WHEREAS, DoControl develops and operates a solution providing businessesa modern security layer enforcing advanced security features on the multipleSaaS applications they use, regardless of each SaaS application’s underlyingcapabilities (the “Service”); and
WHEREAS Customer is interested in using the Service internallywithin Customer’s organization.
NOW THEREFORE, in consideration of the mutual covenants hereinafter,by Customer signing an Insertion Order or enrolling online to the Service andassenting to this Agreement, the Parties agree as follows:
1.1. “Applications” means thosethird-party web applications and online services used by the organization and whichthe Customer has configured to interconnect with the Service, such as, by wayof example only, Dropbox, OneDrive.
1.2. “Feedback” meansinformation or content concerning enhancements, changes or additions to the Serviceor other DoControl offerings, that are requested, desired or suggested by theCustomer or its Users.
1.3.“Output Data” means the various reports, alerts, analytics, recommendations,notices, and other types of information and data that the Service may generate,provide or make available to Customer.
1.4.“ContextualData” meansinformation: (a) that identifies or depicts the Customer’s content that iscontrolled or monitored through the Service, such as, by way of example only,file names; or (b) that identifies individuals who have a bearing to theCustomer’s content that is controlled or monitored through the Service, suchas, by way of example only, sender or recipient name, user name or emailaddress.
1.5. "Service Data” means the data collected and processedin the course of providing the Service about the Customer’s use of the Service,performance of the Service, its compatibility and interoperability, butexcluding Contextual Data.
1.6. “Service Entitlement” means either theinsertion order Customer has signed, or the enrollment plan Customer hasselected and agreed to online, in each case specifying, among others, theCustomer’s details, the fees applicable to this Agreement, the Service usagemetrics and parameters and limitations for the Customer and the particulars ofany support and maintenance scheme for the Service. Such Service Entitlement isincorporated by reference to this Agreement, and constitutes an integral partof it.
1.7. “Term” means the period of this Agreement as specified in Section 12 below.
1.8. “Third Party License” means the licensethat governs a Third Party Software component.
1.9. “Third Party Software” means thosesoftware programs and components licensed by third parties and contained in orprovided in conjunction with the Service, including those detailed in theaccompanying NOTICES file conveyed to Customer.
1.10. “Users” means those employees,consultants and agents that Customer designates to use and deal with theService.
2. Accessto the Service
2.1. Subject to the provisions this Agreement, Docontrolgrants Customer access to use the Service (as specified an detailed in section3 below) during the Term, internally within the Customer’s organization, pursuant to the usage parameters, limits andmetrics specified in the Service Entitlement.
2.2. Customer must ensure that all its Users fully comply with thisAgreement. Customer shall be liable to DoControl for all acts or omissions ofthose that use and deal with the Service on its behalf, as though Customer hadperformed those acts or omissions.
3. Responsibilities, Authorizations andApplications
3.1. The Customer is exclusively responsible fordefining its desired security preferences on the Service, such as data retention policy and temporary sharingpolicy, (the “Policies”). DoControl shall have no liability whatsoeverfor any consequences of Customer defining or not defining Policies.
3.2. Customer instructs and authorizes DoControl tointerconnect the Service with the Applications, using the credentials that theCustomer specifically provides, configures and confirms for this purposethrough the Service’s user interface (“Authorizations”).Customer acknowledges that Docontrol will use the Authorizations in order toimplement Customer’s Policies by transmitting commands and instructions to theApplication. Customer warrants to DoControl that it is lawfully permitted toprovide the Authorizations to DoControl.
3.3. The operation and provision of the Applicationsis under the responsibility of third-party providers, not DoControl. DoControlmakes no warranties whatsoever regarding the quality, features, performance orsecurity capabilities of Application. DoControl does not warrant and is notresponsible for the Applications operating in conformance with the Policies, orany security issue arising from the Applications and their use.
Customer and its Users shall not:
4.1. sublicense, transfer and/or assign the Service or any part thereofto any third party, or allow any third parties to use the Service;
4.2. remove, or in any manner alter, any product identification,proprietary, trademark, copyright or other notices contained in the Service;
4.3. work around any technical limitations of the Service or use anytool to enable features or functionalities that are otherwise disabled,inaccessible or undocumented in the Service
4.4. breach the security of the Service, identify, probe or scan anysecurity vulnerabilities in the Service;
4.5. use robots, crawlers and similar applications to scrape, harvest,collect or compile content from or through the Service.
4.6. enhance, supplement, modify, adapt, decompile, disseminate,disassemble, recreate, generate, reverse assemble, reverse compile, reverseengineer, or otherwise attempt to identify the underlying source code of the Service;or
4.7. use the Service in order to develop or create (or permit others todevelop or create) a product or service similar or competitive to the Service.
5. Intellectual Property
5.1. The Service is a proprietary offering of DoControl, protectedunder copyright laws and international copyright treaties, patent law, tradesecret law and other intellectual property rights of general applicability. TheService is offered to Customer for use and access only in accordance with theterms of this Agreement and is not sold in any other way.
5.2. Customer may provide DoControl with Feedback, including information pertaining to bugs, errors andmalfunctions of the Service, performance of the Service, the Service’scompatibility and interoperability, and information or content concerningenhancements, changes or additions to the Service that Customer requests,desires or suggests. Customer hereby assigns all right, title and interest inand to the Feedback to DoControl,including the right to make commercial use thereof, for any purpose DoControl deems appropriate.
5.3. Except as provided herein with respect to Customer’s Output Dataand Customer’s limited access to use the Service according to this Agreement,this Agreement does not grant or assigns to Customer, any other license, right,title, or interest in or to the Service and Output Data or the intellectualproperty rights associated with them. All rights, title and interest, includingcopyrights, patents, trademarks, trade names, trade secrets and otherintellectual property rights, and any goodwill associated therewith, in and tothe Service or any part thereof, including computer code, graphic design,layout and the user interfaces of the Service, whether or not based on orresulting from Feedback, but excluding Contextual Data, are and will remain atall times, owned by, or licensed, to DoControl.
5.4. WE DO NOT CLAIM OWNERSHIP OVER CONTEXTUAL DATA. WHEN YOUR USE OFTHE SERVICE INVOLVES CONTEXTUAL DATA, YOU REPRESENT AND WARRANT TO US THAT YOU ARE LAWFULLY PERMITTED TO HAVE US PROCESS THE CONTEXTUAL DATAFOR THE PROVISION OF THE SERVICE TO YOU.
5.5. Subject to Customer’swritten consent, and notwithstanding anything to the contrary herein, DoControlmay identify Customer as a customer and indicate Customer as a user of theService on its website and in other online or offline marketing materials andpress releases. Customer herebygrants DoControl a worldwide, non-exclusive, non-transferable, royalty-free andfree of charge, license, to use Customer’s name, logo, and website URL on itswebsite and in other online or offline marketing materials relating to theService. DoControl will use this content strictly in accordance with any usageguidelines sent by Customer in advance.
6.1. ”Confidential Information”shall mean any and all information disclosed by one party (”DisclosingParty”) to the other (”Receiving Party”) regarding past, present, orfuture marketing and business plans, customer lists, lists of prospectivecustomers, technical, financial or other proprietary or confidentialinformation of the Disclosing Party, formulae, concepts, discoveries, data,designs, ideas, inventions, methods, models, research plans, procedures,designs, formulations, processes, specifications and techniques, prototypes, samples,analyses, computer programs, trade secrets, data, methodologies, techniques,non-published patent applications and any other data or information, as well asimprovements and know-how related thereto.
6.2. Contextual Data and Output Data is considered Customer’sConfidential Information and Service Data is considered DoControl’sConfidential Information.
6.3. Each Party herein must hold any Confidential Information inconfidence using the same degree of care, but in no case less than a reasonabledegree of care, that it uses to prevent the unauthorized dissemination orpublication of its own confidential information. Receiving Party may use thisConfidential Information only for the purpose of performing its obligationsunder this Agreement.
6.4. The obligations set forth in this section shall not apply toinformation that: (i) is now or subsequently becomes generally available in thepublic domain through no fault or breach on Receiving Party's part; (ii)Receiving Party can demonstrate in its prior established records to have hadrightfully in Receiving Party's possession prior to disclosure of the same bythe Disclosing Party; (iii) Receiving Party can demonstrate by written recordsthat it had rightfully obtained the same from a third party who has the right totransfer or disclose it, without default or breach of confidentialityobligations; (iv) Disclosing Party has provided its prior written approval fordisclosure; or (v) Receiving Party are required to disclose pursuant to abinding order or request by court or other governmental authority, or a bindingprovision of applicable law, provided that, to the extent permissible,Receiving Party provide the Disclosing Party notice of the requested disclosureas soon as practicable, to allow the Disclosing Party, if it so chooses, toseek an appropriate protective or preventive order.
7. Dataand Privacy ; Data Processing Addendum
7.1. Customer acknowledges and agrees that DoControl itself or trusted third-parties (such as Application providers) willhandle and use the data as follows:
7.1.1. DoControl will use the Contextual Data and theOutput Data to provide the Service to Customer, and conduct administrative andtechnical activities necessary to maintain and provide the Service;
7.1.2. DoControlwill use the Service Data to conduct analysis or generate metrics related tothe Service;
7.1.3. DoControlwill use the Service Data for commercial and marketing purposes, publication ofcase studies and white papers (only in a form not identifying the Customer and itsUsers);
7.1.4. DoControlwill use the Service Data, Output Data and Contextual Data, to bill and collectfees, enforce this Agreement and take any action in any case of dispute, orlegal proceeding of any kind involving Customer with respect to the Service;
7.1.5. DoControlwill use the Service Data, Output Data and Contextual Data, to prevent fraud,misappropriation, infringements, and other illegal activities and misuse of theService; and
7.1.6. DoControlwill use the Service Data, to develop new products and services, and forresearch and testing, provided that no information identifying the Customer andits Users is publicly shared.
7.2. DoControl may disclose or share Service Data,Output Data and Contextual Data, if required, or if it reasonably believes thatit is required, by law, pursuant to a subpoena, order, or decree, issued by acompetent judicial or administrative authority, provided that, to the extentlegally permitted, DoControl will endeavor to give Customer prompt notice ofthe requirement prior to such disclosure, to allow Customer, at Customer’s costand expense, to intervene and protect its interests in the data.
7.3. Subject to the foregoing, DoControl will takeprecautions to maintain the confidentiality of the Output Data and ContextualData, in a manner no less protective than it uses to protect its own similarassets, but in no event less than reasonable care. DoControl will not use ordisclose Customer’s Data except as described above or otherwise subject to Customer’sexpress, prior, written permission. DoControl’s personnel, staff, advisors,sub-contractors and consultants will access Customer’s Service Data on a strict'need to know' basis, subject to this Agreement.
7.4. The Service does not provide, and is notintended as, data back-up service. DoControl may delete Customer’s Data fromthe Service upon termination of this Agreement. Customer is responsible formaintaining back-up copies of its data.
7.5. If, considering the nature and circumstances ofthe Customer, the Contextual Data is subject to the GDPR, then the Customer andDoControl acknowledge that Customer is the Data Controller for such Data,DoControl is a data processor for it, and DoControl may process the ContextualData only for the purpose of its performance of this Agreement. Docontrol andCustomer shall comply with the DPA attached hereto as Exhibit A, withrespect to the Contextual Data.
DoControl, either directly or with theassistance of third parties, will endeavor to provide Customer technicalsupport for technical pursuant to the particulars specified in the ServiceEntitlement. DoControl will attempt to respond to Customer’s technical questions,problems and inquiries as soon as practicably possible. However, DoControlmakes no warranties to the successful or satisfactory resolution of thequestion, problem or inquiry; and may decline to provide such support formatters that it deems, in its sole discretion, to require unreasonable time,effort, costs or expenses. For the purpose of the provision of technicalsupport for Customer’s technical questions, problems and inquiries, Customerwill cooperate, and work closely with DoControl, to reproduce malfunctions,including conducting diagnostic or troubleshooting activities, as DoControlreasonably requests.
9.1. In consideration for the Service, Customer willpay DoControl the fees specified in the ServiceEntitlement according to the payment schemes, paymentterms and payment cycles specified therein. Fees quotedin the Service Entitlement are exclusive of any sales tax, VAT, and transactioncharges. Customer shall bear such taxes and charges.
9.2. All Customer’s payment obligations to DoControlare non-cancelable and all amounts paid in connection with the Service arenon-refundable. Customer is responsible for paying all fees applicable to its subscriptionto the Service, whether or not it actively used, accessed or otherwisebenefited from the Service.
9.3. Unless set forth otherwise in the ServiceEntitlement, amounts are due and payable to DoControl within thirty (30) daysof receipt of the applicable invoice.
9.4. Failure to settle any overdue fee within twentyone (21) calendar days of its original due date will constitute a materialbreach of this Agreement and, without limiting any remedies available to DoControl,DoControl may: (i) terminate these this Agreement; or (ii) suspend performanceof or access to the Service, until payment is made current. Late payments shallbear interest at the rate of nine percent (9%) per annum. Customer willreimburse DoControl for all legal costs and attorney fees DoControl incurs inthe course of collecting Customer’s overdue fees.
9.5. All fees are quoted in US Dollars and Customershall pay DoControl in US Dollars, unless stated differently in the ServiceEntitlement. Fees are payable by the methods indicated in the ServiceEntitlement.
9.6. Payment may be processed and handled throughrelevant third-party payment processors. Any payments processed through thirdparty payment processors are therefore subject not only to this Agreement, butalso the terms and conditions of the applicable third-party payment processorpursuant to Customer’s agreement with them. Customer acknowledges that such third-partypayment processors may charge commission from the Customer. DoControl is notresponsible for such commission, which is strictly between Customer and therelevant payment processor. Fees that DoControl is unable to charge through thepayment method Customer provided is deemed an overdue fee.
10. Term and Termination
10.1. Unless specifically stated otherwise in theService Entitlement, this Agreement will be in effect for the initial periodset forth in the Service Entitlement and it will automatically renew forsuccessive 1-year period(s) thereafter unless terminated by either partythrough a written notice submitted to the other party at least 60 days prior tothe then applicable term (the “Term”). In the absence of any otheragreement between the parties to the contrary, the terms set forth in theService Entitlement with respect to the initial Term (including, withoutlimitation, the number of users and fees) shall apply to any subsequent renewalTerm.
10.2. Notwithstanding the above, either party may terminate thisagreement:
10.2.1. In the event of a breach of this Agreementby the other party, where the breach remains uncured for thirty (30) daysfollowing written notice thereof from thenon-breaching party to the breaching party, but if a breach is of a nature thatcannot be cured, then the non-breaching party may terminate the Agreementimmediately upon notice to the other party;
10.2.2. If theterminating party is required to do so by law;
10.2.3. If theother party becomes or is declared insolvent or bankrupt, is the subject of anyproceeding related to its liquidation or insolvency (whether voluntary orinvoluntary) which proceedings are not dismissed within sixty (60) days oftheir commencement, makes an assignment for the benefit of creditors, or takesor is subject to any such other comparable action in any relevant jurisdiction.
10.3. Immediately upon termination of this Agreement:
10.3.1. DoControl may terminate Customers’ account on the Service anddelete the Output Data and Contextual Data (if stored) in its systems;
10.3.2. Customer shall cease any and all use of the Service;
10.3.3. DoControlwill charge Customer for all then-outstanding Service fees (if any);
10.4. Sectionsin this Agreement that by their purpose of nature should survive termination ofthis Agreement, will so survive.
11. No Warranty and Limitation on Liability
11.1. DoControlwill endeavor to have the Service operate properly. However, as a service thatrelies on back-end software, infrastructure, servers, third party networks andcontinuous internet connectivity, it cannot guarantee that the Service willoperate in an uninterrupted or error-free manner, or that it will always beavailable, free from errors, omissions or malfunctions.
11.2. If DoControlbecomes aware of any failure or malfunction, it shall attempt to regain theService’s availability as soon as practicable. However, such incidents will notbe considered a breach of this Agreement.
11.3. THE SERVICE IS PROVIDED “AS IS”. DOCONTROL HEREBY DISCLAIMS ALLWARRANTIES AND REPRESENTATIONS, EITHER EXPRESS OR IMPLIED, WITH RESPECT TO THESERVICE AND THE OUTPUT DATA, INCLUDING ANY WARRANTIES OF MERCHANTABILITY,FITNESS FOR A PARTICULAR PURPOSE, QUALITY, ACCURACY, NON-INFRINGEMENT, TITLE,SECURITY, COMPATIBILITY OR PERFORMANCE.
11.4. TO THEMAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND EXCEPT IN THE EVENT OFINTENTIONAL MISCONDUCT OR BREACH OF DOCONTROL’S CONFIDENTIALITY OBLIGATIONS, DOCONTROL,INCLUDING ITS EMPLOYEES, DIRECTORS, OFFICERS, SHAREHOLDERS, ADVISORS, ANDANYONE ACTING ON ITS BEHALF, WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL,CONSEQUENTIAL, SPECIAL, STATUTORY OR PUNITIVE DAMAGES, LOSSES (INCLUDING LOSSOF PROFIT, LOSS OF BUSINESS OR BUSINESS OPPORTUNITIES AND LOSS OF DATA), COSTS,EXPENSES AND PAYMENTS, EITHER IN TORT, CONTRACT, OR IN ANY OTHER FORM OR THEORYOF LIABILITY (INCLUDING NEGLIGENCE), ARISING FROM, OR IN CONNECTION, WITH THISAGREEMENT, ANY USE OF, OR THE INABILITY TO USE THE SERVICE, THE OUTPUT DATA, ANYRELIANCE UPON THE OUTPUT DATA OR ANY ERROR, INCOMPLETENESS,INCORRECTNESS OR INACCURACY OF THE SERVICE OR THE OUTPUT DATA.
11.5. TO THEMAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND EXCEPT IN THE EVENT OFINTENTIONAL MISCONDUCT, OR BREACH OF CONFIDENTIALITY OBLIGATIONS, THE TOTAL ANDAGGREGATE LIABILITY OF DOCONTROL (INCLUDING ITS RESPECTIVE EMPLOYEES,DIRECTORS, OFFICERS, SHAREHOLDERS, ADVISORS, AND ANYONE ACTING ON ITS BEHALF),FOR DIRECT DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, THE SERVICE ORTHE OUTPUT DATA, SHALL BE LIMITED TO THE FEES PAYABLE TO DOCONTROL FOR THE SERVICEIN THE PRECEDING 12 MONTHS PRIOR TO THE EVENT PURPORTEDLY GIVING RISE TO THECLAIM OCCURRED.
12.1. Customer agrees to indemnify and hold harmless DoControl and itsdirectors, officers, employees, and subcontractors, upon DoControl’s requestand at Customer’s expense, from, and against, any damages, loss, costs,expenses and payments, including reasonable attorney’s fees and legal expenses,arising from any third party complaint, claim, plea, or demand in connectionwith Customer’s breach of Sections 3 - 5 in thisAgreement.
12.2. If DoControl seeks indemnification from Customer, it shall provideCustomer with (i) prompt written notice of any indemnifiable claim; (ii) allreasonable assistance and cooperation in the defense of such indemnifiableclaim and any related settlement negotiations, at Customer’s expense; and (iii)exclusive control over the defense or settlement of such indemnifiable claim,provided, however, that DoControl may settle or reach compromise on any suchclaim without Customer’s consent, if and to the extent such settlement orcompromise does not impose any liability (monetary, criminal or otherwise) on Customer.DoControl shall have the right to participate, at its own expense, in thedefense (and related settlement negotiations) of any indemnifiable claim withcounsel of its selection.
13. Governing Law and Jurisdiction
13.1. Regardless of Customer’s jurisdiction ofincorporation, the jurisdiction where it engages in business, or access theService from, this Agreement and Customer’s use of the Service will beexclusively governed by and construed in accordance with thelaws of the State of New York, excluding any otherwise applicable rules ofconflict of laws, which would result in the application of the laws of ajurisdiction other than the State of New York. Anydispute, controversy or claim which may arise out of or in connection with thisAgreement or the Service, shall be submitted to the sole and exclusivejurisdiction and venue of the Federal and State courts located in New YorkCounty, New York. Subject to Section 13.2 below, theParties herebyexpressly consent to the exclusive personal jurisdiction and venue of such courts, and waive any objections related theretoincluding objections on the grounds of improper venue, lack of personaljurisdiction or forum non conveniens.
13.2. Notwithstanding the foregoing, DoControl may also lodge a claimagainst Customer: (a) pursuant to the indemnity clause above, in any court adjudicating athird party claim against DoControl; and (b) for interim, emergency orinjunctive relief in any other court having general jurisdiction over Customer.
14.1. Assignment.Customer may not assign this Agreement without obtaining DoControl’s priorwritten consent. Any purported assignment without DoControl’s prior writtenconsent is void. To the greatest extent permissible by law, DoControl mayassign these Terms in their entirety, including all right, duties, liabilities,performances and obligations herein, upon notice to Customer and withoutobtaining Customer’s further specific consent, to a third-party, upon a merger,acquisition, change of control or the sale of all or substantially all of DoControl’sequity or assets. By virtue of such assignment, the assignee assumes DoControl’sstead, including all right, duties, liabilities, performances and obligationshereunder, and DoControl shall be released therefrom.
14.2. Relationshipof the Parties. The relationship between the Parties hereto isstrictly that of independent contractors, and neither Party is an agent,partner, joint venturer or employee of the other.
14.3. Subcontracting.DoControl may subcontract or delegate the performance of its obligations under thisAgreement, or the provision of the Service (or any part thereof), to any thirdparty of its choosing, provided however, that it remains liable to Customer forthe performance of its obligations under this Agreement.
14.4. CompleteTerms and Severability. This Agreement constitutes the entireand complete agreement between the Parties concerning the subject matter hereinand supersede all prior oral or written statements, understandings,negotiations and representations with respect to the subject matter herein. Ifany provision of this Agreement is held invalid or unenforceable, that provisionshall be construed in a manner consistent with the applicable law to reflect,as nearly as possible, the original intentions of the Parties, and theremaining provisions will remain in full force and effect. This Agreement maybe modified or amended only in writing, signed by the duly authorizedrepresentatives of both Parties.
14.5. No Waiver. Neither Party will, by mere lapse oftime, without giving express notice thereof, be deemed to have waived anybreach, by the other Party, of any terms or provisions of these Terms. Thewaiver, by either Party, of any such breach, will not be construed as a waiverof subsequent breaches or as a continuing waiver of such breach.
Exhibit A- Data Processing Addendum
1. Customercommissions, authorizes and requests that DoControl provide Customer theService, which involves Processing Personal Data (as these capitalized termsare defined and used in Eu Regulation 2016/679 General Data ProtectionRegulation (GDPR) (“Data Protection Laws”). Capitalized terms used herein butnot defined shall have the meaning ascribed to the in the GDPR.
2. ThisAddendum applies only to DoControl’s Processing described in Section 7.1.1 ofthe Agreement, as a Processor of Customer.
3. DoControlwill Process the Personal Data only on Customer’s behalf and for as long asCustomer instructs DoControl to do so. DoControl and Customer are each responsiblefor complying with the Data Protection Law applicable to them in their roles asData Processor and Data Controller, respectively.
4. The natureand purposes of the Processing activities are describedin Section 7.1.1 ofthe Agreement. The Personal Data Processed may include,without limitation, the substance described in Sections 1.3 and 1.4 of theAgreement.
5. The DataSubjects, as defined in the Data Protection Law, about whom Personal Data isProcessed are end-users of the Customer and individuals who have a bearing tothe Customer’s content that is controlled or monitored through the Service.
6. DoControlwill Process the Personal Data only on instructions from Customer documented inthis Addendum, the Agreement or otherwise provided in writing, including withregard to cross-border transfers of Personal Data. The foregoing applies unlessDoControl is otherwise required by law to which it is subject (and in such acase, DoControl shall inform Customer of that legal requirement beforeprocessing, unless that law prohibits such information on important grounds ofpublic interest). DoControl shall immediately inform Customer if, inDoControl’s opinion, an instruction is in violation of Data Protection Laws.
7. DoControlwill make available to Customer all information in its disposal necessary todemonstrate compliance with the obligations under Data Protection Laws, andshall make them available to the Customer upon request.
8. DoControlwill follow Customer’s instructions to accommodate, and shall assist byappropriate means to ensure compliance with the provisions on, Data Subjects’rights in relation to their Personal Data, including accessing their data,correcting it, restricting its processing or deleting it. DoControl will passon to Customer requests that it receives (if any) from Data Subjects regardingtheir Personal Data Processed by DoControl.
9. Customerauthorizes DoControl to engage another sub-processor for carrying out specificprocessing activities of the Services, provided that DoControl informs Customerat least 30 business days in advance of any new or substitute sub-processor, inwhich case Customer shall have the right to object, on reasoned grounds, tothat new or replaced sub-processor. If Customer so objects, DoControl may notengage that new or substitute sub-processor for the purpose of ProcessingPersonal Data in the provision of the Services. For the avoidance of doubt,Application providers are not sub-processors of DoControl.
10. Without limiting the foregoing, in any event where DoControlengages another sub-processor, DoControl will ensure that the same dataprotection obligations as set out in this Addendum (or those required underData Protection Laws to be flowed down to sub-processors) are likewise imposedon that other sub-processor by way of a contract, in particular providingsufficient guarantees to implement appropriate technical and organizationalmeasures in such a manner that the processing will meet the requirements ofData Protection Laws. Where the other sub-processor fails to fulfil its dataprotection obligations, DoControl shall remain fully liable to Customer for theperformance of that other sub-processor's obligations.
11. DoControl and its other sub-processors will only Process thePersonal Data in member states of the European Economic Area, or if outside themember states of the European Economic Area then under adequate safeguards asrequired under Data Protection Law governing cross-border data transfers (e.g.,Model Clauses). DoControl must inform Customer at least 30 business days inadvance of any cross-border data transfer scenario, in which case Customershall have the right to object, on reasoned grounds, to that envisionedcross-border data transfer. If Customer so objects, DoControl may not engage inthat envisioned cross-border data transfer for the purpose of ProcessingPersonal Data in the provision of the Services.
12. DoControl and the Customer hereby subscribe to the standardcontractual clauses for the transfer of personal data to processors establishedin third countries (“Controller to Processor EU Model Clauses”), pursuant to EUCommission Decision 2010/87/EU, which are incorporated hereto by reference. Forthe purpose of the Controller to Processor EU Model Clauses: Customer shall bethe data exporter; DoControl shall be the data importer, the parties’ contactinformation shall be as set out in the Agreement; the Data Subjects, thecategories of persona data and the nature of processing shall be as set outabove; the processing operations include collection, recording, organization,structuring, storage, adaptation or alteration, retrieval, consultation, use,dissemination or otherwise making available, alignment or combination,pseudonymization, erasure; Technical and organizational security measuresimplemented by the data importer are as set out in DoControl’s securitywhitepaper available here https://www.docontrol.io/security.
13. In Processing Personal Data, DoControl will implement appropriatetechnical and organizational measures to protect the Personal Data againstaccidental or unlawful destruction or accidental loss, alteration, unauthorizeddisclosure or access, as set out in DoControl’s security whitepaper availablehere https://www.docontrol.io/security.
14. DoControl will ensure that its staff authorized to Process thePersonal Data have committed themselves to confidentiality or are under anappropriate statutory obligation of confidentiality.
15. DoControl shall allow for and contribute to audits, includingcarrying out inspections conducted by Customer or another auditor jointlymandated by Customer and DoControl in order to establish DoControl’s compliancewith this Addendum and the provisions of the applicable Data Protection Law asregards the Personal Data that DoControl processes on behalf of Customer.
16. DoControl shall document any Personal Data Breach (as this term isdefined and used in Data Protection Law and applicable regulatory guidelines).This documentation shall include all the facts relating to the personal databreach, its effects and the remedial action taken. DoControl shall withoutundue delay, and in any event within 72 hours, notify Customer through twodifferent types of channels (e.g., email and telephone), of any Personal DataBreach that it becomes aware of regarding Personal Data of Data Subjects thatDoControl Processes. DoControl will thoroughly investigate the breach, and takeall available measures to mitigate the breach and prevent its reoccurrence.Customer and DoControl will cooperate in good faith, on issuing any statementsor notices regarding such breaches, to authorities and Data Subjects. Thenotification to Customer referred to in this subsection shall include at leastthe following information:
• Adescription of the nature of the personal data breach including, wherepossible, the categories and approximate number of data subjects concerned, andthe categories and approximate number of personal data records concerned;
• The nameand contact details of the data protection officer or other contact point wheremore information can be obtained;
• Adescription of the likely consequences of the personal data breach; and
• Adescription of the measures taken or proposed by the controller to address thepersonal data breach, including measures to mitigate its possible adverseeffects.
Ifit is not possible to provide the above information pursuant with thenotification, DoControl shall provide this information as soon as it isavailable.
17. DoControl will assist Customer with the eventual preparation ofdata privacy impact assessments and prior consultation as appropriate (and ifneeded).
18. DoControl will provide Customer prompt notice of any request itreceives from authorities to produce or disclose Personal Data it has Processedon Customer’s behalf, so that Customer may contest or attempt to limit thescope of production or disclosure request.
19. Upon Customer’s request, DoControl will delete the Personal Datait has Processed on Customer’s behalf under this Addendum from its own and itssub-processor’s systems, or, at Customer’s choice, return such Personal Dataand delete existing copies, and upon Customer’s request, will furnish writtenconfirmation that the Personal Data has been deleted or returned pursuant tothis section.
20. The duration of Processing that DoControl performs on the PersonalData is for the period set out in the Agreement. This Addendum shall prevail inthe event of inconsistencies between it and the Agreement or subsequentagreements entered into or purported to be entered into after the date of thisAddendum – except where explicitly agreed otherwise in writing.
* * * * *