has already undergone an audit within the previous three (3) year period then it shall be permitted to provide a copy of the resulting report to the data exporter as evidence of its compliance with the relevant data protection laws. The foregoing is subject to the provision that any resulting report shall be maintained as strictly confidential, an original copy is promptly provided to the importer by or on behalf of the exporter and all intellectual property rights in the report and its contents shall be deemed to be those of the importer.

(e) Any audit that is deemed necessary in accordance with this paragraph shall be subject to:

(i) the data exporter giving the data importer reasonable prior notice of such information request, audit and/or inspection and in any event not less than 10 working days;

(ii) the parties mutually agreeing upon the scope, timing and duration of the audit;

(iii) all parties ensuring that all information obtained or generated by the audit in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by applicable law);

(iv) ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to the data importer’s business, any sub-processors’ business and the business of other customers of the data importer; and

(v) paying the data importer’s reasonable charges for assisting with the provision of information and allowing for and contributing to inspections and audits.”

2. Use of Subprocessors  (Clause 9)

The following shall be inserted at the end of subclause 9(a):

“The parties agree that any changes, deletions or modifications made to the subprocessors may be notified to the data exporter via email unless the data importer has previously notified the data exporter in writing that it wishes to notify via publication on its website.”

3. Liabilities (Clause 12)

3.1 A new subclause 12(h) is inserted as follows:

“Notwithstanding anything to the contrary in this Clause 12, if one party is held liable for a violation of the clauses committed by the other party or otherwise suffers any damage resulting from or connected to such violation, the defaulting party shall be liable for direct damages, costs, charges, damages, expenses or losses the non-defaulting party has incurred provided that such liability shall be limited to direct damages only (excluding any indirect, exemplary, incidental, special or consequential damages) and shall be limited to a sum equal to the fees paid to Vasion by the Customer in the 12 months preceding the occurrence of the event triggering the damages.”

3.2 A new subclause 12(i) is inserted as follows:

“Nothing in subclause 12(h) shall be construed so as to limit or restrict the rights of the data subject including the right to compensation to the extent that such restriction is not permitted by the GDPR or these Standard Contractual Clauses.”

UK Addendum to the EU Commission Standard Contractual Clauses

This Addendum shall be applicable to all international transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer.

Date of this Addendum:

1. The Clauses are dated on the date that they are executed or otherwise accepted by the data exporter.

This Addendum is effective from the same date as the Clauses.

Background:

2. The Information Commissioner considers this Addendum provides appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Articles 46 of the UK GDPR and, with respect to data transfers from controllers to processors and/or processors to processors.

Interpretation of this Addendum

3. Where this Addendum uses terms that are defined in the Annex those terms shall have the same meaning as in the Annex.

In addition, the following terms have the following meanings:

– This Addendum means this Addendum to the Clauses

– The Annex  means the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021

– UK Data Protection Laws  means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

– UK GDPR means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

– UK means the United Kingdom of Great Britain and Northern Ireland

4. This Addendum shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR.

5. This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.

6. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

7. In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.

Incorporation of the Clauses

8. This Addendum incorporates the Clauses which are deemed to be amended to the extent necessary so they operate:

a. for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and

b. to provide appropriate safeguards for the transfers in accordance with Articles 46 of the UK GDPR Laws.

9. The amendments required by Section 7 above, include (without limitation):

a. References to the “Clauses” means this Addendum as it incorporates the Clauses

b. Clause 6 Description of the transfer(s) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”

c. References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.

d. References to Regulation (EU) 2018/1725 are removed.

e. References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”

f. Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the Information Commissioner;

g. Clause 17 is replaced to state “These Clauses are governed by the laws of England and Wales”.

h. Clause 18 is replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”

i. The footnotes to the Clauses do not form part of the Addendum.

Amendments to this Addendum

10. The Parties may agree to change Clause 17 and/or 18 to refer to the laws and/or courts of Scotland or Northern Ireland.

11. The Parties may amend this Addendum provided it maintains the appropriate safeguards required by Art 46 UK GDPR for the relevant transfer by incorporating the Clauses and making changes to them in accordance with Section 7 above.

Executing this Addendum

12. The Parties may enter into the Addendum (incorporating the Clauses) in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in the Clauses. This includes (but is not limited to):

a. By adding this Addendum to the Clauses and including in the following above the signatures in Annex 1A: “By signing we agree to be bound by the UK Addendum to the EU Commission Standard Contractual Clauses dated:” and add the date (where all transfers are under the Addendum) “By signing we also agree to be bound by the UK Addendum to the EU Commission Standard Contractual Clauses dated” and add the date (where there are transfers both under the Clauses and under the Addendum) (or words to the same effect) and executing the Clauses; or

b. By amending the Clauses in accordance with this Addendum, and executing those amended Clauses.