PAID MEDIA TERMS & CONDITIONS FOR THE SUPPLY OF SERVICES

 

These Terms are dated and come into effect on the date of signature on the accompanying IO.

These Terms and Conditions (“Terms”) are incorporated into each IO executed by the Supplier with the Company, and shall apply to and be incorporated or deemed incorporated into any agreement between the Company and the Client for the provision of Services. The IO, these Terms and Data Protection Agreement in Schedule 1 are, collectively, this “Contract”. By executing the IO, Supplier agrees to these Terms.

1            INTERPRETATION

1.1           The following definitions and rules of interpretation in this condition apply in these Terms.

Ads: means any ad format agreed to be part of the Services in the IO, including but not limited to digital ads, print, radio, podcast, TV, video, webinars, digital events or partnership activity.

Assets: includes but is not limited to whitepapers, thought leadership papers, reports, research papers, webinars, creative advertisements, digital banners, audio-visual or social posts.

Client: means a customer of the Company or any of its approved agents or representatives.

Company: meaning Realm B2B. The Realm entity entering into this Contract shall depend on the location of the Supplier. For Suppliers identified within the IO as in Europe, the Realm contracting entity to this DPA is Realm B2B Ltd, The Annexe, 164 Chartridge Lane, Chesham, HP5 2SE, United Kingdom (company number 13065658).  For Suppliers identified in the IO as outside of Europe, the Realm contracting entity to this DPA is Realm B2B Inc, 16192 Coastal Hwy, Lewes, Delaware 19958.

Contract: means the IO between the Supplier and Company for the supply and purchase of the Services, together with these Terms, which shall come into existence in accordance with condition 2.2.

Data Protection Legislation: means (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), the Law Enforcement Directive (Directive (EU) 2016/680) and any applicable national implementing Laws as amended from time to time; (ii) the Data Protection Act 2018 (as amended or replaced from time to time); (iii) the California CCPA and its amendment CPRA; (iv) Virginia VCDPA; (v) Colorado ColoPA; and (vi) any and all other applicable laws about the processing of Personal Data and privacy that apply to the Parties in the performance of their obligations under the Contract. Data Controller, Data Processor, Data Subject, Personal Data and to Process data have the meanings given to them in the Data Protection Legislation.

Deliverables: all Documents, products and materials developed by the Supplier or its agents, subcontractors and employees in relation to the Services in any form, including but not limited to content, advertising, webinars, computer programs, data, reports, printed matter and specifications (including drafts).

Disclosing Party: means the party disclosing Confidential Information to the other party, including any Affiliate of such other party.

Document: includes, without limitation, in addition to any document in writing, any drawing, map, plan, diagram, design, picture or other image, tape, disk or other device or record embodying information in any form.

DPA: means the Data Processing Agreement at Schedule 1 of this Contract.

Client Content: any media and advertising content (including without limitation, multimedia images, visual design, graphic elements, audio, video, text, data, objects, scripts) or any marketing information used by or proposed to be used by the Client.

In-put Material: all Documents, information and materials provided by Company relating to the Services including (without limitation), client content, computer programs, data, reports and specifications.

Insertion Order (or IO): the Company’s insertion order, including the details of the project or Media Buy for the Client.

Intellectual Property Rights: all patents, rights to inventions, utility models, copyright and related rights, trademarks, service marks, trade, business and domain names, rights in trade dress or get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database right, topography rights, moral rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications for and renewals or extensions of such rights, and all similar or equivalent rights or forms of protection in any part of the world.

Media Buy: any purchases by the Company of any advertising or promotion on or by television, radio, print, digital display, programmatic, content syndication, search, social media, ABM or any other form of media or communication technology or instrument;

Platform: Any technology platform owned by the Supplier which may be leveraged in provision of the Services. This can include, but is not limited to, Programmatic Platforms, Reporting Platforms or Bid Management Platforms where the Company is provided access to log in and manage the Services directly.

Receiving Party: means the party receiving Confidential Information from the other party, including any Affiliate of such other party.

Services: the services to be provided by the Supplier under the Contract as set out in the Insertion Order and the Supplier’s obligations under the Contract together with any other services which the Company takes from the Supplier.

Supplier: the person or company to whom the Company’s Insertion Order is addressed to provide the Services to the Company.

Supplier Retained Works: means (i) Supplier’s logo, trademarks, service marks (ii) Supplier’s know-how, techniques, processes, research recommendations, ideas, algorithms, methods and trademarks (iii) pre-existing technology platforms, generic code, AI, modules or components that perform their standard or common functions; and (iv) any commercial software programs, stock images of any third parties or audio and/or music elements proprietary to Supplier or other third parties which are integrated with or incorporated into the Services.

Tax: value added tax chargeable under English law for the time being, or any similar tax chargeable in other jurisdictions.

Third Party Integrations: in order to deliver the Services the Supplier may need to provide the Company with access to Third Party Integrations. This means linkage of API or upload integrations into Supplier owned Platforms.

Work Product: means all tangible, regardless of the media on which they are embodied, materials prepared for the Company or their Client including without limitation, all reports, documents, materials and concepts delivered as part of the agreed Services in the IO.

1.2           Headings in these Terms shall not affect their interpretation.

1.3           A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).

1.4           The schedules form part of the Contract.

1.5           A reference to writing or written includes email but not faxes.

1.6           Any obligation in the Contract on a person not to do something includes, without limitation, an obligation not to agree, allow, permit or acquiesce in that thing being done.

1.7           References to conditions and schedules are to the conditions and schedules of the Contract.

2            APPLICATION OF TERMS

2.1           These Terms shall:

2.1.1           apply to and be incorporated into the Contract; and

2.1.2           prevail over any inconsistent terms or conditions contained, or referred to, in the Supplier’s quotation, confirmation of order, or specification, or other Document supplied by the Supplier, or implied by law, trade custom, practice or course of dealing.

2.2           The Supplier’s quotation for Services constitutes an offer by the Supplier to supply the services specified in the IO on these Terms. No offer placed by the Supplier shall be accepted by the Company other than by the Company and the Supplier signing a written Insertion Order, at which point the Contract will be established. The Supplier’s standard terms and conditions (if any) attached to, enclosed with or referred to in any quotation, specification, IO or other Document shall not govern the Contract.

3            COMMENCEMENT AND DURATION

3.1           The Services supplied under the Contract shall be provided by the Supplier to the Company from the date of acceptance by the Company of the Supplier’s offer in accordance with condition 2.2.

3.2           Subject to condition 13 the Services supplied under the Contract shall continue to be supplied for the period set out in the IO.

4            SUPPLIER’S RESPONSIBILITIES

4.1           The Supplier must not carry out any work for the Company unless and until a valid purchase order number has been supplied. The Supplier should refuse any job not accompanied by a purchase order number.

4.2           The Supplier shall provide the Services, and deliver the Deliverables to the Company, in accordance with the IO and shall allocate sufficient resources to the Services to enable it to comply with this obligation.

4.3           The Supplier will use and be equipped to use industry standard software in the latest versions available.

4.4           The Supplier will process Company and Client Personal Data in accordance with the Data Protection Legislation and Schedule 1.

4.5           The Supplier shall meet any reasonable performance or delivery dates specified in the IO. If the Supplier fails to do so, they must work with the Company to mutually agree a resolution in writing. If no mutual resolution can be agreed for a period of 4 weeks after the Supplier fails to perform or deliver on time, then the Company may (without prejudice to any other rights it may have):

4.5.1           terminate the Contract in whole or in part without further liability to the Supplier, other than applicable pro-rata payment for Services delivered up until termination;

4.5.2           refuse to accept any subsequent performance of the Services which the Supplier attempts to make;

4.5.3           where reasonable, ask the Supplier for a make good or restitution on the Client media.

4.6           The Supplier shall:

4.6.1           co-operate with the Company in all matters relating to the Services;

4.6.2           use reasonable skill and care in the performance of the Services;

4.6.3           while present at the Company’s premises observe, and ensure that all employees, consultants, agents and subcontractors which it engages in relation to the Services observe all health and safety rules and regulations and any other reasonable security requirements that apply at the Company’s premises;

4.6.4           notify the Company as soon as it becomes aware of any health and safety hazards or issues which arise in relation to the Services; and

4.6.5           before the date on which the Services are to start, obtain, and at all times maintain, all necessary licences and consents and comply with all relevant legislation in relation to:

4.6.5.1           Supplier’s provision of the Services; and

4.6.5.2           the use of In-put Material; and

4.6.5.3           the use of all Documents, information and materials provided by the Supplier or its agents, subcontractors, consultants or employees, relating to the Services which existed prior to the commencement of the Contract, including, without limitation, computer programs, data, reports and specifications.

4.7           The Company shall indemnify the Supplier from liability if any changes, modifications, cancellation, modification, suspension, termination or discontinuance of media programs is as a direct result of a Client being unable to provide the requisite In-put Materials in time for the copy deadline, and change in instruction or orders such as cancellation, modification, suspension, termination or discontinuance shall be borne by the Company, which has recourse against the applicable Client in its agreement with such Client.

4.8           Supplier shall not modify the In-put Materials without Company’s prior written permission. Supplier reserves the right, but does not assume any obligation, to delete In-put Materials that Supplier, in its sole discretion, deems abusive, defamatory, obscene, in violation of copyright or trademark laws, in violation of their policies, in violation of applicable laws or otherwise unacceptable.

5            COMPANY’S OBLIGATIONS

Company shall:

5.1           reasonably co-operate with the Supplier in all matters relating to the Services;

5.1.1           provide such access to the Company’s premises and information as may reasonably be requested by the Supplier and agreed with the Company in writing in advance, for the purposes of the Services;

5.1.2           provide the In-put Material in a timely manner and ensure that it is accurate in all material respects; and

5.1.3           inform the Supplier of all health and safety rules and regulations and any other reasonable security requirements that apply at the Company’s premises.

5.2           Company may not use the Services and/or Platform other than for its own internal business purposes, which include, in the case of clause 6 Media Delivery Policy fulfilling campaigns for Clients. Company shall not develop or use for any commercial purpose, nor disclose to any third party, any information or data in any form that incorporates or uses any Information, except that,

5.2.1           Company may disclose leads and campaign performance reports to Clients as applicable, only where such disclosure complies with applicable laws, its privacy policy and the data and privacy obligations set out in the Contract; provided that such Clients are contractually obligated to abide, and do abide, by the limitations on use and disclosure to which Company is bound hereunder.

5.2.2           in the case where Company wishes to use performance or audience statistics for award entries or promotion. In this case Company must obtain written consent from Supplier in advance of utilizing any Information.

6            MEDIA DELIVERY POLICY

6.1           Lead Generation Services:

6.1.1           The Supplier agrees that it will generate, capture and process leads in compliance with the Data Protection Legislation, and the Standard Contractual Clauses included in Schedule 1. The Company shall provide the leads to their Client to be used only for the purpose described in the IO, also in compliance with the Data Protection Legislation and the Standard Contractual Clauses included in Schedule 1.

6.1.2           Company will receive leads from Supplier that contain Personal Data. Supplier or its contracted service provider has received consent from such lead to provide the lead to Company for Company or their Clients’ own sales and marketing efforts. Company will contract their Clients to ensure that all leads are used for no other purpose and that Personal Data is held securely and subject to the Data Protection Legislation. Where the information consists of a lead to a resident in a nation with Data Protection Legislation, Company shall use such lead only in a manner consistent with the purpose and required disclosure set out in the Applicable Laws.

6.1.3           The Company and their Client reserve the right to return invalid leads generated by the Supplier in the provision of the Services, and not pay for their delivery. This includes, without limitation, leads which contain invalid contact information, leads which are not from the source indicated by the Supplier, are a duplicate lead or do not otherwise fulfil the criteria agreed in the IO, or other mutually agreed written Document. Where leads are rejected, the Company and the Supplier shall come to a mutually agreeable solution including speed of replacement, ability to replace or any “make-goods” as appropriate. In the event Company wishes to dispute the number and/or validity of any Lead, Company must do so within 14 days of the date the lead was first delivered.

6.1.4           The leads will be deemed to have been delivered to Company when they become available as agreed in the IO, even though Company may also be receiving the Leads in another manner. If Supplier has not delivered the number of leads specified in the IO by the campaign end date, Supplier may either extend the campaign until the ordered number of the Leads is delivered, offer a make good or credit Company for the shortfall. The specific solution to undelivered leads is to be agreed in writing by both parties on a case by case basis.

6.1.5           The cost of the leads varies depending on the type of lead, the criteria selected by Company and other factors.  Company will be informed of the price of the leads prior to entering into the applicable IO.  When Company’s IO is approved by Supplier it will indicate the total number of leads to be delivered, fees/Lead and total fees associated with the IO.

6.2           Advertising Services:

6.2.1           The Advertising Services allow the Company to purchase and target Ads based on certain criteria provided by Company or by Supplier in conjunction with Company. These are outlined and agreed in the IO.

6.2.2           When Company’s IO is approved by Supplier, the number of ads or assets to be delivered as part of the Services shall be agreed.  The price for the delivery of the Services will be as set forth in such IO. If the agreed delivery number is not delivered by the end of a campaign, unless otherwise requested by Company, Supplier may extend the campaign until full delivery is reached, offer a make good or refund any prepaid amount remaining. The specific solution to undelivered impressions is to be agreed in writing by both parties on a case by case basis.

6.2.3           Company acknowledges and agrees that while Supplier maintains a global blocklist and utilizes commercially reasonable efforts to honor Company-specified blocklists and allowlists, Supplier cannot guarantee any prohibitions on editorial adjacencies per se, and, given the imprecise nature of targeting, a user may view an Ad outside of the targeting criteria set forth on the IO. Should there be an issue in delivery outside of targeting criteria then the Supplier may offer a make good or refund for the amount run erroneously; the specific solution is to be agreed in writing by both parties on a case by case basis.

6.2.4           Supplier will deliver regular performance reports of the advertising services, as agreed in writing. If such reports contain Personal Data, Company will ensure that such data is used solely for its own or its Client’s sales and marketing efforts and for no other purpose, and that Personal Data is held securely and subject to the Data Protection Legislation.

6.2.5           Both parties shall be free to use data that is (a) collected, provided or processed in relation to their use of the Services, including campaign performance reports, and integration reports, and/or (b) accessible on or through Company’s third party Platform accounts, including provided data and in relation to Company’s campaigns using third party platforms, in aggregated and anonymized form (collectively, “Aggregated Data”) for business and marketing purposes, including improving the operation of the Services (including development, maintenance, support, and training services), developing products and services, creating benchmarks, performing research, conducting statistical analysis, and distributing aggregated statistics to clients, potential clients and the general public. Each party hereby grants the other a worldwide, non-exclusive, perpetual, royalty-free, fully paid-up license to use Aggregated Data for such purposes. Supplier may not use the name of the Company or Client in association with Aggregated Data without prior written consent.

6.2.6           From time to time, Company may engage Supplier to create Assets, reports or papers as part of the Services.  The IO shall specify the type of Asset to be created and the price associated.  Upon payment all Assets shall be owned by Company unless specified otherwise in the IO.

6.3           Platform Access:

6.3.1           The Company may be granted access to a Supplier technology Platform in order to deliver the Services. If this is agreed in the IO, then:

6.3.1.1            in consideration of Company’s payment of the applicable fees and subject to the IO, Supplier hereby grants Company a limited, non-exclusive, non-transferable, revocable right, during the term of the IO, to access and use the Platform.  In order to access and use the Platform, Company will be provided with an account (“Company Account”) as well as a username and password (“Account Credentials”).  Company may also have access to the Platform through a dashboard (“Dashboard”) and, if Company chooses and it is agreed in writing, through an application programming interface (“API”).  If Supplier provides Company with an API, Supplier hereby grants to Company a limited, non-exclusive, non-assignable, non-transferable license to such API for the sole purpose of accessing and using the Platform, unless otherwise agreed in writing.

6.3.1.2           except as expressly permitted herein, Company shall not (i) license, sublicense, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available to any third party the Platform, the API, and any technology or software used by Supplier to provide any of the foregoing, including underlying technology, trade secrets, data, content or information (collectively, “Supplier Technology”); (ii) modify, adapt, translate, make derivative works based upon any portion of, or reproduce any portion of the Supplier Technology, (iii) reverse engineer, disassemble, decompile or otherwise attempt to derive source code of any portion of the Supplier Technology, (iv) send or store infringing, or otherwise unlawful or tortious material, including material violative of third party Intellectual Property Rights (“Infringing Materials”) or any material containing malware, ransomware, software viruses, worms, Trojan horses, time bombs, cancelbots or other harmful computer code, files, scripts, agents, programs or programming routines (collectively, “Harmful Code”) to, on or through any portion of the Supplier Technology, (v) access the Platform by any means other than through the Dashboard and Account Credentials that are provided by Supplier, or attempt to gain unauthorized access thereto, (vi) disclose or allow third parties to use its Company Account or Account Credentials, (vii) use any portion of the Supplier Technology for any purpose or in any manner that is unlawful or prohibited by the Contract, (viii) publicly disseminate information or analysis regarding the performance of the Platform or Services, (ix) use the Platform in a manner that could reasonably be expected to damage or interfere with the proper functioning of the Platform, or (x) permit or authorize any party to do any of the foregoing.

6.3.1.3           Company is responsible for all activity occurring under its Company Account and Company shall notify Supplier immediately of any unauthorized access to or use of its Company Account or Account Credentials or any other known or suspected breach of security involving its Company Account or Account Credentials and, in such event, Company shall use reasonable efforts to stop immediately any copying, distribution or misuse of any portion of the Supplier Technology that is known or suspected by Company.

6.3.1.4           excluding each party’s indemnification obligations under section 10, if the Company’s use of the Platform is in violation of the Contract, or a party’s intentional misconduct, in no event shall either party be liable hereunder for any special, indirect, incidental or consequential damages or for lost profits regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise, even if informed of the possibility of such damages in advance. Each party’s maximum liability hereunder shall be limited to the amounts paid to Supplier hereunder in fees during the 12 months prior to the date on which the claim arose for use of the applicable service that is the subject of the claim.

6.4           Third Party Integrations:

6.4.1           Company or Supplier may select from any Third Party Integrations that are confirmed and agreed as available in the IO or other written approval. Upon successful linkage of applicable third party accounts to the Platform, Supplier will provide the following services:

6.4.1.1           Supplier will read data from the third party platform account, present such data as required on the Platform, build and update as applicable, and send engagement data and reporting as agreed in writing.

6.4.1.2           any price for Third Party Integrations will be as set forth and agreed in the IO.

6.4.1.3           each party hereby grants the other a limited right during the term of the IO to access applicable third party platform account(s) and to use the provided data to provide the Services. 

6.4.2           Company understands that use of Third Party Integrations may rely on the Company having an account with the applicable third party platforms. The Supplier makes no representation or warranty about any such third party platforms or Company’s integration therewith.

6.4.3           Each party acknowledges and agrees that (a) they will only be obligated to provide Services while they have access to and permitted use of provided data; (b) they shall have no responsibility or liability for any failure or deficiency in its provision of Services due to any limitation on its access to or permitted use of provided data for whatever reason; and (c) they are responsible for their own use of the Platform.

7            CHARGES AND PAYMENT

7.1           In consideration of the provision of the Services by the Supplier, the Company shall pay the charges, as set out in the IO, in accordance with this condition 7.

7.2           No additional costs beyond those costs included in the IO will be accepted, except where the Company has made amendments to the Services. All additional costs must be agreed in writing between the parties before any amended Services are commenced.

7.3           All charges quoted to the Company shall be exclusive of Tax, which the Supplier shall add to its invoices at the appropriate rate, if applicable. The Supplier shall only invoice the Company for Services actually delivered.

7.4           The Company shall pay each invoice which is properly due and correctly submitted to it by the Supplier within 30 days of receipt, as per the billing dates in the IO, to a bank account nominated in writing by the Supplier. Invoices submitted without the correct purchase order number will not be paid until they are revised and resubmitted.

7.5           If the Company fails to pay any amount payable by it under the Contract within 30 days of receipt, it shall have an additional time of 15 days mediation with the Supplier to pay the invoice.

7.6           If the late payment is not resolved in the additional time, the Supplier may charge the Company interest on the overdue amount from the due date up to the date of actual payment, after as well as before judgment, at the rate of:

7.6.1           if the contracted Supplier in the IO is based in Europe, then 1% per annum above the base rate for the time being of Barclays Bank. Such interest shall accrue on a daily basis and be compounded quarterly and the Company shall pay the interest on demand.

7.6.2           if the contracted Supplier in the IO is based in the US, then at the rate of 2% per annum above the Federal Reserve Bank of New York’s base rate (up to the maximum rate permitted by law). Such interest shall accrue on a daily basis and be compounded and the Company shall pay the interest on demand.

7.7           Company shall reimburse Supplier for reasonable expenses incurred in collecting past due amounts. Supplier reserves the right to suspend all or part of the Services 30 days after serving notice on the Company giving the Company the opportunity to cure its failure to pay amounts due, until such overdue amounts are paid.

7.8           Invoices covering payment in respect of materials purchased by, or services provided to, the Supplier, or for reimbursement of expenses, shall be payable by the Company only if such an arrangement has been pre-agreed and the expenses are accompanied by relevant receipts.

7.9           The Supplier shall maintain accurate records of the time spent and materials used by the Supplier in providing the Services if required in the IO. The Supplier shall allow the Company to inspect such records at all reasonable times on request, if applicable.

8            QUALITY OF SERVICES

8.1           The Supplier warrants to the Company that:

8.1.1           the Supplier will perform the Services with reasonable care and skill, in good time, and in accordance with generally recognised commercial practices and standards in the industry for similar services;

8.1.2           the Services and Deliverables will conform with all descriptions and specifications agreed between the Company and the Supplier in the IO; and

8.1.3           the Services and Deliverables will be provided in accordance with all applicable legislation from time to time in force, and the Supplier will inform the Company as soon as it becomes aware of any changes in that legislation.

8.2           The provisions of this condition 8 shall survive any performance, acceptance or payment pursuant to the Contract and shall extend to any substituted or remedial services provided by the Supplier.

9            INTELLECTUAL PROPERTY RIGHTS

9.1           The Company represents, warrants and undertakes to the Supplier that: –

9.1.1           Their Client is responsible for being the sole and unencumbered owner (or in the case of third party software, licensee, procurer and authorised licensor) of all Intellectual Property Rights in and to any In-put Material provided to the Supplier in connection with the Services, and they have a contract with their Client to that effect;

9.1.2           To the best of its knowledge, as per the Company contract with the Client, there are no existing restrictions or constraints on its right and authority to supply to the Supplier the In-put Material and that the In-put Material does not infringe any Intellectual Property Rights of any third party, and the use by the Supplier or any Media Vendor of any In-put Material will not infringe any such rights; and

9.1.3           The Company shall indemnify and keep indemnified and hold the Supplier harmless against any direct losses suffered by the Supplier arising out of or in connection with the breach of any of the above representations, warranties and undertakings.

9.1.4           The Company or their Client shall own and retain all right, title and interest in and to all Work Product delivered as part of the Services. To the extent applicable, the Company or their Client shall be deemed to be the “author” of the Work Product and all such Work Product will constitute “works made for hire” under the U.S. Copyright Act (17 U.S.C. §§ 101 et seq.) and any other applicable copyright law. The Supplier hereby waives any and all moral rights (including rights of integrity and attribution) in and to the Work Product. To the extent that any Work Product does not constitute a work made for hire, Supplier hereby assigns to the Company or their Client all right, title and interest, including all intellectual property rights therein. All Work Product will be deemed to be the confidential, proprietary and trade secret information of the Company or their Client.

9.1.5           The Supplier will retain ownership of Supplier Retained Works.  Where applicable in order to deliver the Services, the Supplier grants to the Company or their Client a nonexclusive, royalty free, revocable, worldwide license to use, reproduce and distribute, Supplier Retained Works to the extent necessary to deliver the Services under the scope of the agreed IO.

10        INDEMNITY AND LIMITATION OF LIABILITY

10.1        The Supplier shall indemnify and hold the Company harmless from all claims and all direct, indirect or consequential liabilities (including loss of profits, loss of business, depletion of goodwill and similar losses), costs, proceedings, damages and expenses (including legal and other professional fees and expenses) awarded against, or incurred or paid by, the Company as a result of or in connection with:

10.1.1        any alleged or actual infringement of any third party’s Intellectual Property Rights or other rights arising out of the use or supply of the products of the Services (including the Deliverables) in accordance with the Contract, provided that the Supplier is not obligated to indemnify Company for the foregoing to the extent arising from the Supplier’s use of (i) the detailed specifications, materials or information provided by the Company or any third party on the Company’s behalf, (ii) the modification of the Services or Deliverables by any party other than Supplier, (iii) data or materials provided to Supplier directly by the Company or any third party on the Company’s behalf (excluding their Client’s Input Materials), (iv) any third party systems, technology, or Platform, unless used at Supplier’s sole discretion, or (v) any claim by the applicable third party platform; or

10.1.2        any claim made against the Company in respect of any liability, loss, damage, injury, cost or expense sustained by the Company’s employees or agents or by any customer or third party to the extent that such liability, loss, damage, injury, cost or expense was caused by, relates to or arises from the provision of the Services or the Deliverables as a consequence of a direct or indirect breach or negligent performance or failure in performance of the Contract by the Supplier; and

10.1.3        any claim made against the Company in respect of the Supplier’s breach of Data Protection Legislation and breach of the Supplier’s obligations in Schedule 1 (the DPA).

10.2        During the term of the Contract, the Supplier shall maintain in force, with a reputable insurance company, professional indemnity insurance in an amount not less than £1,000,000 (one million pounds) and shall, on the Company’s request, produce both the insurance certificate giving details of cover and the receipt for the current year’s premium.

10.3        Nothing in this Contract limits any liability which cannot legally be limited, including (but not limited to) liability for death or personal injury caused by negligence, and fraud or fraudulent misrepresentation.

10.4        The Company shall indemnify and hold the Supplier harmless from all claims and all direct liabilities, reasonable costs, proceedings, damages and reasonable expenses (including reasonable legal and other professional fees and expenses) awarded against, or incurred or paid by, the Supplier as a result of or in connection with:

10.4.1         any claim made against the Supplier in respect of any liability, loss, damage, injury, cost or expense sustained by the Supplier’s employees or agents or by any customer or third party to the extent that such liability, loss, damage, injury, cost or expense was caused by, relates to or arises from a direct breach or negligent performance or failure in performance of the Contract by the Company.

10.5        Excluding each party’s indemnification and Data Protection Legislation obligations in this Contract and its Schedules, each party’s liability that cannot be excluded by law as detailed in condition 10.3, or a party’s intentional misconduct, in no event shall either party be liable hereunder for any special, indirect, incidental or consequential damages or for lost profits regardless of the form of action, whether in contract, tort (including negligence) strict liability or otherwise, even if informed of the possibility of such damages in advance. Each party’s maximum liability for any breach hereunder shall be limited to the amounts paid by the Company to the Supplier during the 12 months prior to the date on which a claim arose for the applicable service that is the subject of that claim.

10.6        Company agrees and acknowledges that, notwithstanding anything to the contrary, Supplier shall have no liability arising from the Company’s incorrect use or access of the Platform.

10.7        The provisions of this condition 10 shall survive termination of the Contract, however arising.

11        CONFIDENTIALITY AND COMPANY’S PROPERTY

11.1        Each party shall keep in strict confidence all Documents, In-put Material and all technical or commercial know-how, specifications, inventions, processes or initiatives which are of a confidential nature and have been disclosed to one party (“Receiving Party”) by the other Party, its employees, consultants, agents or subcontractors (“Disclosing Party”) and any other confidential information concerning the Disclosing Party’s (or, where the Disclosing Party is the Company, then its Clients’) business or products which the Receiving Party may obtain (Confidential Information). The Receiving Party shall restrict disclosure of Confidential Information to such of its employees, consultants, agents or subcontractors as need to know it for the purpose of discharging the Receiving Party’s obligations to the Disclosing Party, and shall ensure that they are subject to obligations of confidentiality corresponding to those which bind the Receiving Party. Without limiting the foregoing, Confidential Information includes the material terms (but not the existence) of the Contract.

11.2        Each party is aware of the extremely confidential nature of the Confidential Information and shall indemnify and hold the other party harmless from all claims and all direct, indirect or consequential liabilities (including loss of profits, loss of business, depletion of goodwill and similar losses), costs, proceedings, damages and expenses (including legal and other professional fees and expenses) awarded against, or incurred or paid by, the other party as a result of or in connection with any breach of this condition 11.

11.3        Confidential Information does not include any information that:

11.3.1        is or becomes generally available to the public (other than as a result of its disclosure by the Receiving Party, its employees, consultants, agents or subcontractors, in breach of this clause); or

11.3.2        was available to the Receiving Party on a non-confidential basis prior to disclosure by the Disclosing Party; or

11.3.3        was, is or becomes available to the Receiving Party on a non-confidential basis from a person who, to the Receiving Party’s knowledge, is not bound by a confidentiality agreement with the Disclosing Party or otherwise prohibited from disclosing the information to the Receiving Party; or

11.3.4        was known to the Receiving Party before the information was disclosed to it by the Disclosing Party; or

11.3.5        the parties agree in writing is not confidential or may be disclosed.

11.4        All In-put Materials and all other materials, equipment and tools, drawings, specifications and data supplied by the Company to the Supplier shall, at all times, be and remain as between the Company and the Supplier the exclusive property of the Company or Client, but shall be held by the Supplier in safe custody at its own risk and maintained and kept in good condition by the Supplier until returned to the Company. They shall not be disposed of or used other than in accordance with the Company’s written instructions or authorisation.

11.5        The provisions of this condition 11 shall survive termination of the Contract, however arising.

12        DATA PROTECTION

12.1        The Company and the Supplier acknowledge that for the purposes of the Data Protection Legislation, the Company is the Data Processor and the Supplier is a Data Controller of any Personal Data. The Company and the Supplier have agreed to enter into the legally binding provisions of Schedule 1  to this Contract.

13        TERMINATION

13.1        Without prejudice to any other rights or remedies which the parties may have, either party may terminate the Contract without liability to the other immediately on giving notice to the other if:

13.1.1        subject always to condition 7.1, the other party fails to pay any undisputed amount due and payable under the Contract on the due date for payment and remains in default not less than 30 calendar days after being notified in writing to make such overdue payment; or

13.1.2        the other party commits a material breach of any of the material terms of the Contract and (if such a breach is remediable) fails to remedy that breach within 30 calendar days of that party being notified in writing of the breach; or

13.1.3        the other party repeatedly breaches any of the terms of the Contract in such a manner as to reasonably justify the opinion that its conduct is inconsistent with it having the intention or ability to give effect to the terms of the Contract; or

13.1.4        the other party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts; or

13.1.5        the other party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with its creditors; or

13.1.6        a petition is filed, a notice is given, a resolution is passed, or an order is made, for or in connection with the winding up of that other party; or

13.1.7        an application is made to court, or an order is made, for the appointment of an administrator or if a notice of intention to appoint an administrator is given or if an administrator is appointed over the other party; or

13.1.8        a floating charge holder over the assets of that other party has become entitled to appoint or has appointed an administrative receiver; or

13.1.9        a person becomes entitled to appoint a receiver over the assets of the other party or a receiver is appointed over the assets of the other party; or

13.1.10    a creditor or encumbrancer of the other party attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced on or sued against, the whole or any part of its assets and such attachment or process is not discharged within 60 days; or

13.1.11    any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events mentioned in condition 13.1.5 to condition 13.1.10 (inclusive); or

13.1.12    the other party suspends or ceases, or threatens to suspend or cease, to carry on all or a substantial part of its business; or

13.2        On termination of the Contract for any reason, the Supplier shall promptly, and without undue delay, deliver to the Company:

13.2.1        all In-put Material and all copies of information and data provided by the Company to the Supplier for the purposes of the Contract. The Supplier shall certify to the Company that it has not retained any copies of In-put Material or other information or data, except for one copy which the Supplier may use for audit purposes only and subject to the confidentiality obligations in condition 11; and

13.2.2        all specifications, programs (including source codes) and other documentation comprised in the Deliverables and existing at the date of such termination, whether or not then complete. Where relevant all Intellectual Property Rights in such materials shall automatically pass to the Company, who shall be entitled to enter the premises of the Supplier to take possession of them at a time mutually agreed.

13.3        On termination of the Contract (however arising), the accrued rights of the parties as at termination shall not be affected and conditions 9, 10, 11, 12, 17, 20, and 23 shall survive and continue in full force and effect.

14        FORCE MAJEURE

Each party reserves the right to defer the date for performance of, or payment for, the Services, or to terminate this Contract, if it is prevented from, or delayed in, carrying on its business by acts, events, omissions or accidents beyond its reasonable control, including (without limitation) strikes, lockouts or other industrial disputes (whether involving the workforce of the affected party or any other party), failure of a utility service or transport network, act of God, war, riot, terrorist act, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, or storm.

15        VARIATION

No variation of the Contract or these Terms shall be valid unless it is in writing and signed by, or on behalf of, each of the parties.

16        WAIVER

16.1        A waiver of any right under the Contract is only effective if it is in writing and it applies only to the circumstances for which it is given. No failure or delay by a party in exercising any right or remedy under the Contract or by law shall constitute a waiver of that (or any other) right or remedy, nor preclude or restrict its further exercise. No single or partial exercise of such right or remedy shall preclude or restrict the further exercise of that (or any other) right or remedy.

16.2        Unless specifically provided otherwise, rights arising under the Contract are cumulative and do not exclude rights provided by law.

17        SEVERANCE

17.1        If any provision of the Contract (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision shall, to the extent required, be deemed not to form part of the Contract, and the validity and enforceability of the other provisions of the Contract shall not be affected.

17.2        If a provision of the Contract (or part of any provision) is found illegal, invalid or unenforceable, the parties shall negotiate in good faith to amend such provision such that, as amended, it is legal, valid and enforceable, and, to the greatest extent possible, achieves the parties’ original commercial intention.

18        ENTIRE AGREEMENT

18.1        The Contract constitutes the whole agreement between the parties and supersedes all previous agreements between the parties relating to its subject matter.

18.2        Each party acknowledges that, in entering into the Contract, it has not relied on, and shall have no right or remedy in respect of, any statement, representation, assurance or warranty (whether made negligently or innocently) (other than for breach of contract) other than as expressly provided in the Contract. Without limiting the foregoing, neither party makes any representations or warranties, whether express, statutory or implied that are not stated herein. The Services are made available as per the agreed IO.

18.3        Nothing in this condition shall limit or exclude any liability for fraud.

19        ASSIGNMENT

19.1        Neither party will, without the prior written consent of the other party, assign, transfer, charge, mortgage, subcontract or deal in any manner with all or any of its rights or obligations under the Contract, except to the acquirer of all or substantially all of the assets, equity or business of the assigned party, other than the assignment to a competitor of the other party.

19.2        Each party that has rights under the Contract is acting on its own behalf and not for the benefit of another person.

20        NO PARTNERSHIP OR AGENCY

Nothing in the Contract is intended to, or shall be deemed to, constitute a partnership or joint venture of any kind between any of the parties, nor constitute any party the agent of another party for any purpose. No party shall have authority to act as agent for, or to bind, the other party in any way.

21        RIGHTS OF THIRD PARTIES

A person who is not a party to the Contract shall not have any rights under or in connection with it, with the exception of Data Subjects as outlined in Schedule 1 (DPA).

22        NOTICES

Any notice or other communication required to be given under the Contract shall be in writing and shall be delivered personally, or sent by pre-paid first-class post, recorded delivery or by commercial courier to the other party and for the attention of the person specified in the IO, or as otherwise specified by the relevant party by notice in writing to the other party. Email notification should also be sent to the person specified in the IO.

23        NON-SOLICITATION

Each party agrees that during the term of the Contract and for 12 months thereafter, it will not encourage or solicit any employee or consultant to leave the employ of the other party; provided that, each party shall not be prohibited from employing any such person who contacts such party in response to a published general solicitation not specifically targeted at such person.

24        MONITORING

Where applicable for the delivery of the Services, the Supplier may monitor Company’s use of the Platform for violations of the Contract and any other behavior Supplier considers harmful. Supplier may provide information about Company’s use of the Platform to law enforcement authorities, data protection authorities and affected third party vendors or suppliers (e.g., exchanges, networks) at its sole discretion. Supplier may suspend the Services at any time if Company is in breach of any obligation under the Contract that is not cured within 30 days after notice from Supplier or immediately if Supplier has reasonable concerns about a security threat that could affect the Services or the data of any other user of the Services.

25        GOVERNING LAW AND JURISDICTION

25.1        This Contract, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter, shall be governed by, and construed in accordance with, the applicable laws of the contracted Company, to clarify:

25.1.1        If the Supplier is identified within the IO as in Europe, the Realm contracting entity is Realm B2B Ltd, and this Contract, and any dispute or claim, shall be governed by and construed in accordance with the laws of England and Wales.

25.1.2         If the Supplier is identified within the IO as outside of Europe, the Realm contracting entity is Realm B2B Inc, and this Contract, and any dispute or claim, shall be governed by and construed in accordance with the laws of Delaware, United States of America.

 

———————————————————————————————————————————————————————————————————————————

 

SCHEDULE 1: DATA PROTECTION AGREEMENT STANDARD CONTRACTUAL CLAUSES

Standard Contractual Clauses (“Clauses”)

Controller to Processor Covering Restricted Transfers of Personal Data

 

This Data Protection Agreement (“DPA”), including its Appendices, shall apply to any written and electronic agreement between Company and Supplier, pursuant to which Supplier provides the Services to Company. To the extent there are conflicts between the terms of the DPA and the Terms and Conditions, the terms of the DPA shall prevail. This DPA becomes effective on the IO signatory date and will remain in effect until the deletion of all Controller Data by Supplier as described in this DPA (the “Term”). The parties enter into this DPA as of the IO effective date.

Parties:

Data Processor:

For the purposes of this DPA, the Realm entity entering into this DPA as the Data Processor shall depend on the location of the Supplier. For Suppliers identified within the IO as in Europe, the Realm contracting entity to this DPA is Realm B2B Ltd, The Annexe, 164 Chartridge Lane, Chesham, HP5 2SE, United Kingdom (company number 13065658). For Suppliers identified in the IO as outside of Europe, the Realm contracting entity to this DPA is Realm B2B Inc, 16192 Coastal Hwy, Lewes, Delaware 19958.

Data Controller:

The Data Controller entering into this DPA is the Supplier named in the IO.

The purpose of this DPA is to reflect the parties’ agreement with respect to the processing of Controller Personal Data (as defined below) in connection with the Contract. The parties agree to comply with this DPA with respect to any Controller Personal Data that is imported or exported in the course of providing the Services pursuant to the Contract.

1            DEFINITIONS

1.1           Capitalized terms used but not defined in this DPA shall have the meaning given to them in the Terms and Conditions or applicable Data Protection Laws.

Affiliates: of a party is any entity (a) that the party Controls; (b) that the party is Controlled by; or (c) with which the party is under common Control, where “Control” means direct or indirect control of fifty percent (50%) or more of an entity’s voting interests (including by ownership).

 

Covered Affiliate: means any Supplier’s Affiliate that is permitted to perform the Services pursuant to the Contract between Supplier and Company, but has not signed its own IO or Contract with Company and is not a “Supplier” as defined under the Contract.

 

Controller Data: means data provided to Company by or on behalf of Supplier pursuant to the Contract.

 

Controller Personal Data: means the personal data contained within Controller Data.

 

Data Controller: the Data Controller determines the purposes for which and the means by which Personal Data is gathered, sourced and processed. In this DPA, that is the Supplier, who is also the Data Exporter.

 

Data Exporter: means a Data Controller (or, where permitted, a Processor) established in a country with Applicable Laws that transfers personal data to a Data Importer.

 

Data Importer: means a controller or processor located in a different location that receives Personal Data from the Data Exporter.

 

Data Incidents: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Personal Data transmitted, stored or otherwise processed by either Party. Data Incidents will not include unsuccessful attempts or activities that do not compromise the security of Controller Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

 

Data Processor: processes the Personal Data on behalf of the Controller to deliver the Services. In this DPA that is the Company, who is also the Data Importer.

 

Data Protection Laws / Applicable Laws: means all applicable data protection and privacy laws and regulations, and holds the same meaning as Data Protection Legislation in the Terms and Conditions of this Contract.

 

Data Subject: means the identified or identifiable living individual to whom personal data relates.

 

DPA Effective Date: is the date of signatory for the IO.

 

EEA: means the European Economic Area.

 

EU/UK Data Protection Laws: means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.

 

Personal Data: Information relating to an identified or identifiable natural person.

 

Process/Processing: in practice means anything which can be done to data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

Restricted Transfer: means (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

 

Security Measures: means the technical and organizational safeguards adopted by the Parties to protect and secure the Services and Controller Data.

 

Sensitive Data: Personal data which is on, which reveals, or which concerns: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (if used to identify a natural person), health, sex life or sexual orientation, criminal convictions and offences.

 

Special Categories of Data: Personal data which relates to an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life, or sexual orientation.

 

Standard Contractual Clauses: means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).

 

Sub-processor: means any third-party engaged by Supplier or Covered Affiliates which processes Controller Data in order to provide parts of the Services.

 

Supervisory Authority / Authority: an independent national data protection authority, such as the ICO.

 

Supplier: means the Supplier company identified within the IO acting on its own behalf and as agent for each of its Covered Affiliates.

 

Third Party: is a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process Personal Data.

1.2           The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this DPA have the meanings given in EU/UK Data Protection Laws, and the terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses, in each case irrespective of whether other Data Protection Laws apply.

2            PERSONAL DATA PROCESSING TERMS

The parties acknowledge and agree that:

2.1           With respect to Controller Personal Data, the Supplier is the controller (or, where Supplier is instructed on behalf of a third party controller, a processor on behalf of that controller) and Company is either (i) the processor or (ii) where Company is a processor on behalf of a third party controller, a sub-processor.

2.2           Each party will comply with the obligations applicable to it under the Data Protection Laws.

2.3           Parties may engage Sub-processors pursuant to Section 7 (Sub-processors).

2.4           The subject-matter of the data processing covered by this DPA is detailed in the IO. Attachment 1 of this DPA sets out the nature and purpose of the processing, the types of Controller Personal Data Supplier processes and the categories of data subjects whose personal data is processed.

2.5           When Supplier controls Controller Personal Data in the course of providing the Services, Supplier will:

2.5.1           Supplier will process Controller Personal Data in accordance with the requirements of the Applicable Laws directly relating to Supplier’s provision of Services. In the event of a conflict between Applicable Laws and this DPA, the Applicable Laws shall apply.

2.5.2           Ensure that the Personal Data have been collected, processed and transferred in accordance with the laws applicable to the Data Exporter.

2.5.3           It has used reasonable efforts to determine that the Data Importer is able to satisfy its legal obligations under these clauses.

2.5.4           It will provide the Data Importer, when so requested, with copies of relevant Data Protection Laws or references to them (where relevant, and not including legal advice) of the country in which the Data Exporter is established.

2.5.5           If Supplier is a processor itself, Supplier warrants to Company that Supplier’s instructions and actions with respect to the Controller Personal Data, including its appointment of Supplier as another processor, have been authorized by the relevant Controller.

2.5.6           For the avoidance of doubt, Supplier’s instructions to Company for the processing of Controller Personal Data shall comply with all Applicable Laws, including the EU/UK Data Protection Laws. As between Supplier and Company, Supplier shall be responsible for the Controller Data and the means by which Supplier acquired Controller Personal Data, and shall maintain such authorizations and all other approvals, consents and registrations as are required to carry out lawful personal data processing activities under Data Protection Laws.

2.5.7           Supplier, as the Data Controller and Exporter will respond to enquiries from Data Subjects and the Authority concerning processing of the Personal Data by the Data Importer, unless the parties have agreed that the Data Importer will so respond, in which case the Data Exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the Data Importer is unwilling or unable to respond. Responses will be made within a reasonable time.

2.5.8           Data Exporter will make available, upon request, a copy of the clauses to Data Subjects who are third party beneficiaries, unless the clauses contain Confidential Information, in which case it may remove such information. Where information is removed, the Data Exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the Data Exporter shall abide by a decision of the Authority regarding access to the full text of the clauses by Data Subjects, as long as Data Subjects have agreed to respect the confidentiality of the confidential information removed. The Data Exporter shall also provide a copy of the clauses to the Authority where required.

2.5.9           For the purposes of this DPA, the following is deemed an instruction by Supplier to process Controller Personal Data to provide or deliver the Services as documented in the Contract (including this DPA and any other agreement that requires processing of Controller Personal Data).  If the Supplier’s deemed instructions in the IO do not strictly comply with the Applicable Laws, Company shall notify Supplier with undue delay and cease such processing of Controller Personal Data.

2.6           When Company processes Controller Personal Data in the course of providing the Services, Company will:

2.6.1           Act as a Data Importer and process the Controller Personal Data only in accordance with Supplier’s instructions, and only to the extent necessary for the performance of the Services, unless Company is required to process Controller Personal Data for any other purpose by UK, European Union or other Applicable Law to which Company is subject. Company shall inform Supplier of this requirement before processing unless prohibited by Applicable Laws on important grounds of public interest.

2.6.2           It will process the Personal Data for purposes and data processing principles described in Attachment 1, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.

2.6.3           It will identify to the Data Exporter a contact point within its organization authorised to respond to enquiries concerning processing of the Personal Data, and will cooperate in good faith with the Data Exporter, the Data Subject and the Authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the Data Exporter, or if the parties have so agreed, the Data Importer will assume responsibility for compliance with the provisions of clause 2.5.8.

2.6.4           That it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received by the Data Exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the clauses, it will promptly notify the change to the Data Controller and/or Data Exporter as soon as it is aware, in which case the Data Controller and/or Data Exporter is entitled to suspend the transfer of data and/or terminate the Contract.

2.6.5           Notify Supplier without undue delay if, in Company’s opinion, an instruction for the processing of Controller Personal Data given by Supplier infringes Applicable Laws and cease such processing of Controller Personal Data.

2.6.6           The Company shall promptly comply with any request from the Supplier requiring the Company to stop processing, amend, transfer or delete any Personal Data.

2.6.7           The Company shall promptly inform the Supplier if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. If the Personal Data was lost or destroyed solely due to actions of the Company, the Company will restore such Personal Data at its own expense.

2.6.8           maintain appropriate records of its processing, and information to demonstrate its compliance with this clause, and permit the Supplier, or its nominated representatives, on reasonable notice to audit and inspect such records, premises or interview such personnel to assess the Supplier’s processing procedures and compliance with the terms of this clause.

2.6.9           Upon reasonable request of the Data Exporter, and at the Data Exporter’s cost, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the Data Exporter (or any independent or impartial inspection agents or auditors, selected by the Data Exporter and not reasonably objected to by the Data Importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or Supervisory Authority within the country of the Data Importer, which consent or approval the Data Importer will attempt to obtain in a timely fashion. Before the commencement of any such on-site audit, the Company and Supplier shall mutually agree upon the scope, timing, and duration of the audit. The Supplier shall promptly notify the Company and provide information about any actual or suspected non-compliance discovered during an audit. The provision in this section shall by no means derogate from or materially alter the provisions on audits as specified in the Standard Contractual Clauses.

2.6.10        It will not disclose or transfer the Personal Data to a third party data controller located outside the area covered by the Applicable Laws, unless it notifies the Data Exporter about the transfer or is agreed in writing in advance, and

2.6.10.1       the third party Data Controller processes the Personal Data in accordance with a Commission decision finding that a third country provides adequate protection, or

2.6.10.2       the third party Data Controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or

2.6.10.3       Data Subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or

2.6.10.4       with regard to onward transfers of Sensitive Data, Data Subjects have given their unambiguous consent to the onward transfer.

2.7           The parties acknowledge and agree that they will both comply with all applicable laws with respect to the processing, whether acting as either a Data Importer or Data Exporter.

3            DATA SECURITY

3.1           Both parties will implement and maintain the Security Measures as set out in Attachment 2 to have in place appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.

3.2           Each party must notify the other in writing without undue delay if the party becomes aware that their technical and organizational measures do not meet or exceed the security objectives set forth in the Security Measures.

3.3           Both parties will take reasonable steps to ensure the reliability and competence of personnel engaged in the processing of Controller Personal Data.

3.4           Company and Supplier will take appropriate steps to ensure that all of their personnel engaged in the processing of Controller Personal Data (i) comply with the Security Measures, to the extent applicable to their scope of performance, (ii) are informed of the confidential nature of the Controller Data, (iii) have received appropriate training on their responsibilities, and (iv) have executed written confidentiality agreements where required. Parties shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

3.5           If Company or Supplier becomes aware of a Data Incident, they will: (a) notify the other Party of the Data Incident within 72 hours after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Controller Data.

3.6           Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and, as applicable, steps the party recommends the other party take to address the Data Incident.

3.7           Notification(s) of any Data Incident(s) will be delivered to the other Party in writing pursuant to any notice provisions of the Contract. Each party is solely responsible for ensuring that their contact information, including Supplier’s notification email address in the IO, is current and valid, or has been updated in writing.

4            RETURN OR DELETION OF CONTROLLER DATA

4.1           Upon Supplier’s request, which may be made through the Services, Company will return or delete any Controller Data, or any portion thereof, in its possession. Unless the Applicable Law requires storage, Company will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days.

4.2           Upon expiry of the Term or upon Supplier’s request, Company shall either (a) return (to the extent such data has not been deleted by Supplier from the Services, if the functionality of the applicable Services permit) or (b) securely delete Controller Data, to the extent allowed by applicable law, in accordance with the timeframes specified in Section 4.1, as applicable.

5            DATA SUBJECT RIGHTS

For the Term:

5.1           Company will, in a manner consistent with the functionality of the Services, enable Supplier to rectify and restrict processing of Controller Data, including deletion as described in Section 4 (Return or Deletion of Controller Data);

5.2           Company will promptly, without undue delay, notify Supplier, to the extent legally permitted, if Company receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of processing, erasure, data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”); and

5.3           if Company receives any request from a Data Subject in relation to Controller Personal Data, Company will advise the Data Subject to submit his or her request to Supplier and Supplier will be responsible for responding to any such request.

5.4           Taking into account the nature of the processing, Company will assist Supplier by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of Supplier’s obligation to respond to a Data Subject Request under Applicable Laws. In addition, to the extent Supplier, in its use of the Services, does not have the ability to address a Data Subject Request, Company shall, upon Supplier’s written request, provide Supplier with reasonable cooperation and assistance to facilitate Supplier’s response to such Data Subject Request to the extent a response to such Data Subject Request is required under Applicable Laws.

5.5           The Data Processor shall have appropriate technical and organizational means, taking into account the nature of the Processing in Attachment 1, in so far as this is possible for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the following Data Subject’s rights:

5.5.1           information rights under Articles 13 and 14 of the GDPR;

5.5.2           right of access by the Data Subject under Article 15 of the GDPR;

5.5.3           right to rectification under Article 16 of the GDPR;

5.5.4           right to erasure under Article 17 of the GDPR;

5.5.5           right to restriction of processing under Article 18 of the GDPR;

5.5.6           notification regarding the right of rectification and/or erasure of Personal Data and/or restriction of processing under Article 19 of the GDPR; and

5.5.7           right to data portability under Article 20 of the GDPR.

6            DATA PROTECTION IMPACT ASSESSMENT

6.1           Upon Supplier’s written request, Company will provide Supplier with reasonable cooperation and assistance needed to fulfill Supplier’s obligation under the GDPR to carry out a data protection impact assessment related to Supplier’s use of the Services, to the extent Supplier does not otherwise have access to the relevant information, and to the extent such information is available to Company. Company will provide reasonable assistance to Supplier in the cooperation or prior consultation with the applicable data protection authority in the performance of its tasks relating to this Section 6 (Data Protection Impact Assessment) to the extent required under the Applicable Laws.

7            SUB-PROCESSORS

7.1           Each party authorizes the other’s engagement of Company’s Affiliates and third-parties as Sub-processors; provided, however, that each Sub-processor has entered into a written agreement with the party containing data protection obligations not less protective than those in this DPA and the Contract to the extent applicable to the nature of the services provided by such Sub-processor.

7.2           Each party will make available to the other its current list of Sub-processors for the Services defined in the applicable IO (“Sub-processor List”) in writing upon request. The Sub-processor List will include the identities of those Sub-processors and their corporate location.

7.3           One party may object to the other’s use of a new Sub-processor by notifying Company in writing within fifteen (15) business days after receipt of party’s notice. In the event a party objects to a new Sub-processor, as permitted in the preceding sentence, the other will use reasonable efforts to make available to them a change in the Services or recommend a commercially reasonable change to their configuration or use of the Services to avoid processing of Controller Personal Data by the objected-to Sub-processor without unreasonably burdening the Supplier.

7.4           Appointments of or transfers to Sub-processors:

7.4.1           Where either party engages Sub-processors it will do so in compliance with the terms of any applicable Standard Contractual Clauses. The subject matter, nature and duration of the Processing activities carried out by the Sub-processor will not exceed the subject matter, nature and duration of the Processing activities as described in this Attachment unless otherwise agreed in writing.

7.4.2           Where a Sub-processor is appointed by the Data Processor, they will have written authorization from the Data Controller. The Data Processor will:

7.4.2.1           ensure that a written contract is in place which, as a minimum imposes the same contract terms as this DPA.

7.4.2.2           be liable to the Data Controller for the compliance of the Sub-processor as outlined in Data Protection Law,

7.4.2.3           immediately inform the Data Controller of any incident involving the Data Processor or any of its permitted Sub-processors which has resulted in unauthorized access to or disclosure of the Controller Data in accordance with the Incident reporting clause of this DPA.

7.4.2.4           assist the Data Controller in informing Data Subjects if there has been an incident involving the Sub-Processor

7.4.2.5           assist the Data Controller in informing any relevant national data protection authority if there has been an Incident.

7.4.3           Each party shall be liable for the acts and omissions of its Sub-processor to the same extent they would be liable if performing the Services directly under the terms of this Contract.

8            COVERED AFFILIATES

8.1           The parties acknowledge and agree that, by executing the Agreement, the parties enter into the DPA on behalf of itself and as agent of any Covered Affiliates, thereby establishing a separate DPA between Supplier and each such Covered Affiliate subject to the provisions of the Contract, this Section 8 (Covered Affiliates) and Section 10 (Limitation of Liability). Each Covered Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Contract.

8.2           Where a Covered Affiliate becomes a party to the DPA, each party agrees that the other may exercise rights and seek remedies under the DPA directly against the Covered Affiliate.

9            DESCRIPTION OF THE TRANSFER

9.1           The details of the transfer of the Personal Data are specified in Attachment 1. The parties agree that Attachment 1 may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause 2.5.8. The parties may execute additional Attachments to cover additional transfers, which will be submitted to the authority where required. Attachment 1 in this DPA is drafted to cover multiple transfers.

9.2           The parties agree that when the transfer of Controller Personal Data is a Restricted Transfer, it shall be subject to the appropriate Standard Contractual Clauses, including the EU and UK SCCs.

9.2.1           For as long as it is lawfully permitted to rely on standard contractual clauses for the transfer of Personal Data to processors set out in the European Decision 2010/87/EU of 5 February 2010 (“Prior C2P SCCs”) for transfers of Personal Data from the United Kingdom, the Prior C2P SCCs shall apply between Supplier which, where Supplier is a processor on behalf of a third party controller, it enters into on behalf of that controller and Company, on basis that the optional illustrative indemnification Clause will not apply.

9.2.2           Where sub-clause 9.2.1 above does not apply, but Supplier and Company are lawfully permitted to rely on the EU SCCs for transfers of personal data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:

9.2.2.1           The EU SCCs shall also apply to transfers of such Controller Personal Data, subject to subclause below;

9.2.2.2           The UK Addendum shall be deemed executed between Supplier and Company, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Controller Personal Data.

9.2.3           If neither applies, then Supplier and Company shall cooperate in good faith to implement appropriate safeguards for Restricted Transfers of such Controller Personal Data as required or permitted by the UK GDPR without undue delay.

9.2.4           With respect to onward transfers, neither party shall participate in (nor permit any Sub-processor to participate in) any other Restricted Transfers of Controller Personal Data (whether as an exporter or an importer of the Controller Personal Data) unless the Restricted Transfer is made in full compliance with applicable Data Protection Laws and pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of the Controller Personal Data.

10        LIMITATION OF LIABILITY

10.1        Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA and the Contract between Covered Affiliates, Supplier and Company, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Contract, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together subject to any exclusions in accordance with applicable laws.

10.2        Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered:

10.2.1        Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded.

10.2.2        The liability for either party shall not exceed the total amount paid to the Supplier by the Company under the terms of the Contract during the 12 month period immediately prior to the date on which the act or omission causing the liability arose.

10.2.3        Each party shall be liable to Data Subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the Data Exporter under its Data Protection Law.

10.3        The parties agree that a Data Subject shall have the right to enforce as a third party beneficiary relevant clauses as per the Applicable Laws against the Data Importer or the Data Exporter, for their respective breach of their contractual obligations, with regard to their Personal Data, and accept jurisdiction for this purpose in the Data Exporter’s country of establishment. In cases involving allegations of breach by the Data Importer, the Data Subject must first request the Data Exporter to take appropriate action to enforce their rights against the Data Importer; if the Data Exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the Data Subject may then enforce their rights against the Data Importer directly. A Data Subject is entitled to proceed directly against a Data Exporter that has failed to use reasonable efforts to determine that the Data Importer is able to satisfy its legal obligations under these clauses (the Data Exporter shall have the burden to prove that it took reasonable efforts).

10.4        In the event of a dispute between the Data Importer and the Data Exporter concerning any alleged breach of any provision of these clauses, such dispute shall be finally settled under the rules of arbitration of the International Chamber of Commerce by one or more arbitrators appointed in accordance with the said rules. The place of arbitration shall be the United Kingdom.

10.5        Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between this DPA and the remaining terms of the Contract, this DPA will govern.

11        MEDIATION & JURISDICTION

11.1        In the event of a dispute or claim brought by a Data Subject or the Authority concerning the processing of the Personal Data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.

11.2        The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.

11.3        The parties agree that if a Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the clauses, they will accept the decision of the Data Subject:

11.3.1        To refer the dispute to mediation, by an independent person or, where applicable, by the Commissioner;

11.3.2        To refer the dispute to the UK courts

11.4        The clauses and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter, shall be governed by, and construed in accordance with, the laws of England and Wales. The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Contract or its subject matter or formation.

11.5        The parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of National or International Law.

12        COOPERATION WITH SUPERVISORY AUTHORITIES

12.1        The Data Exporter agrees to deposit a copy of this contract with the Authority if it so requests or if such deposit is required under the Applicable Laws

12.2        The parties agree that the Authority has the right to conduct an audit of the Data Importer, and of any Sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under Applicable Laws.

12.3        The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Sub-processor preventing the conduct of an audit of the Data Importer, or of any Sub-processor. In such a case the Data Exporter shall be entitled to take measures foreseen in Clause 2.6.4 of this DPA.

13        TERMINATION

13.1        Either party may terminate this DPA in line with the termination provisions in the Contract.

13.2        In the event that the Data Importer is in breach of its obligations under these clauses, then the Data Exporter may temporarily suspend the transfer of Personal Data to the Data Importer until the breach is repaired or the Contract is terminated.

13.3        In the event that:

13.3.1        the transfer of Personal Data to the Data Importer has been temporarily suspended by the Data Exporter for longer than one month pursuant to paragraph 13.2;

13.3.2        compliance by the Data Importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import;

13.3.3        the Data Importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses;

13.3.4        a final decision against which no further appeal is possible of a competent court of the Data Exporter’s country of establishment or of the Authority rules that there has been a breach of the clauses by the Data Importer or the Data Exporter; or

13.3.5        a petition is presented for the administration or winding up of the Data Importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs

13.4        then the Data Exporter, without prejudice to any other rights which it may have against the Data Importer, shall be entitled to terminate these clauses, in which case the Authority shall be informed where required. In cases covered by 13.3.1, 13.3.2, or 13.3.4 above the Data Importer may also terminate these clauses.

13.5        Either party may terminate these clauses according to GDPR if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the Data Importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.

13.6        The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause 13.5) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the Personal Data transferred.

14        VARIATION

14.1        The parties may not modify these clauses except to update any information in Attachment 1 in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.

15        ASSIGNMENT

15.1        This DPA shall not be transferred or assigned by either party except with the prior written consent of the other.


_________________________________________________________________________________________

 

ATTACHMENT 1 TO THE DATA PROCESSING ADDENDUM

Data Processing Principles & Description of Processing Activities

 

1            DATA PROCESSING PRINCIPLES

1.1           Purpose limitation: Personal Data may be processed and subsequently used or further communicated only for purposes described in Attachment 1 or subsequently authorized by the Data Subject.

1.2           Data quality and proportionality: Personal Data must be accurate and, where necessary, kept up to date. The Personal Data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.

1.3           Transparency: Data Subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the Data Exporter. The Data Controller will inform Data Subjects of such transfers in a privacy statement at the point of data capture.

1.4           Security and confidentiality: Technical and organizational security measures must be taken by the Data Controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, presented by the processing. Any person acting under the authority of the Data Controller, including a Processor, must not process the data except on instructions from the Data Controller.

1.5           Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC under GDPR, Data Subjects must, whether directly or via a third party, be provided with the personal information about them that an organization holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the Data Exporter.

1.5.1           Provided that the Authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the Data Importer or other organizations dealing with the Data Importer and such interests are not overridden by the interests for fundamental rights and freedoms of the Data Subject. The sources of the Personal Data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated.

1.5.2           Data Subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organization may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort.

1.5.3           A Data Subject must also be able to object to the processing of the Personal Data relating to them if there are compelling legitimate grounds relating to their particular situation. The burden of proof for any refusal rests on the Data Importer, and the Data Subject may always challenge a refusal before the Authority.

1.6           Sensitive data: The Data Importer shall take such additional measures (e.g. relating to security) as are necessary to protect such Sensitive Data in accordance with its obligations as a Data Importer. It is not anticipated as part of this Contract that any Sensitive Data will be Processed by the Data Importer.

1.7           Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the Data Subject at any time to “opt-out” from having their data used for such purposes.

1.8           Automated decisions: For purposes hereof “automated decision” shall mean a decision by the Data Exporter or the Data Importer which produces legal effects concerning a Data Subject or significantly affects a Data Subject and which is based solely on automated processing of Personal Data intended to evaluate certain personal aspects relating to them, such as their performance at work, creditworthiness, reliability, conduct, etc. The Data Importer shall not make any automated decisions concerning Data Subjects, except when:

1.8.1           such decisions are made by the Data Importer in entering into or performing a contract with the Data Subject, and

1.8.2           the Data Subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to those parties, or

1.8.3           where otherwise provided by the law of the Data Exporter.

2            DATA SUBJECTS

2.1           The Personal Data transferred shall be clarified in the IO, and can conceivably cover the following categories of Data Subjects:

2.1.1           staff including volunteers, agents, temporary and casual workers

2.1.2           customers and clients (including their staff)

2.1.3           suppliers (including their staff)

2.1.4           members or supporters

2.1.5           shareholders

2.1.6           associates of the data subject

2.1.7           correspondents and enquirers

2.1.8           advisers, consultants and other professional experts

2.1.9           Business personal marketing contacts (existing and net new customers of the Client)

3            DESCRIPTION OF PROCESSING ACTIVITIES

3.1           Categories of Data Subjects whose Personal Data is controlled by the Supplier:

3.1.1           The Supplier, acting as the Data Exporter, may transfer Personal Data from individuals gathered via media and marketing methods. For the purposes of this Contract, the purpose shall be to provide advertising, marketing and public relations for the Company or their Clients' business or activity, goods or services.

3.1.2           The Data Exporter is using the Personal Data which is being transferred for the following purposes or activities:

3.1.2.1           Advertising, marketing and public relations of the Data Exporter’s own business or activity, goods or services.

3.1.2.2           Advertising, marketing and public relations for others, including public relations work, advertising and marketing, host mailings for other organizations, and list broking.

3.1.2.3           Data analytics, including profiling

3.1.2.4           IT, digital, technology or telecom services, including use of technology products or services, telecoms and network services, digital services, hosting, cloud and support services or software

3.1.2.5           Media services.

3.1.2.6           Research in any field, including market research.

Categories of data subjects whose personal data is transferred by the Company:

3.1.3           Company, acting as the Data Importer, may process Personal Data from net new or engaged marketing contacts via demand activities (sourced and controlled by the Supplier).

3.2           Categories of Data Subjects whose Personal Data is controlled by the Company:

3.2.1           The Company, acting as the Data Importer, may process Personal Data from individuals gathered via media and marketing methods. For the purposes of this Contract, the purpose shall be to provide advertising, marketing and public relations for the Company or their Clients' business or activity, goods or services.

3.2.2           The Data Importer is using the Personal Data which is being transferred for the following purposes or activities:

3.2.2.1           Advertising, marketing and public relations of the Data Importer’s own or Client’s business or activity, goods or services.

3.2.2.2           Advertising, marketing and public relations for others, including public relations work, advertising and marketing, host mailings for other organizations, and list broking.

3.2.2.3           Data analytics, including profiling

3.2.2.4           IT, digital, technology or telecom services, including use of technology products or services, telecoms and network services, digital services, hosting, cloud and support services or software

3.2.2.5           Media services.

3.2.2.6           Research in any field, including market research.

Categories of data subjects whose personal data is transferred by the Company:

3.3           The Personal Data transferred concern the following categories of data:

3.3.1           As Supplier and Company work together to deliver the Services they may interchange personal employee data, in the nature of email address, phone number, job title etc.

3.3.2           Marketing activity can generate personal details as contact level information from prospective customers for the Company or their Client. The data fields can include: First Name, Last Name, Email, Phone Number, Company, Geography, Job Title, Address.

3.3.3           Employment details, including information relating to the employment of the Data Subject, including employment and career history, recruitment and termination details, attendance records, health and safety records, performance appraisals, training records and security records.

3.4           Sensitive Data, or special categories of Personal Data:

3.4.1           Sensitive data transfers by the Supplier (if applicable) will apply restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restriction for onward transfers or additional security measures.

3.4.2           No special categories of Personal Data will be transferred.

3.5           Nature of the processing:

3.5.1           Leads, marketing data and customer segments generated via the Services shall be processed on GDPR/DPA compliant systems and securely uploaded to Client or Supplier directed destinations.

3.5.2           The Personal Data transferred will be subject to the following basic processing activities:

3.5.2.1           Receiving data, including collection, accessing, retrieval, recording, and data entry.

3.5.2.2           Holding data, including storage, organization and structuring.

3.5.2.3           Using data, including analyzing, consultation, testing, automated decision making and profiling.

3.5.2.4           Updating data, including correcting, adaptation, alteration, alignment and combination.

3.5.2.5           Protecting data, including restricting, encrypting, and security testing.

3.5.2.6           Sharing data, including disclosure, dissemination, allowing access or otherwise making available.

3.5.2.7           Returning data to the Data Exporter or Data Subject.

3.5.2.8           Erasing data, including destruction and deletion.

3.6           Purpose(s) of the data transfer and further processing:

3.6.1           Supplier shall source and Control the Personal Data for Company and their Client prospects/customers under B2B marketing with legitimate interest, in accordance with legal requirements and the terms of this DPA.

3.6.2           Company shall process Personal Data for the Supplier and their Client prospects/customers under B2B marketing with legitimate interest, in accordance with legal requirements and the terms of this DPA.

3.6.3           The Personal Data may be transferred to categories of recipients including Clients, secure and compliant marketing or lead management platforms or CRM systems.

3.7           The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

3.7.1           Both parties will only retain the personal data for the length of time required to deliver the services and/or remain compliant with all Applicable Laws.

3.7.2           Standard practice for the Company is for the Personal Data to be immediately processed into a Client environment, and then subject to their data retention terms. If that is not possible, then Company erases personal data as soon as it is securely transferred and recognized, unless local Laws require storage for any reason.

 

 

_______________________________________________________________________________________________________

 

ATTACHMENT 2 TO THE DATA PROCESSING ADDENDUM

SECURITY MEASURES

CONTROLLER SECURITY STATEMENT:

To the extent not otherwise provided for in the Contract: (a) Supplier will implement appropriate administrative, organizational, and technical security measures prior to and during Control or Processing of any Controller Data to protect against, without limitation, the accidental, unlawful or unauthorized access to or use, transfer, destruction, loss, alteration, commingling, disclosure or processing of Controller Data and ensure a level of security appropriate to the risks presented by the controlling or processing of Controller Data and the nature of such Controller Data, and these measures shall remain in place throughout the duration of processing or possession of Controller Data; (b) Supplier will source and treat Controller Data with strict confidence and take all reasonable steps to ensure that persons employed and/or persons engaged at their place(s) of business who will process Controller Data are aware of and comply with the DPA and are under a duty of confidentiality with respect to Controller Data no less restrictive than the duties set forth herein; (c) Supplier will not transfer Controller Data to third parties except under written contracts that guarantee at least a level of data protection and information security as provided for herein.

 

PROCESSOR SECURITY STATEMENT:

To the extent not otherwise provided for in the Contract: (a) Company will implement appropriate administrative, organizational, and technical security measures prior to and during processing of any Supplier Controller Data to protect against, without limitation, the accidental, unlawful or unauthorized access to or use, transfer, destruction, loss, alteration, commingling, disclosure or processing of Controller Data and ensure a level of security appropriate to the risks presented by the processing of Controller Data and the nature of such Controller Data, and these measures shall remain in place throughout the duration of the processing or possession of Controller Data; (b) Company will treat Controller Data with strict confidence and take all reasonable steps to ensure that persons employed and/or persons engaged at their place(s) of business who will process Controller Data are aware of and comply with the DPA and are under a duty of confidentiality with respect to Controller Data no less restrictive than the duties set forth herein; (c) Company will not transfer Controller Data to third parties except under written contracts that guarantee at least a level of data protection and information security as provided for herein.

 

Both parties will implement at least the following specific security measures:

1   DATA CENTER AND NETWORK SECURITY

1.1           Data Centers

1.1.1           If either party maintains their own Data Center and Network Security, they shall adhere to the following terms in part 1.1 of this DPA Security Attachment. If they are entirely cloud based then they shall work only with established technology providers who have robust data protection and security measures in place, and adhere to all Applicable Laws.

1.1.1.1           Infrastructure; maintains geographically distributed data centers and stores all production data in physically secure data centers.

1.1.1.2           Redundancy; infrastructure has been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. This design allows the party to perform maintenance and improvements of the infrastructure with minimal impact on the production systems. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications.

1.1.1.3           Power; all data centers are equipped with redundant power systems with various mechanisms to provide backup power, such as uninterruptible power supply (UPS) batteries for short term blackouts, over voltage, under voltage or any power instabilities, and diesel generators for outages extending units of minutes, which allow the data centers to operate for days.

1.1.1.4           Business Continuity; party replicates data across multiple systems to help protect against accidental destruction or loss. Vendor has designed and regularly plans and tests its business continuity planning and disaster recovery programs.

1.2           Network and Transmission

1.2.1           Data Transmission; parties use industry standard encryption schemes and protocols to encrypt data transmissions. This is intended to prevent reading, copying or modification of the data during transfer.

1.2.2           Intrusion Detection; parties employ intrusion detection systems and appropriate firewalls. Security personnel will promptly react to any discovered security incidents and will inform the involved parties.

1.2.3           Encryption Technologies; parties to use best practice and industry standard encryption technologies. Where a party utilizes cloud based servers they shall work with technologies which adhere to encryption technologies best practice.

2            ACCESS AND SITE CONTROLS

2.1           Site Controls

2.1.1           Data Center Security Operations; All data centers owned by the party maintain 24/7 on-site security operations responsible for all the aspects of physical data center security. Where the party utilizes the cloud they shall work with technologies which adhere to data center security operations best practice.

2.1.2           Data Center Access Procedures; access to the datacenter follows a physical security policy allowing only pre-approved authorized personnel to access the equipment.

2.1.3           Data Center Security; all data centers comply with or exceed the security requirements of SOC2. All owned data centers are equipped with CCTV, on-site security personnel and key card access system. Where a party utilizes the cloud they shall work with technologies which adhere to data center security best practice.

2.2           Access Control

2.2.1           Internal Data Access Processes and Policies – Access Policy; parties' internal data access processes and policies are designed to prevent unauthorized persons or systems from getting access to systems used to process personal data. These processes can be audited by an independent auditor. Party employs a centralized access management system to control access to production systems and servers where applicable, and only provides access to a limited number of authorized personnel. SSO, LDAP and SSH certificates are used to provide secure access mechanisms where applicable. Party requires the use of unique IDs, strong passwords and two factor authentication where applicable. Granting of access is guided by an internal policy. Access to systems is logged to provide an audit trail for accountability.

3            DATA

3.1           Data Storage, Isolation and Logging; the parties store data in a combination of dedicated and multi-tenant environments. Supplier also logically isolates Company’s data. Supplier may enable data sharing, should the Services functionality allow it.

3.2           Decommissioned Disks and Disk Erase Policy; disks used in servers might experience hardware failures, performance issues or errors that lead to their decommissioning. In instances where the party owns the disk, all decommissioned disks are securely erased if intended for reuse, or securely destroyed due to malfunction.

3.3           A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

3.4           Neither party has control over, or any responsibility or liability for security issues relating to data (including provided data) maintained on servers that are not owned or controlled by them. This includes any servers maintained by third party platforms, or relating to the transmission of data or receipt of data from third party platforms.

4            PERSONNEL SECURITY

4.1           Both parties' personnel are required to conduct themselves in a manner consistent with best practice guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Both parties conduct appropriate background checks to the extent allowed by applicable law and regulations to deliver the Services. Personnel are required to act in confidentiality to the Services being performed and must acknowledge receipt of, and compliance with, this Contract’s confidentiality, privacy and acceptable use policies. All personnel are provided with security training upon employment and then regularly afterwards. Personnel will not process Controller Data without authorization.

5            SUB-PROCESSOR SECURITY

5.1           Both parties ensure that their Sub-processors have adequate levels of security and privacy to data and scope of services they are engaged to provide. Once the Sub-processor risk is evaluated, the Sub-processor enters into appropriate privacy, confidentiality and security contract terms with the party to ensure the Applicable Laws are adhered to.

5.2           Each party shall confirm to the other in writing any Sub-processors engaged in the delivery of the Services agreed to in the IO.

6            INCIDENT REPORTING

6.1           Both parties must have effective processes for the identification, management and reporting of incidents. Any incident, suspected or actual, involving the Controller Data must be reported immediately to the Data Controller. Any incident (Incident) may include but not be limited to:

6.1.1           Security breach or fraud;

6.1.2           Misuse of relevant system storing the Controller Data;

6.1.3           Misuse, loss or corruption of the Controller Data;

6.1.4           Unauthorized access to, use of, alteration, amendment or deletion of Controller Data;

6.1.5           Physical security incident; and

6.1.6           Any unapproved requirement to disclose the Controller Data to a third party.

6.2           The Data Processor will investigate any such incident, provide status updates throughout the process, and respond to reasonable Data Controller requests during the incident. A written report will be sent to the Data Controller describing:

6.2.1           The nature of the incident;

6.2.2           Any control weaknesses discovered; and

6.2.3           Remedial actions taken.

6.3           The Data Processor will assist the Data Controller in:

6.3.1           informing data subjects if there has been an incident involving the Data Processor; and

6.3.2           informing the relevant national data protection authority of the Incident.