SAAS Agreement with Schedules - Software Services AGREEMENT
1.DEFINITIONS.
“Affiliate” means in relation to each of the parties: (a) any parent company of that party; or (b) any corporate body of which that party directly or indirectly has control or which is directly or indirectly controlled by the same person or group of persons as that party.
“Agreed Deliverables” means the specific deliverables as set out in the schedule 7.
“Client Data” means any content, data, or information uploaded to the Services by You or Your Users.
“Consumable Volume” means the consumable volumes as set out in the Order Form.
“Change Request” means any a change, variation or addition to the Services at any time requested by You.
“Configuration” means the configuration options available to you as set out in schedule 6.
“DPA” means either the Data Processing Addendum as provided by You or, where none has been provided, the Data Processing Addendum as set out in Schedule 2.
“Go-Live Date” means the date that we deploy an Invevo system to you ready to start configuration.
“Invevo” means Invevo’s proprietary software licensed to You under the terms of this Agreement.
“Minimum Spend” means the minimum amount payable under this Agreement as set out in the Order Form.
“Order Form” means any ordering (or amendment) form executed by the Parties for the purchase of the Services as set out in schedule 1
“Service Level Agreement” or “SLA” means the agreement as set out at Schedule 3.
“Set-Up Fee” means the one-off payment required for deliverables as set out in schedule 7.
“Specifications” means the Invevo functional specifications as set out in schedule 5.
“Third-Party Applications and Services” means applications, services, and software provided by parties other than Invevo that You access and use with the Services.
“Users” means the following: (i) Your employees and consultants; and (ii) the employees and consultants of Your Affiliates. You are responsible for the acts and omissions of Users as if they were the acts and omissions of Yourself.
2. SERVICES AND SUPPORT SERVICES
2.1 Invevo grants You and Your Affiliates an irrevocable, non-exclusive, non-sublicensable, non-transferable, worldwide license to access and use the Services from the Go Live Date for the duration of the Term, solely for the provision of the Services and Your own business purposes.
2.2 The Services are provided on the basis of the agreed functional specifications as set out in the Schedule 5.
2.3 Invevo and You shall agree the configuration of Invevo based on the system configuration. Any further changes You request after the Go-Live Date will be considered a Change Request and may be subject to additional charges.
2.4 Time shall not be of the essence in regards to the deliverables but Invevo undertakes to make the system available to you ready for data integration and configuration from the go live date.
2.5 Invevo is provided as a self-service application where Your assigned administrator can make changes and manage the logins of users.
2.6 Invevo will accept all Client Data into Invevo provided that it has been provided by You in the format requested by Invevo.
2.7 Invevo owns and reserves all right, title and interest in and to the Services, including any and all patent rights, copyrights, design rights, trademarks, service marks, trade secret, and other intellectual property and proprietary rights, as well as any improvements, modifications, and derivative works of the Services. Except for Your limited right to access and use the Services as expressly set forth in Section 2.1, no right, title, or interest in or to the Services, or any improvements, modifications, or derivative works, is transferred or licensed to You.
2.8 The Services are provided with reasonable care and skill in accordance with the functional Specifications (provided that You comply with all of Your obligations under this Agreement).
2.9 As part of the Services, Invevo will provide You with the support services described in the Service Level Agreement attached at Schedule 3.
2.10 You acknowledge that although Invevo will use reasonable endeavours to ensure that Invevo is error or bug free, some may still occur. For the duration of the Term, Invevo will fix any errors that have been notified to it in accordance with the service level agreement, but this will be the extent of its liability in relation to the errors.
2.11 Invevo operates a continuous delivery pipeline and will automatically deploy bug fixes, security patches and platform performance improvements as part of the on-going service.
3.OUR RESTRICTIONS AND OBLIGATIONS.
3.1 You will co-operate with Invevo and provide any necessary assistance (including access to Your systems) in order for Invevo to be able to provide the Services.
3.2 You acknowledge that any delay in providing any assistance may result in a delay to the deliverables. If Invevo is required to spend additional time and resources as a result of Your delay, Invevo reserves the right to charge an additional set-up fee, provided such a fee is agreed in advance with You.
3.3 You acknowledge that You are fully responsible for any actions of Your Users, including any changes and deletions.
3.4 You may not directly or indirectly, sell, rent, lease, transfer, outsource, act as a service bureau or a provider of a time-sharing service for or otherwise make the Services available to Your customers or any other third party other than Users.
3.5 You may not use the Services in any manner that is contrary to applicable UK and other jurisdictions’ laws, including export laws and regulations.
3.6 You will not remove, alter, or modify Invevo’s proprietary rights’ notices in the Services.
3.7 You will not (a) except as permitted by applicable law, decompile, reverse engineer or otherwise attempt to access the source code of the Services; (b) upload or provide any Client Data that is unlawful, defamatory, invasive of others’ privacy or right of publicity, or that violates third party rights (c) infringe the intellectual property rights of Invevo or any third party in connection with Your use of the Services; (d) interfere with or disrupt the Services; (e) circumvent the user authentication, passwords, or security of the Services and will otherwise maintain the confidentiality of User log-in credentials; (f) modify, prepare derivative works of, copy or duplicate the Services; or (g) in any negligent or intentional way, allow someone other than authorised Users to access or use the Services.
4.INVEVO’S SECURITY AND COMPLIANCE OBLIGATIONS.
4.1 Invevo maintains commercially reasonable administrative, physical, and technical safeguards for protecting the security and confidentiality of Client Data.
4.2 Invevo will process any Client Data containing Personal Data in compliance with the DPA and the EU General Data Protection Regulation (2016/679) (the “GDPR”).
4.3 Invevo will back-up and archive Your Data on a daily basis and the back-up will be kept for no more than fourteen (14) days. Invevo will restore any damaged or lost data from the last saved back-up in the event such occurs, however, this will be Invevo’s only liability to You in the event that any Client Data is lost or damaged.
4.4 Invevo will not use or modify the Client Data except to provide the Services.
4.5 Invevo will comply with all applicable laws and regulations in providing the Services.
4.6 Invevo will its best endeavours to ensure that any disruptions or unauthorised access to Client Data or the Services is avoided.
4.7 Invevo may collect, review and monitor Your use and User behaviour and related metadata of the Services to ensure compliance with this Agreement and evaluate and improve the performance of the Services (“Monitoring”). You allow Invevo to use any Client Data supplied by You, and the results of Monitoring for the purposes of annoymised data analysis. No Client Data will be identifiable as a result of the data analysis.
5.CLIENT OBLIGATIONS FOR CLIENT DATA AND THIRD-PARTY APPLICATIONS AND SERVICES.
5.1 You are solely responsible for the accuracy and legality of Client Data, including how You acquired and use Client Data in connection with the Services (including all applicable laws and regulations) and warrant that You have obtained all rights and permissions in the Client Data necessary to permit Invevo’s compliance with its obligations with respect to the Client Data under this Agreement.
5.2 You warrant that Client Data will be free of all viruses, Trojan horses, and other malicious elements which could interrupt or harm the Services.
5.3 You agree to and have understood our Privacy Policy available at www.invevo.com
5.4 The Services may contain features that interoperate with Third-Party Applications and Services. To use such features, You may be required to obtain access to Third-Party Applications and Services and grant Invevo access to Your account(s) and Client Data on Third-Party Applications and Services. If You install or enable any Third-Party Applications and Services for use with the Services, You hereby grant Invevo permission to allow the applicable third-party provider access to Client Data as required for the Third-Party Applications and Services to operate with the Hosted Services. Invevo is not responsible for Your use of Third-Party Applications and Services, including any exchange of data between You and third party providers, or the processing, disclosure, modification or deletion of Client Data resulting from Your use of Third-Party Applications and Services. Invevo does not warrant that the Third-Party Applications and Services are secure or functional, and Invevo offers no support for the use of such Third-Party Applications and Services. Invevo will not be in breach of this Agreement to the extent that any Third-Party Applications and Services or features thereof cease to function with the Services.
5.5 You acknowledge and agree that the Services are not intended for archiving or backing-up Client Data and You will not use or rely on the Hosted Services for those purposes.
5.6 You acknowledge and agree that Invevo may use and integrate other third-party software providers within the Services (schedule 4). You consent to third party software providers’ use and processing of the Client Data as may be required to fulfil their functions within the Services, provided that the third-party software provider complies with the DPA.
6.PAYMENT TERMS.
6.1 You will pay the Set Up Fee within 30 days of the date of receipt of invoice without set-off or deduction.
6.2 The Services are charged on the basis of the estimated Consumable Volumes as set out in the Order Form. Additional Consumable Volume used during the month will be charged at the additional rate set out in the Order Form.
6.3 You will pay the fees monthly in advance for the Services as calculated based on the Consumable Volume as invoiced by Invevo (“Fees”). However, should the Fees be lower than the Minimum Spend as agreed on the Order Form then You will pay the Minimum Spend as invoiced by Invevo.
6.4 All fees are exclusive of VAT and will be invoiced and paid in Great British Pounds. You will not withhold or set-off any fees owed under this Agreement against any amounts otherwise owed by Invevo to You. Except as expressly set forth in this Agreement, all fees are non-refundable upon receipt by Invevo.
6.5 Invoices are due net 30 from the invoice date. You are responsible for providing complete and accurate billing contact information to Invevo and notifying Invevo of any changes to such information.
6.6 If You fail to pay invoices when due Invevo may, without limiting its other rights and remedies and upon fourteen days prior written notice to You (a) suspend the Services until You pay such amounts in full; and/or (b) charge 4% above the Bank of England’s base rate default interest on any outstanding amounts until payment is received. Such interest shall accrue on a daily basis from the due date until actual payment of the overdue amount, whether before or after judgment.
6.7 Notwithstanding the other provisions of this Section 6, within fifteen (15) days of the date of any invoice You may, by providing written notice to Invevo, reasonably and in good faith dispute any amount set forth in such invoice; provided, that (a) You pay Invevo any undisputed portion(s) of such invoice when due; and (b) You cooperate diligently and in good faith to resolve the dispute.
6.8 For each Renewal Term, Invevo may increase the subscription fees for the Services up to 3% providing written notice to You at least Fifteen (15) days prior to the start of the Renewal Term.
7. CONFIDENTIALITY.
7.1 “Confidential Information” means all non-public information disclosed in any form by a Party or its Affiliate(s) that is designated “confidential” or in a reasonably similar fashion or is disclosed under circumstances reasonably indicating the disclosure is confidential. Without limiting the generality of the foregoing, “Confidential Information” includes (a) with respect to Invevo (i) any non-public portions of and about the Services, (ii) the performance and functionality of the Services, (iii) product roadmaps related to the Services; (b) with respect to Your Client Data; and (c) with respect to both Parties, the existence and terms of this Agreement.
7.2 Each Party will protect the other’s Confidential Information with the same degree of care used to protect its own confidential information, but in no event with less than a reasonable degree of care. In addition, each Party will (a) use the other Party’s Confidential Information solely for purposes of complying with its obligations under this Agreement or using the Services; and (b) restrict the use of and access to the other Party’s Confidential Information to its employees and consultants and the employees and consultants of its affiliates with a need to know such information for purposes of each Party complying with its obligations under this Agreement and who are bound by confidentiality obligations to the Party receiving the Confidential Information consistent with this Agreement. Confidential Information of the disclosing Party may be disclosed by the receiving Party if required to comply with a governmental requirement, legal order, or law; provided, that the receiving Party notifies the disclosing Party prior to disclosure (if such disclose is permitted).
7.3 Confidential Information does not include information that (a) is or becomes publicly known or available without breach of this Agreement; (b) was known by the receiving Party prior to its receipt from the disclosing Party; (c) is disclosed to the receiving Party by a third party under no obligation of confidentiality for that information; or (d) is independently developed by the receiving Party without use of or reference to the Confidential Information of the disclosing Party.
7.4 Each Party acknowledges and agrees that monetary damages are an inadequate remedy for any breach of this Section 7, and the disclosing Party may seek injunctive or other equitable relief in any court of competent jurisdiction, in addition to its other rights and remedies, for any actual or threatened breach of this Section 7 without the need to show actual damages or the posting of a bond.
7.5 Upon the termination of this Agreement, or at either Party’s request, the receiving Party will return or destroy all tangible and electronic materials that constitute the other Party’s Confidential Information; provided, that automatically-generated computer backup or archival copies generated in the ordinary course of the receiving Party’s business need not be returned or destroyed so long as the receiving Party makes no further use of the same and continues to abide by the restrictions set forth in this Section 7 with respect to such information.
7.6 This Section 7 shall supersede any and all previous non-disclosure agreements between the Parties that address the same transaction reflected in this Agreement.
8. TERM, TERMINATION AND EFFECT OF TERMINATION.
8.1 This Agreement will commence on Go-Live Date and will continue for a period of twelve (12) months (“Initial Term”) and will renew annually on each anniversary of the Go-Live Date (“Renewal Term”) (collectively referred as the “Term”). If You do not wish to enter a Renewal Term, You must provide Invevo with a notice to cancel at least thirty (30) days before any Renewal Term.
8.2 Either Party may terminate this Agreement (a) upon 30 days’ prior written notice to the other Party as a result of any material breach of this Agreement by the other Party if the other Party has not cured such breach within such 30-day period; or (b) immediately upon written notice to the other Party as a result of any breach by the other Party of Section 7, Section 4.1 or (c) immediately in the event the other party becomes the subject of a petition in bankruptcy or other proceeding relating to insolvency, liquidation or assignment for the benefit of creditors.
8.3 Upon the termination of this Agreement You will (a) no longer have the right to use or access the Services, and any licenses or access granted to You shall automatically cease to exist as of the date of expiration or termination; and (b) pay Invevo all fees for Services provided by Invevo as of such termination.
8.4 Within 30 days of the termination of this Agreement, upon Your request, Invevo will make available to You a file of the Client Data then in its possession. You hereby acknowledge and agree that 30 days following the expiration or termination of this Agreement Invevo will have no obligation to maintain or produce Client Data under this Agreement, and may, delete and/or destroy all copies of Client Data in the Services or otherwise in Invevo’s possession or control, unless legally prohibited. Other than as set forth above, Invevo will provide no other post-termination assistance absent the Parties’ mutual agreement in writing.
8.5 Sections 0-7, 8.3, 8.4, 8.5, 9-18.11 will survive the expiration or termination of this Agreement.
9. REPRESENTATIONS AND WARRANTIES.
9.1 Each Party represents and warrants that (a) it is authorised to enter into this Agreement; (b) its performance of this Agreement is duly authorised by all necessary corporate action(s); (c) it is duly licensed, authorised or qualified to do business and in good standing in all applicable jurisdictions in which it is conducting business; and (d) the person signing this Agreement on behalf of that Party has authority to do so.
9.2 Invevo warrants that during the Term (a) (i) it will provide the Service in a manner consistent with generally accepted industry standards; and (b) under normal use, the Services will function materially in accordance with the Specifications. This warranty does not apply if (a) You are in violation of this Agreement; (b) the failure is caused by any configuration or customisation to the Services not provided by Invevo; or (c) the failure is caused by Client Data, faulty internet connections or services or Third Party Applications and Services. Invevo also warrants that during the Term it will not change the Services in any way that would materially diminish the Services’ functionality. For any breach of the warranties set forth in this Section 9.2, Your sole and exclusive remedies are those set forth in Sections 8.2(a).
9.3 Except as expressly and specifically provided in this Agreement: (a) You assume sole responsibility for results of the use of the Services. Invevo shall have no liability for any damage caused by errors or omissions in any information, instructions or scripts provided to Invevo by You in connection with the Services, or any actions taken by Invevo at the Your direction; (b)all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement; and (c) the Services are provided to You on an "as is" basis.
9.4 Nothing in this agreement excludes the liability of Invevo: (a) for death or personal injury caused by the Invevo's negligence; or (b) for fraud or fraudulent misrepresentation.
10. INDEMNIFICATION BY INVEVO
10.1 In the event of a third-party claim against You or Your Affiliates and their respective employees, officers, or directors (each, a “Client Indemnitee”), alleging (a) that when used in accordance with this Agreement, the Services infringe or misappropriate the third party’s patent, copyright, trademark, or trade secret rights existing under the laws of England and Wales as of the Effective Date; or (b) that Invevo has breached any applicable law or regulation in providing the Services (a “Claim”), Invevo will defend and indemnify Client Indemnitee(s) against any damages, attorneys’ fees and costs finally awarded against any Client Indemnitee as a result of, or for amounts paid by any Client Indemnitee in settlement of, a Claim; provided, that Client Indemnitee (a) promptly notifies Invevo in writing of the Claim; (b) gives Invevo sole control of the defence and settlement of the Claim; and (c) provides all reasonable assistance with the Claim at Invevo’s expense. Notwithstanding the foregoing, Invevo may not settle any Claim unless it releases all Client Indemnitees of all liability for such Claim. The applicable Client Indemnitee may, at its option and expense and at any time, join in the defence and settlement of a Claim and employ its own counsel.
10.2 If Invevo learns of a Claim or potential Claim under Section 10.1(a) Invevo may, in addition to its indemnification obligations, in its sole discretion and at no cost to You (a) modify the Services to no longer infringe or misappropriate; (b) obtain a license for You to continue using Services; or (c) terminate this Agreement and the applicable Order Form(s) upon 30 days’ written notice to You and refund any prepaid subscription fees for the remainder of the then-current Term prorated from the date of termination.
10.3 Invevo’s obligations under Section 10(a) do not apply if the Claim arises from the use, modification or combination of the Services or any part thereof with software, hardware, or data (including Client Data) not provided by Invevo if Services would not infringe without such combination or modification.
11. INDEMNIFICATION BY CLIENT.
11.1 In the event of a third-party claim, proceeding, or suit against Invevo and its affiliates and their respective employees, officers, or directors (each, a “Invevo Indemnitee”) alleging (a) that You failed to comply with applicable laws and regulations in its performance of this Agreement or its Use of the Services; or (b) that Invevo’s hosting or processing of Client Data infringes or misappropriates the third party’s patent, copyright, trademark, or trade secret rights existing under the laws of England and Wales as of the Effective Date, You will defend and indemnify Invevo Indemnitee(s) against any damages, attorneys’ fees and costs finally awarded against any Invevo Indemnitee as a result of, or for amounts paid by any Invevo Indemnitee in settlement of such claim. Upon learning of a claim, proceeding, or suit referred to in this Section 11, the applicable Invevo Indemnitee will (i) promptly notify You in writing of the claim; (ii) give You sole control of the defence and settlement of the claim; and (iii) provide all reasonable assistance with the claim at Your expense. Notwithstanding the foregoing, You may not settle any claim referred to in this Section 11 unless it releases all Invevo Indemnities of all liability for such claim. The applicable Invevo Indemnitee may, at its option and expense and at any time, join in the defence and settlement of a claim referred to in this Section 11 and employ its own counsel.
12. EXCLUSIONS OF CERTAIN DAMAGES; LIMITATIONS OF LIABILITY.
12.1 Subject to Clause 9.4: a) Invevo shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this agreement; and (b) Invevo’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this agreement shall be limited to the total Fees paid during the 12 months immediately preceding the date on which the claim arose.
13. FEEDBACK AND METADATA.
13.1 You hereby grant Invevo a royalty free, worldwide, perpetual, irrevocable, non-exclusive, transferable right to use, modify, distribute and incorporate into the Services any suggestions, enhancement request, recommendations, or other feedback provided by You or any User related to the Services.
14. GOVERNING LAW; JURISDICTION, DISPUTES.
14.1 This agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).
14.2 In the event, that there is a dispute under this Agreement, then both Parties will enter into good faith negotiations between nominated party directors, should those negotiations fail then the Parties will follow the mediation procedure under CEDR Model Mediation . Neither party shall take any Court action for thirty (30) days from the start of the good faith negotiations, unless an emergency injunction is required.
15. FORCE MAJEURE.
15.1 Neither party is liable for any delay or failure to perform during any period in which such performance is impossible or illegal as a result of circumstances beyond such party’s control, including events caused by third parties not under such party’s control, Third-Party Applications and Services, acts of God (for example, flood, fire, earthquakes, epidemics or pandemics), strikes, acts of government, civil unrest, internet disruptions, including those caused by hardware, software, or power systems not in such party’ control, malicious data hacks by third parties, and denial of service attacks.
16. USE OF SUBCONTRACTORS.
16.1 Invevo may in its sole discretion sub-contract parts of the Services to third-parties in a manner consistent with generally accepted industry standards; provided, that it remains responsible for the actions and omissions of such subcontractors.
17. NOTICES.
17.1 Except as otherwise specified in this Agreement, all notices related to this Agreement will be in writing and will be effective for notice purposes only upon (a) personal delivery, including confirmed delivery by courier service; (b) the first business day after faxing; (c) the second business day after mailing; or (d) the day of sending by email. All notices of purported termination of this Agreement or an indemnifiable claim (“Legal Notices”) shall be clearly marked as a “Legal Notice.” All notices to Invevo, including all Legal Notices, should be sent to [email protected] . All notices to You will be sent to the address set out on the Order Form or to the address as notified to Invevo by You.
18. GENERAL
18.1 If there is an inconsistency between any of the provisions in the main body of this Agreement and the Schedules, the provisions in the main body of this Agreement shall prevail. If there is any inconsistency between this Agreement and the Order Form, then the Order form shall take precedence.
18.2 No variation of this Agreement shall be effective unless it is writing and signed by both Parties.
18.3 No failure or delay by a Party to exercise any right or remedy provided under this Agreement will constitute a waiver of that right or remedy.
18.4 If any provision of this Agreement is found to be invalid, illegal or unenforceable, it will be deemed deleted but its deletion shall not affect the rest of the Agreement. If any provision of this Agreement is deemed deleted it shall be re-construed to reflect the Parties' intent.
18.5 Each Party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this Agreement. Each Party acknowledges that in entering into this Agreement it does not rely on, and shall have no remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.
18.6 Whenever used herein, the terms “include”, “includes” and “including” shall mean, “include/includes/including, without limitation.” Unless the context clearly requires otherwise, references to the plural include the singular. All captions are intended solely for convenience and will not affect the meaning of any provision.
18.7 You shall not, without the prior written consent of Invevo, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement. Invevo may assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement.
18.8 Nothing in this Agreement is intended to or shall operate to create a partnership between the Parties, or authorise either party to act as agent for the other, and neither Party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way.
18.9 This Agreement does not confer any rights on any person or party (other than the parties to this Agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999.
18.10 You hereby agree that Invevo may, during the Term, identify You as a Invevo customer and use Your name and logo on its website and other marketing materials.
18.11 This Agreement, together with all Schedules and Order Forms represents the Parties’ entire understanding with respect to its subject matter and supersedes all prior and contemporaneous communications and proposals, including Invevo’s response to any RFP and any other promotional material supplied by Invevo
18.12 This Agreement may be executed in one or more counterparts. Electronic signatures, including DocuSign, are acceptable means of signing this Agreement and will be deemed originals.
Data Processing AGREEMENT (schedule two)
This Data Processing Agreement (“Agreement“) forms part of the Contract for
Services (“Principal Agreement“) between You the data controller and Us the data processor
(together as the “Parties”)
WHEREAS
a) The Company acts as a Data Controller.
b) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
c) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
d) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1. “Agreement” means this Data Processing Agreement and all Schedules;
1.1.2. “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement. This is limited to the name and contact details of the Company’s clients, employees and in some cases, the names of candidates;
1.1.3. “Contracted Processor” means a Subprocessor;
1.1.4. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5. “EEA” means the European Economic Area;
1.1.6. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7. “GDPR” means EU General Data Protection Regulation 2016/679 as well as the UK GDPR 2018;
1.1.8. “Data Transfer” means:
1.1.8.1. a transfer of Company Personal Data from the Company to a Contracted Processor; or
1.1.8.2. an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.1.9. “Services” means the credit and risk management services the Company provides to its customers.
1.1.10. “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
1.2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
2.1. Processor shall:
2.1.1. comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2. not Process Company Personal Data other than on the relevant Company’s documented instructions.
2.2. The Company instructs Processor to process Company Personal Data in order to deliver the Invevo Trade Credit Risk Management solution to the Company’s customers for the duration of the service contract.
3. Processor Personnel
3.1. Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2. In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Subprocessing
5.1. Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorised by the Company.
6. Data Subject Rights
6.1. Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2. Processor shall:
6.2.1. promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2. ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.
7. Personal Data Breach
7.1. Processor shall notify Company without undue delay within 72 hours upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2. Processor shall co-operate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
8.1. Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9. Deletion or return of Company Personal Data
9.1. Subject to this section 9 Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.
9.2. Processor shall provide written certification to Company that it has fully complied with this section 9 within 10 business days of the Cessation Date.
10. Audit rights
10.1. Subject to this section 10, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.
10.2. Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11. Data Transfer
11.1. The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
12. General Terms
12.1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.
12.3. The Data Processor acknowledges that any unauthorised access, destruction, alteration, addition or impediment to access or use of that Personal Data when stored in any computer, or the publication or communication of any fact or document by a person which has come to his knowledge or into his possession or custody by virtue of the performance of this Agreement (other than to a person to whom the Data Processor is authorised to publish or disclose the fact or document) may be a criminal offence and/or be likely to cause significant loss or damage to the Data Controller.
12.4. The Data Processor shall indemnify, defend and hold harmless the Data Controller and its respective directors, officers, agents, successors and assigns from any and all Data Protection Losses arising from or in connection with:
(a) any Data Breach;
(b) any breach by the Data Processor, any sub-contractor or sub-processor and/or Data Processor Personnel of the obligations set out in this Agreement;
(c) any breach of the Data Privacy Laws (whether by the Data Controller or the Data Processor) caused by the Data Processor's act or omission; and/or
(d) the Data Processor (or any person acting on its behalf) acting outside or contrary to the lawful Processing Instructions of the Data Controller in respect of the processing of Personal Data.
12.5. Nothing in this clause shall relieve the Data Processor of any liability for the acts or omissions of Data Processor Personnel in relation to the Personal Data.
12.6. In respect of any liability arising under this Agreement the Data Processor's liability shall be limited to the value of the contract.
13. Governing Law and Jurisdiction
13.1. This Agreement is governed by the laws of England and Wales.
13.2. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of England and Wales, subject to possible appeal to the UK High Courts.
