inFlow Inventory software as a service agreement
Agreement
Background and Acceptance
- Archon provides access to its inFlow® Software and related Services to customers to assist them with inventory management and associated activities.
- The Customer wishes to licence and use the Software and Services, and to permit its Authorized Users to use the Software and Services, for the Customer’s business inventory management and associated activities. The Customer acknowledges that Customer and its Authorized Users’ rights to use the Software, Services, Content and Documentation are further subject to Archon’s Acceptable Use Policy and Archon’s Privacy Policy.
- Archon has agreed to provide and the Customer has agreed to take and pay for a licence for non-exclusive rights to use the Software and the Services subject to the terms and conditions of this Agreement.
- By:
- registering and/or subscribing to and using the Services (either under a Subscription Plan or a Free Trial); and/or
- downloading, installing or using the Software; and/or
- clicking on the “Accept” button below the link to this Agreement when registering and/or creating an Account,
Customer accepts the terms of this Agreement.
- By accepting this Agreement, you:
- acknowledge that you have read and understood the terms of this Agreement and agree to be bound by its terms and conditions; and
- acknowledge that where you accept the Agreement on behalf of another party (e.g. an institution, corporation or company), you confirm that you are authorized to, and do in fact, agree to this Agreement on that party’s behalf and that, by agreeing to this Agreement on that party’s behalf, that party is bound by this Agreement.
Definitions and interpretation
- In this Agreement unless the context otherwise requires, the following words and expressions will have the following meanings:
- “Acceptable Use Policy” means those terms of use available at inflowinventory.com which each Authorized User is required to follow, as updated from time to time by Archon;
- “Account” means the Customer’s account to which the Customer may grant access to other persons depending upon the Subscription Plan, such persons being Authorized Users.
- “Account Administrator” means the individual who first registers an Account, and thereafter any individual who is designated as an Account Administrator by an Account Administrator of that Account.
- “Add-On” has the meaning given in Section 5.1;
- “Affiliate” of an entity means any company or other entity which directly or indirectly Controls, is Controlled by or is under common Control with that entity;
- “Authorized Users” means those individuals (who may be referred to as “team members” in the Documentation) who are granted access by an Account Administrator to use the Services of the Account in accordance with the Subscription Plan which the Customer has subscribed to, and includes the individuals who are Account Administrators;
- “B2B Portal” means the inFlow® business-to-business portal or the “Showroom” of the Services which allows Customers who have access to this portal under their Subscription Plan, the ability to showcase their products to their end customers (either publicly or privately); and potentially invoice for and receive payments through inFlow® Pay which is an optional integrated function of this portal provided by a third party by way of a separate agreement between Customer and that third party for Customers who are registered businesses physically located in the United States or Canada;
- “Business Day” means any day other than a Saturday, a Sunday or a public holiday in Ontario, Canada;
- “Business Hours” means 9.00 am to 5:00 pm Eastern Time (ET) Toronto, Ontario, each Business Day;
- “Confidential Information” has the meaning given in Section 11.1 (Confidentiality);
- “Content” means images and videos, audio files, data files, animations and text provided by Archon or relevant licensors, but excluding Customer Data;
- “Control” means the ownership of more than 50 per cent of the issued share capital or other equity interest or the legal power to direct or cause the direction of the general management and policies of an entity;
- “Customer Data” means information the Customer or its Authorized Users input into, or which is input on their behalf, and which is processed by Software and Services. Customer Data expressly excludes the Data that Archon compiles, stores and uses to monitor and improve its Software, Services and Documentation and for the creation of new software, services, products or documentation, including metadata and analyses of Customer Data associated with the use of Archon’s websites, Software, Services, Documentation and Intellectual Property;
- “Customer Systems” means all computer equipment, all associated or interconnected network equipment, routers, semi-conductor chips, software and communication lines, and all other equipment owned, licensed or operated by, or operated on behalf of, Customer that is not Software, Services or Documentation or other Archon Intellectual Property;
- “Data” means information provided or received by either party from the other party or on behalf of the other party;
- “Device” means desktop machine, laptop, mobile telephone or handheld device on which the Services are used;
- “Documentation” means printed or electronic materials and documentation concerning the operation, function, specifications and use of the Services and the Software, including online documentation, user manuals, support FAQs, training materials, and any other instructions in writing provided by Archon or its licensors in relation to the Services and/or the Software;
- “Effective Date” means the earliest date on which this Agreement is accepted by the Customer in accordance with Section 1.4 of this Agreement;
- “Free Trial” means the period, which unless otherwise agreed in writing by Archon is fourteen (14) days, in which a Customer is able to access the Software, Services and Documentation free of any charge under the terms and conditions of this Agreement, the Privacy Policy and the Acceptable Use Policy.
- “Governmental or Regulatory Authority” means any national, federal, provincial, state, county, municipal, quasi-governmental or self-regulatory department, authority, organization, agency, commission, board, bureau, official, minister, Crown corporation, or court or other law, rule or regulation-making entity having jurisdiction over (i) Archon or Customer, respectively, or (ii) any person, property, transaction, activity, event or other matter related to this Agreement, including subdivisions of, political subdivisions of and other entities created by, such entities;
- “Group” means, in relation to a party that party, its subsidiaries, any company of which it is a subsidiary (its holding company) and any other subsidiaries of any such holding company;
- “Initial Term” has the meaning set out in Section 13.1;
- “Insolvency Event” means any one or more of the following:
- where proceedings are commenced in connection with the liquidation, dissolution or winding up of a party, or a party makes an assignment for the benefit of creditors, or files a notice of intention to make or otherwise makes any proposal under bankruptcy and/or insolvency Laws of any applicable jurisdiction, or if an assignment in bankruptcy is filed or presented by a party in respect of its properties or assets, or a proceeding is instituted by or against a party under any present or future Laws relating to the reorganization, arrangement or composition of or in respect of its debts or obligations, or if a custodian, trustee in bankruptcy, interim receiver, monitor, administrator, liquidator or receiver or receiver and manager or any other person with similar powers be appointed for either party or a substantial portion of its properties or assets; or
- any third party enforces a security interest over all, or any part, of the assets of a party;
- “Intellectual Property Rights” means any rights that are or may be granted or recognized under any Law, including common law principles, regarding copyright (including rights in computer software), rights in inventions, patents, know-how, trade secrets, trademarks and trade names, logos, service marks, design rights, rights in get-up, rights in trade dress, database rights and rights in data, integrated circuit topography, semiconductor chip topography rights, the right to sue for passing off, utility models, domain names and all similar rights and, in each case:
- whether registered or unregistered;
- including any applications to protect or register such rights;
- including all reissues, divisions, continuations, continuations-in-part, renewals and extensions of such rights or applications;
- whether vested, contingent or future; and
- wherever existing;
- “
Laws
- ” means:
- any laws, statutes, ordinances, by-laws, rules, and regulations, and executive or legislative proclamations in force;
- any orders, arbitral or administrative judgments or decrees, administrative or judicial decisions which is a binding precedent; and
- any requirements of any regulatory body,
in each case in force at any time during the term of this Agreement, and “Law” shall be construed accordingly;
- “Losses” means all losses, liabilities, damages, costs, claims and expenses howsoever arising (including reasonable legal fees and other professional advisors’ fees, and disbursements and costs of investigation, litigation, settlement, judgment, interest, penalties and remedial actions), and to the extent permitted by Laws administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Governmental or Regulatory Authority, and “Loss” shall be construed accordingly;
- “personal information” means information about an identifiable individual;
- “Permitted Recipients” means personnel of Archon (including members of Archon’s Group and its Sub-contractors) or the Customer who are engaged in the performance, management, receipt or use of the Software, Services and the Documentation as well as the receiving party’s auditors and professional advisers;
- “Privacy Policy” means the Customer Privacy Notice available at inflowinventory.com as updated from time to time by Archon;
- “Renewal Period” has the meaning given to it in Section 13.3.
- “Services” means the inFlow Inventory™ Services and includes use of the Software, all related services, Content and Documentation relating to the inFlow Inventory™ Services, as more particularly described in the Documentation or as otherwise agreed between the parties in writing;
- “Software” means Archon’s software application inFlow® (including all versions and releases for any operating system, platform or device), which may include inFlow® API as an add-on, access to which is provided by Archon as part of the Services;
- “Subscription Fees” means the fees set out in the Subscription Plan or as otherwise agreed between Archon and the Customer in writing;
- “Subscription Plan” means the plan the Customer has subscribed to, which may be one of the plans advertised on Archon’s websites or a customised plan agreed with Archon’s sale team, which sets out key details such as the number of Authorized Users, Services, Subscription Fees, the Support Services, and any other services and/or functionality the Customer may have access to;
- “Subscription Term” means the Initial Term together with any Renewal Period(s);
- “Sub-contractor” means any third party providing Archon with services used in the provision of the Services;
- “Support Hours” means the contact hours set out on the inFlow® website at https://www.inflowinventory.com/contact-support.
- “Support Services” means the support services provided by Archon described in Section 4.2, or as otherwise set out in the Documentation or notified to the Customer by Archon from time to time;
- “Viruses” means anything or device (including any software, code, file or programme) which may:
- prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or
- adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices.
- In this Agreement, unless the context requires otherwise:
- references to a “party” or to the “parties” are references to a relevant party or the parties to this Agreement;
- references to a section, schedule or appendix are, as the case may be, to a section, schedule or appendix to this Agreement and references to a clause or paragraph are to a clause or paragraph in a schedule;
- except where the context specifically requires otherwise, words indicating:
- one gender shall include any gender; and
- the singular shall include the plural and vice versa;
- a “person” includes a natural person, firm, corporation, company, unincorporated associations, sole proprietorship, a syndicate, unincorporated organization, trust, Governmental or Regulatory Authority, any association or partnership or joint venture (whether or not having a separate legal personality), and where the context requires, any of the foregoing when they are acting as trustee, executor, administrator or other legal representative;
- the singular shall mean and include the plural and vice versa;
- “writing” shall include any modes of reproducing words in a legible or non-transitory form. Notice in writing may not be given by e-mail except in conformance with Section 19;
- “company” shall include any company, corporation or other body corporate, wherever and however incorporated or established.
- the section headings are included for convenience only and shall not affect the interpretation of this Agreement;
- a reference to a Law includes all subordinate legislation or regulation made under it from time to time, and is a reference to it as amended, extended or re-enacted from time to time; and
- any words following the words “includes“, “including“, “for example” and “in particular” are illustrative only and do not limit the generality of any preceding words where a wider construction is possible.
- In this Agreement unless the context otherwise requires, the following words and expressions will have the following meanings:
subscriptions
- Subject to:
- the Customer registering for a Subscription Plan and paying the associated Subscription Fees (except where the Customer has registered for a Free Trial, in which case it does not need to pay any Subscription Fees for the period of the Free Trial), and
- the restrictions set out in this Section 3,
Archon grants to the Customer a non-exclusive, revocable, non-transferable right and licence, without the right to grant sublicences, to use and permit Customer’s Authorized Users to use the Software, Content, Documentation and the Services during the Subscription Term in accordance with the terms and conditions of this Agreement, the Acceptable Use Policy and any other Documentation provided by Archon to the Customer from time to time.
- In relation to the Authorized Users, the Customer undertakes that:
- the maximum number of Authorized Users that it authorizes to access and use the Services shall not exceed the number of “team members” the Customer is entitled to have under its relevant Subscription Plan; and
- it will ensure that each Authorized User shall comply with the Acceptable Use Policy, including that they keep a secure password for the Account keep the password confidential and not let their log in details be used by anyone else.
- Without limiting the above in any way, the Customer shall not (and the Customer shall ensure that the Authorized Users do not):
- use the Software or Services in any unlawful manner (or in any way that facilitates unlawful activity), for any unlawful purpose, or in any manner inconsistent with this Agreement or the Acceptable Use Policy, or act fraudulently or maliciously, for example, by using another user’s account, or by hacking into or inserting malicious code, including Viruses, or harmful data, into the Services or any operating system;
- use the Software or Services for non-commercial, personal, family or household purposes;
- infringe Archon’s Intellectual Property Rights or those of any relevant licensor or any third party in relation to its use of the Services;
- transmit spam any material that is defamatory, offensive or otherwise objectionable in relation to its use of the Services;
- use the Services in a way that could damage, disable, overburden, impair or compromise Archon’s systems or security or interfere with other users;
- collect or harvest any information or data from any of Archon’s systems;
- attempt to decipher any transmissions to or from the servers running any Services; or
- perform any security testing of the Software, Services or the Services’ hosting platform either manually or utilising any automated system.
- Except as expressly set out in this Agreement or as permitted by Laws, the Customer agrees not to (and the Customer shall ensure that the Authorized Users each agree not to):
- copy the Software, Services, Content or Documentation, except for the purposes of the downloading the Documentation onto a Device and then subsequently copying the Documentation onto other Devices for use with the Services, however for the avoidance of doubt this does not permit the Customer or its Authorized Users to copy any of the code within the Services nor any of the text or concepts in the Documentation;
- use the Software or Services to provide Services to third parties (unless the Customer has purchased a Subscription Plan which allows it to use the B2B Portal whereby Customer may use the Software and/or the Services to display their products or services to their customers);
- rent, lease, sub-license, loan, distribute, disclose, or otherwise commercially exploit the Software, Services, Documentation or otherwise make the Software, Services, Documentation available in whole or in part to any third party except for the purposes specified in Section 3.4.2;
- make alterations to, or modifications of, the whole or any part of the Software, Services or Documentation, or permit the Software, Services or Documentation or any part of these to be combined with, or become incorporated in, any other programs; or
- disassemble, decompile, reverse-engineer or create derivative works based on the whole or any part of the Software or the Services or attempt to do any such thing.
- The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Software, the Services, Content and/or Documentation and, in the event of any such unauthorised access or use, promptly notify Archon.
- The Customer acknowledges that:
- it uses the Software and the Services are for its own internal business purposes; and
- commercial use of the Software and the Services is not permitted,
unless the Customer has purchased a Subscription Plan which allows it to use the B2B Portal or unless otherwise agreed with Archon in an executed written document.
- The rights provided under this Section 3 are granted to the Customer and Authorized Users only.
- Subject to:
Services and support
- Archon shall, during the Subscription Term, provide and make the Services available to the Customer on and subject to the terms of this Agreement and the Acceptable Use Policy.
- Archon will, as part of the Services and at no additional cost to the Customer, provide the Customer with Archon’s standard support services (including for example, troubleshooting or answering questions) during the Support Hours, via email, the chat function on its website, or by call-back request (“Support Services“).
- Archon will also, as part of the Services in respect of a paid Subscription and at no additional cost to the Customer provide the Customer with standard onboarding assistance as set out in the Customer’s Subscription Plan, unless otherwise set out in the Documentation or agreed with the Customer as part of their Subscription Plan. After the initial onboarding assistance included in the Customer’s Subscription Plan, any additional training or onboarding assistance required by the Customer will be provided by Archon at a rate notified by Archon.
Additional Services (Add-Ons) and changes to plans
- Subject to Sections 5.2 and 5.3, the Customer may, from time to time during its Subscription Term, purchase additional services provided by Archon (and advertised on its website or otherwise communicated to the Customer), including for example, extra team members/Authorized Users, use of the inFlow® API, serial numbers and the B2B Portal (“Add-Ons“. Access to, and use of, Add-Ons is subject to the terms and conditions of this Agreement.
- If the Customer wishes to purchase Add-Ons, it shall do so by ordering such Add-Ons in its Account settings or by notifying Archon. If Customer notifies Archon, Archon shall evaluate such request for any Add-Ons and respond to the Customer with approval or rejection of the request (such approval not to be unreasonably withheld). Where the Customer selects additional Add-Ons, and Archon approves the request, and Customer’s Account is in good standing, Archon shall activate the requested Add-Ons within ten 10 Business Day of payment for or its approval of the Customer’s request, or within such period notified to the Customer.
- For clarity, where Archon provides deliverables and/or services related to inFlow® or its other proprietary systems and/or software at the request of Customer, including any configuration, reports, templates or similar works, Archon will own the copyright and all intellectual property rights and Customer will be granted the same rights of access and use as is granted to Customer pursuant to Section 3 of this Agreement.
- Where Customer has ordered Add-Ons in its account settings, the fees and taxes will be calculated and paid by way of the Customer’s credit card as part of the ordering process. If Archon has made a request for Add-Ons to Archon, and Archon has approved, the Customer shall, within 30 days of the date of Archon’s invoice, pay to Archon the relevant fees and taxes for such additional Add-Ons as set out in the applicable Documentation or notified to the Customer.
Archon’s obligations
- Archon shall perform the Services:
- with reasonable skill and care; and
- so that they conform in material respects to what is set out in the Documentation.
- The undertaking at Section 6.1 shall not apply to the extent of any non-conformance which is caused by use of the Services contrary to Archon’s instructions, or modification or alteration of the Services by any party other than Archon or Archon’s duly authorized contractors or agents. If the Services do not conform with the undertaking in Section 6.1, Archon will, at its expense, use reasonable commercial efforts to correct any such non-conformance, or provide the Customer with an alternative means of accomplishing the performance set out in the Documentation. Such correction or substitution constitutes the Customer’s sole and exclusive remedy for any breach of the undertaking set out in Section 6.1.
- Archon may from time-to-time upgrade the Software and the Services at Archon’s sole discretion to maintain compatibility with new software releases, improve operation of the Software and Services, and/or to correct any failures of the Software and Services to perform substantially in accordance with the Documentation.
- Archon shall perform the Services:
Customer’s obligations
- The Customer shall:
- provide Archon with:
- all necessary cooperation in relation to this Agreement; and
- all necessary access to such information as may be required by Archon, in order to provide the Services, including as to Customer Data, security access information and configuration services;
- comply with all applicable Laws relating to its receipt of the Services from Archon (including any applicable Laws relating to consumer protection, e-commerce, distance selling and unfair contract terms) and as required by Governmental or Regulatory Authority (if applicable);
- ensure that the Authorized Users use the Services in accordance with terms and conditions of this Agreement and the Acceptable Use Policy and shall be liable for any Authorized User’s breach of the Acceptable Use Policy or this Agreement;
- ensure that its network and systems comply with the relevant specifications provided by Archon from time to time; and
- be solely responsible for (i) procuring and maintaining its Devices, Customer Systems and network connections and telecommunications links from the Customer Systems to Archon’s Services, and (ii) all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer Systems and network connections or telecommunications links or caused by the Internet.
- provide Archon with:
- The Customer shall:
Intellectual Property Rights
- The Customer acknowledges and agrees that Archon and/or its licensors own all Intellectual Property Rights in the Software, Services, Content and the Documentation. Except for the licence granted in Section 3.1 above, this Agreement does not grant the Customer any Intellectual Property Rights in respect of the Software, Services, Content or the Documentation.
- The Customer shall not (and shall ensure any Authorized User or third party that it permits to access the Software, Services, Content or Documentation do not) develop applications, software or services similar to the Software or Services or a platform similar to the one used to provide the Software and Services under this Agreement utilizing any information and/or materials that it or they have had access to as a result of this Agreement.
- The Customer retains ownership in any Intellectual Property Rights that it holds in its Customer Data. When the Customer (or its Authorized Users) uploads, submits, stores, sends Customer Data to or through the Software or Services, the Customer grants to Archon a fully paid-up, non-exclusive, royalty free, licence to use, host, store, reproduce, distribute, copy, modify and create derivative works of works (such as translations, adaptations, or other changes Archon makes so that Customer Data works better with the Software and Services) any Customer Data, content and materials provided by the Customer to Archon for the Subscription Term for the purposes of providing (and improving) the Services to the Customer.
- The Customer represents and warrants that:
- it owns all rights to the Customer Data or, alternatively, that it has the right to give Archon the rights described above;
- the Customer Data does not infringe the Intellectual Property Rights, privacy rights, publicity rights, or other legal rights of any third party. Archon disclaims all liability for the Customer or its Authorized Users’ infringement or other violation of third party rights including in third party content; and
- to the extent Customer Data includes Protected Data or personal information, it will comply with Section 12 and all Laws applicable to privacy and/or the collection and use of personal information.
- It is expressly agreed that a breach of this Section 8 by a party could cause irreparable harm to the non-breaching party and that a remedy at law would be inadequate. Therefore, in addition to any and all remedies available at law, the non-breaching party shall be entitled to seek an injunction or other equitable remedies (temporary, preliminary and/or permanent) in the event of any threatened or actual violation of any or all of the provisions of Section 8.
Third party providers and separately licensed code
- The separately licensed code included within the Services is licensed to the Customer under the terms of the applicable third party license agreement(s) set out in the Notices file that is made available at https://www.inflowinventory.com/support/cloud-notices (“Separately Licensed Code“). Notwithstanding any of the terms in this Agreement, or any other agreement the Customer may have with Archon, the terms of such third party license agreement(s) governs the Customer’s use of all Separately Licensed Code.
- The Customer acknowledges that the Services may enable or assist it to access the website content of, correspond with, and/or purchase products and services from, third parties via third-party websites and/or services, and that Customer does so solely at its own risk. Archon makes no representation, warranty or commitment and shall have no liability or obligation whatsoever in relation to the content or use of, or correspondence with, any such third-party website, or any transactions completed, and any contract entered into by the Customer with any such third party. Any contract entered into and any transaction completed via any third-party website or services is between the Customer and the relevant third party, and not Archon. With respect to third party websites and/or services, Archon recommends that the Customer refers to the third party’s terms and conditions and privacy policy prior to using the relevant third-party website and/or services. Archon does not endorse or approve any third-party website nor the content of any of the third-party website made available via the Services.
Charges and Payment
- The Customer shall pay the Subscription Fees set out in their Subscription Plan to Archon in accordance with this Section 10.
- The Customer shall, on the Effective Date provide to Archon, valid, up-to-date and complete credit card details or other approved payment method details acceptable to Archon and any other relevant valid, up-to-date and complete contact and billing details required by Archon and, if the Customer provides:
- its credit card details to Archon, the Customer hereby authorises Archon to pass on this information to its chosen payment processor Sub-contractor to bill and deduct the Subscription Fees automatically from such credit card:
- on the Effective Date for the Subscription Fees payable in respect of the Initial Term; and
- unless terminated in accordance with Sections 13.4, 13.5 or 13.6, on each anniversary of the Effective Date for the Subscription Fees payable in respect of the next Renewal Period (which for monthly Subscription Plans, will be each month, and for annual Subscription Plans, will be each year).
- its credit card details to Archon, the Customer hereby authorises Archon to pass on this information to its chosen payment processor Sub-contractor to bill and deduct the Subscription Fees automatically from such credit card:
- If the Customer provides incorrect credit card (or other payment) details, or Archon is unable to bill and deduct the Subscription Fees from the credit card or other payment method provided by the Customer, Archon shall notify the Customer and may allow them a discretionary grace period to pay any overdue Subscription Fees. If following any such discretionary grace period, Archon has still not received payment, Archon may, without liability to the Customer and without limit to any other rights and remedies of Archon, disable the Customer’s Account and access to all or part of the Software, Services, Content and the Documentation, and Archon shall be under no obligation to provide any or all of the Services while the invoice(s) and/or Subscription Fees concerned remain unpaid.
- All amounts and fees stated or referred to in this Agreement:
- shall be payable in US dollars (USD);
- are, non-refundable; and
- are exclusive of applicable taxes and duties, however designated or levied, which shall be added to Archon’s invoice(s) at the appropriate rate(s) and paid by Customer.
- To clarify in respect of Section 10.4.2 above, no refund will be given if the Customer’s Subscription Plan is terminated or cancelled in accordance with this Agreement. Further if the Customer initiates any downgrade in respect of its Subscription Plan or the removal of any Add-On, fee or price reductions, if any, associated with these actions will take effect in the Customer’s next Renewal Period and not before then.Archon shall be entitled to increase the Subscription Fees at any time during the Subscription Term, and in any Renewal Period, upon 90 days’ prior notice to the Customer. If the Customer does not accept the new Subscription Fees for its Subscription Plan, it may cancel or change its Subscription Plan in accordance with the terms and conditions of this Agreement.
Confidentiality
- The Customer and Archon each agree to keep confidential and not to disclose to any third party (other than to the Permitted Recipients, under equivalent obligations of confidentiality) any information relating to the other’s past, present and future research, development, business activities, products, services and technical knowledge, disclosed in connection with the Services, any Data and Documentation and which is identified by the disclosing party as confidential information or which a reasonable person would deem to be confidential under the circumstances (“Confidential Information“).
- The Customer and Archon each agree:
- not to make use of any Confidential Information of the other party for any purpose other than:
- using or providing the Customer Data, the Software, Services, Content and/or Documentation in accordance with this Agreement; or
- as required by relevant Laws;
- not to copy or reproduce any Confidential Information without the disclosing party’s prior written consent except as reasonably needed to perform its obligations under this Agreement. The receiving party agrees to protect the Confidential Information of the disclosing party in the same manner that it protects its own similar Confidential Information, but in no event using less than a reasonable standard of care.
- not to make use of any Confidential Information of the other party for any purpose other than:
- The obligations of confidentiality and non-use set out in this Section 11 shall not apply to any Confidential Information where the receiving party can demonstrate that the Confidential Information concerned:
- is or becomes publicly known through no breach of this Section 11;
- is lawfully received from an independent third party which was not, to the receiving party’s knowledge, under an obligation not to disclose such information;
- is already known to the receiving party with no obligation of confidentiality at the date it was disclosed by or obtained from the disclosing party;
- is disclosed without restriction by the disclosing party to any third party; or
- is independently developed by or for it without use of the other party’s Confidential Information.
- The receiving party may disclose the disclosing party’s Confidential Information if disclosure is required by Law as ordered or required by a Governmental or Regulatory Authority acting within the scope of its proper authority; however, the receiving party shall, to the extent permitted by Law and practicable, notify the disclosing party in advance of such disclosure, and provide the disclosing party with copies of any information anticipated to be disclosed so that the disclosing party may take appropriate action to seek to protect its Confidential Information.
- For the avoidance of doubt, Archon has not and does not agree to treat as confidential any suggestion, feedback, or idea provided by the Customer (“Feedback“), and nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict Archon’s right to use, profit from, disclose, publish, or otherwise exploit any Feedback, without compensation to the Customer.
- This Section 11 shall survive termination or expiry of the Agreement.
Data and Protected data
- Archon shall follow its standard archiving procedures for the Customer Data. In the event of any loss or damage to the Customer Data, the Customer’s sole and exclusive remedy shall be for Archon to use reasonable endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by Archon in accordance with its archiving procedure. Notwithstanding the foregoing, Archon shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party.
- Where Customer Data includes Protected Data (as defined Schedule 1 – Data Processing Schedule) relating to individuals in the United Kingdom and/or the European Economic Area (“EEA“), the provisions of the Data Processing Schedule in respect of Archon’s processing of such Protected Data will apply to the parties and the parties agree to comply with it.
- Without limit to the Customer’s responsibilities in Schedule 1 – Data Processing Schedule, the Customer shall ensure that:
- there is a legitimate purpose (or purposes) and an appropriate lawful basis for Archon’s use of Protected Data and personal information in performing the Services;
- any Protected Data and personal information provided to Archon is accurate, adequate, relevant and limited to what is necessary for those purposes and the Services;
- the relevant Protected Data and personal information shall not include any special categories of data or any sensitive personal information, except to the extent notified to and approved by Archon in advance, and the Customer shall ensure that it satisfies additional legal conditions required for use of special categories of data or sensitive personal information;
- it promptly informs Archon of any need to update, correct or delete any Protected Data or personal information, or of any exercise by a data subject or an individual of their rights which impact Archon or the Services; and
- without limit to Archon’s obligations under paragraph 2.6.3 of Schedule 1 – Data Processing Schedule, it takes steps to ensure appropriate security of Protected Data and personal information provided to Archon.
Term and termination
- Unless terminated under Sections 13.4, 13.5 or 13.6, this Agreement shall take effect on the Effective Date and continue for the period of:
- one (1) month (for monthly Subscription Plans);
- twelve (12) months (for annual Subscription Plans); or
- the period of the Customer’s Free Trial,
(the “Initial Term” as applicable).
- In relation to Free Trials, unless otherwise terminated under Sections 13.4, 13.5 or 13.6, this Agreement terminates at the end of the Initial Term for Free Trials, unless the Customer signs up for a Subscription Plan at the end of their Free Trial.
- Unless otherwise terminated under Sections 13.4, 13.5 or 13.6, on the expiry of the Initial Term, this Agreement shall automatically renew for a further period of:
- one (1) month for monthly Subscription Plans; or
- twelve (12) months for annual Subscription Plans,
(the “Renewal Period” as applicable).
- The Customer may terminate its Free Trial at any time during Customer’s Free Trial period by providing written notice to Archon or by cancelling in its Account settings.A Customer may terminate its Subscription Plan at any time on thirty (30) days’ advance notice by providing written notice to Archon, or by terminating its Subscription Plan in its Account settings. The Customer’s Subscription Plan will then end at the end of the Initial Term or Renewal Period of such plan in which the last day of thirty (30) days’ advance notice occurs (i.e., for monthly Subscription Plans at the end of the monthly period in which the notice is effective and for annual Subscription Plans, at the end of the relevant twelve month period in which the notice is effective). No refunds will be given for any unused portion of a terminated Subscription Plan.
- Archon may immediately suspend the Customer’s Free Trial or Subscription Plan and/or access or use of the Software and the Services if:
- the Customer fails to pay any amount due under this Agreement;
- the Customer or any of its Authorized Users violates any of the provisions of Sections 3, 7 or 8; or
- it is entitled to terminate the Customer’s Account under the Acceptable Use Policy,
and Archon has provided notice to the Customer of its intention to suspend with particularity and in reasonable detail, the nature of the claimed breach.
- Notwithstanding any other provision of this Agreement, and without limiting any other rights that the parties may have:
- the non-breaching party may, upon written notice to the other, terminate the Agreement (i) immediately on written notice stating, with particularity and in reasonable detail, the nature of the claimed breach if the other party materially breaches its obligations under this Agreement and the breach is not curable, and (ii) if the breach is curable, and the breaching party fails to cure such material breach within 20 days following its receipt of written notice stating, with particularity and in reasonable detail, the nature of the claimed breach, immediately after such period; or
- in compliance with applicable Law, terminate this Agreement if the other party suffers an Insolvency Event.
- On termination or expiry of this Agreement for any reason:
- all licences granted by Archon under this Agreement shall immediately terminate;
- except as set out in Sections 13.7.5 and 13.7.6, each party shall destroy and make no further use of any property and other items (and all copies of them) belonging to the other party, including Confidential Information;
- the accrued rights of the parties as at termination, or the continuation after termination of any provision expressly stated to survive or implicitly surviving termination, shall not be affected or prejudiced;
- Archon will stop charging the Customer from the date of termination (so for monthly Subscription Plans, the Customer will not be charged for any month after the month in which termination occurred, and for annual Subscription Plans, the Customer will not be charged for any annual period thereafter);
- Archon may retain (but will not use) the Data that Customer has stored in the Services (i.e., the Customer’s database) in a limited function account for a period of up to three (3) years after expiry or termination of this Agreement (except for Free Trials which do not result in a Subscription, where any Data in the Customer’s database will be deleted promptly after the end of the Free Trial). Customer may make a written request for Archon to delete the Customer’s database prior to the end of the three (3) year period. After this three (3) year period, or earlier if requested by the Customer, the Customer’s database will be deleted and destroyed in accordance with Archon’s data removal and destruction policies and practices, unless otherwise agreed with the Customer in writing;
- if the Account is in good standing and Archon receives, no later than ten (10) Business Days after the date of termination or expiry of this Agreement, a written request from the Customer, for delivery of the most recent back-up of Data in the Customer’s database, Archon shall use reasonable commercial efforts to deliver the back-up to the Customer within 30 Business Days of its receipt of such a written request (provided that the Customer has, at that time, paid all Subscription Fees and charges outstanding at and resulting from termination (whether or not due at the date of termination)) in a .csv file delivered electronically; and
- any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the Agreement which existed at or before the date of termination shall not be affected or prejudiced.
- Unless terminated under Sections 13.4, 13.5 or 13.6, this Agreement shall take effect on the Effective Date and continue for the period of:
Indemnities
- To the maximum extent permitted by Law, the Customer shall defend, indemnify and hold harmless Archon against all Losses arising out of or in connection with the:
- use of the Customer Data by Archon in accordance with the terms of this Agreement;
- contractual or other relationship between Customer and its customers, suppliers and service providers; and/or
- the Customer or its Authorized Users’ use of the Services, Software and/or Documentation other than in accordance with the terms of the Agreement, the Acceptable Use Policy and/or the Documentation, including in respect of any actual or alleged claims that such Customer or its Authorized Users’ use of the Services, Software and/or Documentation infringes any third party Intellectual Property Rights.
- In relation to any claim which gives rise or may give rise to any Loss in respect of which the Customer shall indemnify Archon under Section 14.1:
- Archon shall give the Customer prompt notice of any such claim;
- Archon shall provide reasonable cooperation to the Customer in the defence and settlement of such claim, at the Customer’s expense; and
- the Customer shall be given sole authority to defend or settle the claim, provided it shall do so in a manner which does not adversely affect Archon and regularly updates Archon on the progress of the claim including the terms of any settlement.
- Archon shall indemnify the Customer against any third party claim made against the Customer that the Customer’s use of the Software, Services or Documentation in accordance with this Agreement infringes the third party’s registered patent or copyright or trademark, and shall indemnify the Customer for any amounts awarded against the Customer in judgment or settlement of such claims, provided that:
- Archon is given prompt notice of any such claim;
- the Customer does not make any admission, or otherwise attempt to compromise or settle the claim and provides reasonable co-operation to Archon in the defence and settlement of such claim, at Archon’s expense; and
- Archon is given sole authority to defend or settle the claim.
- In the defence or settlement of any claim, Archon may procure the right for the Customer to continue using the Services, replace or modify the Services so that they become non-infringing or, if such remedies are not reasonably available, terminate this Agreement and the associated Subscription on five (5) Business Days’ notice to the Customer without any additional liability or obligation to pay liquidated damages or other additional costs to the Customer.
- In no event shall Archon, its employees, agents and/or Sub-contractors be liable to the Customer to the extent that the alleged infringement is based on:
- Customer Data; or
- a modification of the Services or Documentation by anyone other than Archon; or
- the Customer’s use of the Services or Documentation in a manner contrary to their intended purpose or to the instructions given to the Customer by Archon; or
- the Customer’s use of the Services or Documentation after notice of the alleged or actual infringement from Archon or any appropriate authority.
- The foregoing states the Customer’s sole and exclusive rights and remedies, and Archon’s (including Archon’s directors’, officers’, employees’, agents’ and Sub-contractors’) entire obligations and liability, for infringement of any Intellectual Property Rights.
- To the maximum extent permitted by Law, the Customer shall defend, indemnify and hold harmless Archon against all Losses arising out of or in connection with the:
Limitation of liability
- Except as expressly provided in this Agreement, the Customer assumes sole responsibility for results obtained from the use of the Software or Services by the Customer, and for conclusions drawn from such use. Archon shall have no liability for any damage caused by errors or omissions in any Content, Documentation, information, Data, instructions or scripts provided to Archon by the Customer in connection with the Services, or any actions taken by Archon at the Customer’s direction.
- Nothing in this Agreement excludes the liability of Archon:
- for death or personal injury caused by Archon’s negligence; or
- for fraud or fraudulent misrepresentation.
- Nothing in this Agreement excludes liability of the Customer for any breach, infringement or misappropriation of Archon’s Intellectual Property Rights.
- Subject to Sections 15.2, 15.5, 15.6 and 15.7, Archon’s aggregate liability (whether in contract, tort (including negligence) or otherwise) in respect of all Losses arising under or in connection with this Agreement shall be limited to an amount equivalent to the Subscription Fees received by Archon in the three (3) month period immediately prior to the event giving rise to the liability.
- Archon’s aggregate liability under the indemnity in Section 14.3 shall be limited to Can$500,000 (five hundred thousand Canadian dollars).
- Archon’s aggregate liability arising in relation to,
- all data protection claims under Section 12 (including any DP Losses as defined in Schedule 1), and
- any and all Losses related to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, access to, or a breach of security of, personal information,
shall be limited to four times the total amount of fees the Customer has paid to the Archon during the one (1) year preceding the event giving rise to the liability.
- Archon shall not under any circumstances be liable to the Customer, whether in contract, tort (including negligence) or otherwise, and whether or not Archon was or should have been aware or advised of the possibility of such loss or damage, for any:
- loss of business or business interruption;
- loss of profits or revenue;
- loss of income or anticipated savings;
- loss or corruption of Customer Data or Customer Systems;
- loss or depletion of goodwill, business opportunity or reputation or similar Losses;
- pure economic loss;
- special, exemplary or punitive damages; or
- any indirect, incidental or consequential loss or damage.
- This Section 15 shall survive termination or expiration of the Agreement.
ARCHON’S Warranties
- Archon warrants that:
- it is a corporation duly incorporated, validly existing under the Laws of the Province of Ontario and its entering into the Agreement has been duly authorised; and
- it has in place the licences or consents required from third parties to enable it to provide the Services.
- THE SOFTWARE, SERVICES, CONTENT AND THE DOCUMENTATION ARE PROVIDED TO THE CUSTOMER ON AN “AS IS” BASIS AND ARCHON DOES NOT GUARANTEE OR WARRANT THAT THE SOFTWARE OR THE SERVICES WILL BE ERROR-FREE, UNINTERRUPTED OR SUITABLE FOR THE CUSTOMER’S PURPOSES. WITHOUT LIMITING THE FOREGOING, TO THE FULLEST EXTENT PERMITTED BY LAWS, NO REPRESENTATIONS, WARRANTIES OR CONDITIONS, WHETHER EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, MERCHANTABLE QUALITY, ORIGINALITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, ARE PROVIDED.
- Archon is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of Customer Data over communications networks and facilities, including the Internet. The Customer acknowledges that the Software, Services, Content and Documentation may be subject to limitations, delays and other problems inherent in the use of such communications facilities and that as the Services have not been developed to meet its individual requirements, it is the Customer’s responsibility to ensure that of the Services as described in the Documentation and/or any description of the Services meet its requirements.
- For the avoidance of doubt, the foregoing gives you specific legal rights and does not exclude any rights you may have under applicable Law in the country you are accessing the Services from. For breach of any of the warranties above, or imposed by Law which cannot be excluded, Archon will remit a service fee credit in respect of the Account calculated at ten percent (10%) of the Subscription Fees paid by the Customer for the Services for the month in which the breach occurred. The credit will be provided only towards any outstanding balance for the Services owed by the Customer to Archon, and the remittance of such credit will represent the Customer’s exclusive remedy and Archon’s sole liability for all breaches of any such warranty.
- Except as expressly stated in this Agreement, there are no conditions, warranties, representations or other terms, express or implied, statutory or otherwise that are binding on Archon. Any clause, condition, warranty, representation or other term concerning the supply of the Software, Services, Content or Documentation which might otherwise be implied into, or incorporated in this Agreement whether by statute, common Law or otherwise, is excluded to the fullest extent permitted by Law.
- Archon warrants that:
Assignment
- Neither party may assign, novate or otherwise transfer any benefit or obligation arising under this Agreement without the prior written consent of the other party (not to be unreasonably withheld or delayed). Notwithstanding the foregoing, either party may assign all of its rights and/or obligations under this Agreement:
- to any one of its Affiliates in the event of a bona fide reorganisation, reconstruction, merger or amalgamation of Archon or the Customer (as applicable);
- to any entity that acquires all or substantially all of the assets of such party or to successor in an amalgamation, merger or acquisition of such party,
subject to the assigning party provide the other party notice of the assignment promptly after completion of the transaction giving rise to such an assignment.
- Neither party may assign, novate or otherwise transfer any benefit or obligation arising under this Agreement without the prior written consent of the other party (not to be unreasonably withheld or delayed). Notwithstanding the foregoing, either party may assign all of its rights and/or obligations under this Agreement:
Force majeure
- Archon shall have no liability to the Customer under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, providing the Services or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including strikes, lock-outs or other industrial disputes (whether involving the workforce of Archon or any other entity), failure of a utility service or transport, failures or fluctuations in electrical power or telecommunications service, telecommunications network or other equipment, expropriation, condemnation of facilities or destruction, in whole or part, of the equipment or property necessary to perform the Services, internet service provider failure or delay, act of God, war, riot, civil commotion, pandemic, epidemic, malicious damage, compliance with any Laws or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of service providers or Sub-contractors.
Notices
- Archon may provide communications and/or notices to the Customer electronically, including via email, instant messaging, through the Customer’s Account for the Services, through the Services portal and/or via its website at [https://www.inflowinventory.com/cloud-notices]; and is effective as of the date sent or posted by Archon unless stated otherwise in the communication.
- The Customer shall provide services related communications and/or notices to Archon via email support@archonsystems.com, or by any other method notified by Archon to the Customer. In respect of any claim for Losses or contract dispute such notice must be marked urgent, and it must also be made by way of courier or personal deliver to Archon’s principal place of business at 260 Carlaw Avenue, Unit 207, Toronto, Ontario, M4M 3L1 to the attention of the Chief Executive Officer.
- Any notice shall be deemed to have been received:
- if sent by email and/or instant message, at the time of transmission delivery confirmed, or, if this time falls outside Business Hours in the place of receipt, when Business Hours resume; or
- if posted on Archon’s website or in an Account, at the time it is posted and made available to the Customer on that website or in the Account.
Third party rights
- For the purposes of any applicable Laws regarding third party contract rights, this Agreement is not intended to and does not give any person who is not a party to it any right to enforce any of its provisions, provided that this does not affect any right or remedy of such a person that exists apart from that legislation. The parties do not intend that there be any third party beneficiaries to this Agreement.
Entire agreement
- This Agreement, the Privacy Policy and the Acceptable Use Policy, constitute the complete and exclusive statement of the agreement between the parties as to the subject matter hereof and supersede and cancel all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter, notwithstanding any other oral or written statement made or provided by either party, including, to, any statement, invoice, sales order, purchase order, or other similar document or record which shall be for Customer’s administrative purposes only and shall not alter the terms or conditions of this Agreement.
- No party shall have any liability or remedy in respect of any representation, warranty or other statement (other than those contained in this Agreement or the Acceptable Use Policy) being false, inaccurate or incomplete unless it was so made fraudulently, wilfully or deliberately.
- Each party acknowledges and agrees that in entering into this Agreement it places no reliance on any representation, warranty or other statement relating to the subject matter of this Agreement other than as expressly set out in this Agreement or the Acceptable Use Policy.
General
- Nothing in this Agreement, and no action taken by the parties under it, shall be deemed to constitute a partnership or joint venture, agency nor a relationship of employer and employee.
- Each of the provisions of this Agreement is severable. If a provision is held to be or becomes illegal, invalid or unenforceable in any respect under the Law of any jurisdiction, then:>
- to the extent that it is illegal, invalid or unenforceable, it shall be deemed not to be included in this Agreement, it shall not affect or impair the legality, validity or enforceability in that jurisdiction of the other provisions of this Agreement, or of that or any provisions of this Agreement in any other jurisdiction; and
- the parties shall use all reasonable endeavours to replace it with a valid and enforceable substitute provision or provisions, with an effect as close as possible to the intended effect of the illegal, invalid or unenforceable provision.
- No right, power or remedy provided by Law or under this Agreement shall be waived, impaired or precluded by:
- any delay or omission to exercise it; or
- any single or partial exercise of it on an earlier occasion; or
- any delay or omission to exercise, or single or partial exercise, of any other such right, power or remedy.
- Any waiver of any right, power or remedy under this Agreement must be in writing and may be given subject to any conditions thought fit by the grantor. No waiver will take effect if the person seeking the waiver has failed to disclose to the grantor every material fact or circumstance which (so far as the person seeking the waiver is aware) has a bearing on its subject matter. Unless otherwise expressly stated, any waiver shall be effective only in the instance and only for the purpose for which it is given.
- Each party shall perform, or procure the performance of, all further acts and things, and shall deliver, or procure the execution and delivery of further documents which are required by or are necessary or reasonably desirable to give effect to the terms of this Agreement.
- Archon may modify any term of this Agreement on notice to Customer. In general, modifications will not apply retroactively and will become effective no sooner than seven (7) days after they are posted. However, changes addressing new functions for the Services or changes made for legal reasons will be effective immediately. If Customer does not agree to the modified terms you should discontinue your use of the Services and terminate your Subscription.
Dispute resolution procedure
- If any dispute arises in connection with this Agreement, a representative of each party with authority to settle the dispute will, within thirty (30) days of a written request from one party to the other, meet online in good faith in an effort to resolve the dispute. If the dispute is not resolved at that meeting, either party may commence legal proceedings. The parties hereby agree to waive any right to a jury trial with respect to any action brought in connection with this Agreement.
- Nothing in Section 23.1 shall prevent either party from seeking urgent injunctive relief.
Governing law and jurisdiction
- This Agreement will be governed by and interpreted in accordance with the Laws of the Province of Ontario without regard to its conflict of laws provisions, and of Canada applicable therein.
- Each party irrevocably submits to the exclusive jurisdiction of the courts of Ontario, Canada in the Greater Toronto Area over any claim, dispute or matter arising under or in connection with this Agreement or its enforceability or the legal relationships established by this Agreement (including non-contractual disputes or claims), for a trial without jury, and waives any objection to proceedings in such courts on the grounds of venue or on the grounds that proceedings have been brought in an inconvenient forum.
Schedule 1 – DATA PROCESSING Schedule
Definitions and Interpretation
- The definitions and rules of interpretation in this paragraph 1 apply throughout this Schedule 1:
- “Applicable Data Protection Law” means the law, enactment, regulation, regulatory policy, by law, ordinance or subordinate legislation relating to the processing, privacy, and use of Personal Data, that applies to the parties and/or the Services, consisting of, (a) the Data Protection Act 2018 (“DPA 2018“) (b) the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “EU GDPR“) (c) the EU GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the “UK GDPR“); and (d) any judicial or administrative interpretation of any of the above, and any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority, in each case, as in force and applicable, and as amended, supplemented or replaced from time to time;
- “Applicable Laws” means any applicable: (a) statute, regulation, regulatory requirement, by-law, ordinance, subordinate legislation and Industry Code which applies to the provision of the Services, including any applicable accounting standards and regulations, or other law or mandatory guidance or code of practice (including in each case any judicial or administrative interpretation of it), in force from time to time in any applicable jurisdiction; and (b) judgment of a relevant court of law, and sanction, directive, order or requirement of any regulatory authority (including any Supervisory Authority);
- “Complaint” means a complaint relating to either party’s obligations under Applicable Data Protection Laws relevant to this Schedule, including any compensation claim from a Data Subject and any notice, investigation or other action from a Supervisory Authority or any other regulatory or judicial body of competent jurisdiction;
- “Controller” (or data controller), “Processor” (or data processor), “Data Subject“, “data protection impact assessment“, “international organisation”, “Personal Data” and “processing” all have the meanings given to them in Applicable Data Protection Law (and related terms like “process” shall have corresponding meanings);
- “Data Subject Request” means a request made by a data subject to exercise any right(s) afforded to data subjects under Applicable Data Protection Laws in respect of their own Protected Data;
- “DP Losses” means all liabilities, including: (a) costs (including legal costs), claims, demands, actions, settlements, charges, procedures, expenses, losses and damages; and (b) to the extent permitted by Applicable Laws and Applicable Data Protection Law: (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority or any other relevant regulatory authority; (ii) compensation to a Data Subject ordered by a Supervisory Authority, court or other tribunal of competent jurisdiction; and (iii) the costs of compliance with investigations by a Supervisory Authority or any other relevant regulatory authority;
- “Personnel” means all directors, officers and employees, of Archon who are engaged in the provision of the Services from time to time;
- “Protected Data” means Personal Data received from or on behalf of the Customer, or otherwise obtained or created for the Customer, in connection with this Schedule, and includes the Personal Data set out in Part A of Appendix 1;
- “Security Incident” means an incident which resulted in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, access to, a breach of security of, Protected Data;
- “Sub-Processor” means another processor engaged by Archon for carrying out processing activities in respect of the Protected Data on behalf of the Customer and authorised by the Customer in accordance with paragraph 2.7;
- “Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering the Applicable Data Protection Law;
Data Protection
- Controller / Processor Status and Obligations
- Each party shall comply with Applicable Data Protection Laws and its obligations under this Schedule.
- As at the date of this Schedule, the parties acknowledge and agree that in respect of the Protected Data, the Customer shall be a Controller and Archon shall be a Controller or a Processor depending on the processing activity. If and to the extent:
- Archon processes any Protected Data as Processor on behalf of the Customer, paragraphs 2.1, 2.2, 2.5 to 2.12 (inclusive) of this Schedule shall apply to such processing; and
- Archon processes any Protected Data as Controller, paragraphs 2.1, 2.3, and 2.4 (inclusive) and paragraph 2.12 of this Schedule shall apply to such processing.
- Each party shall implement and maintain, at its own cost and expense, appropriate technical and organisational measures in relation to its processing of Protected Data.
- Each party agrees to provide the other party with information, assistance and co-operation in relation to: (a) any Complaint; or (b) any Data Subject Request in relation to the Protected Data that may be held by both of them.
- The Customer shall ensure that:
- the Customer is entitled to transfer the Protected Data to Archon so that Archon may lawfully process the Protected Data in accordance with this Schedule on the Customer’s behalf; and
- the users and any relevant third parties have been informed of, and, where applicable, have given their consent to, such processing as required by all Applicable Data Protection Law.
- Where Archon processes Protected Data on behalf of the Customer, Archon shall:
- inform the Customer of any requirement under Applicable Laws that would require Archon to process the Protected Data other than only on the Processing Instructions, or if any the Customer instruction does not comply with Applicable Data Protection Laws, unless prohibited by Law;
- require that Personnel processing Protected Data have agreed to keep personal data confidential;
- implement and maintain appropriate technical and organisational measures for the processing of Protected Data at a level of security in respect of Protected Data appropriate to the risks of the processing;
- put in place and maintain appropriate technical and organisational measures to assist the Customer with the Customer’s obligations to respond to Data Subject Requests;
- unless prohibited by Applicable Law inform the Customer if it receives a Data Subject Request and provide the Customer with details of such Data Subject Request at cost to the Customer; and
- at the Customer’s written request, delete Protected Data after the end of the provision of the Services related to processing under this Agreement, unless Laws require storage of the personal data.
- Sub-Processors:
- The Customer agrees that Archon may use Sub-Processors to fulfil its contractual obligations under this Agreement or to provide certain services on its behalf, such as providing support services. A list of Sub-Processors that Archon currently uses is attached in Part B of Appendix 1 of this Schedule, which it may update from time to time.
- Archon shall appoint any new Sub-Processor under a written contract which imposes similar data protection obligations as are contained in this Schedule on the Sub-Processor, for engaging another Processor.
- Archon shall at the Customer’s cost provide reasonable assistance to the Customer to ensure compliance with the Customer’s obligations under Applicable Data Protection Laws with respect to:
- security of processing;
- notification by the Customer of breaches to the Supervisory Authority or Data Subjects; and
- data protection impact assessments and prior consultation with a Supervisory Authority regarding high risk processing,
in each case taking into account the nature of the processing and the information available to Archon.
- Transfers
- Without limit to paragraph 2.9.2 below, the Customer acknowledges and agrees that the Protected Data may be transferred or otherwise processed outside the country where the Customer and the Authorized Users are located in order to carry out the Service and Archon’s obligations under this Schedule.
- Archon shall ensure that any international transfer (and any onward transfer) of Protected Data is effected by way of a legally enforceable mechanism for transfers of Personal Data as permitted under Applicable Data Protection Laws from time to time.
- At the Customer’s written request and cost, but no more than annually, Archon shall provide the Customer with a confidential audit report providing an attestation of compliance with Archon’s security policies and standards. This report will constitute Archon’s Confidential Information under the confidentiality provisions of this Agreement.
- In respect of any Security Incident related to this Schedule, Archon shall notify the Customer of the breach without undue delay after becoming aware of the Security Incident and provide the Customer with details relating to the breach so that the Customer can fulfil any breach reporting obligations it may have under Applicable Data Protection Legislation.
- The Customer shall indemnify and keep indemnified Archon in respect of all DP Losses suffered or incurred by, awarded against or agreed to be paid by, Archon arising from or in connection with any breach by the Customer of its obligations under this Schedule or Applicable Data Protection Laws.
Appendix 1
Part A
Data Processing Details
- Subject-matter of Processing:
The Data accessed from inventory management software and other sources. The scope of this Data covers inFlow® On-Premise and inFlow Inventory™ Services as used by the Customer. - Duration of the Processing:
For the duration of the Services under the Agreement, and the periods noted below.Archon may retain the Data that Customer has stored in the Services (i.e., the Customer’s database) in a limited function account for a period of up to three (3) years after expiry or termination of this Agreement (except for Free Trials which do not result in a Subscription, where any Data in the Customer’s database will be deleted promptly after the end of the Free Trial). After the three (3) year period, the Customer’s database will be deleted and destroyed in accordance with Archon’s data removal and destruction policies and practices, unless otherwise agreed with the CustomerProcessing of Protected Data pertaining to the Authorized Users and the Customer by Archon ceases upon expiry or termination of the Agreement, but may be retained and if necessary used, following expiry or termination to enable Archon to manage its legal matters and for accounting and tax reporting requirements, generally for a period of up to seven (7) years.
- Nature and Purpose of the Processing; Restrictions on Processing:
- Data input by Customer and its Authorized Users related to Customer inventory and sales is stored and processed by the Archon for the purposes of providing its Services to Customer.
- In addition, Archon does:
- carry out research, analysis and/or profiling activity involving any element of Protected Data (including in aggregate form) or any information derived from any processing of such Protected Data; and/or
- process the Protected Data (including in aggregate form) for the purposes of marketing, ‘insights’ or commercialization.
- Type of Personal Data
Personal Data used by Archon to provide its inventory services, IT support and a platform for sales. This may include:- identifiers, such as first name, last name, address, phone number, e-mail address; and
- IP address and geographic location of IP address.
- Categories of Data Subjects:
- Individuals who are Authorized Users
- Grand-customers (i.e., customers of Customer)
- Technical and Organisational Security Measures
- The controls the Archon shall implement include:
- Enforced password format
- Multi-Factor Authentication (MFA) on supported services
- Strong file permission access controls
- Security software updates to all computers and servers
- Data encryption at rest and in transit
- Encrypted VPN access
- SSL Certificates on external websites
- Regularly maintained firewall and anti-virus control
- Critical server infrastructure located in an independent hardened datacentre
- Disaster Recovery capabilities through a recovery centre
- New employee induction process
- Staff vetting where appropriate
- The controls the Archon shall implement include:
Part B
LIST OF SUB-PROCESSORS
Permitted Sub-Processors and Transfers
|
|
|
Microsoft Corporation | Azure, for hosting and processing inFlow Inventory™ account data, and tracking Usage of all inFlow Inventory™ applications and services | USA |
Aircall | Dialler. To call persons who have registered for trials and visitors to marketing website | USA, France |
Drip | Marketing emails if registered for an inFlow® account or any other inFlow® services | USA |
HubSpot | Client Relationship Management. Email, call, book meetings, and track customer lifecycle | USA |
Custify | Customer support and related ticketing | USA, Romania |
ProductBoard | Customer contact to follow up on feature requests | USA |
Zoom | Video meetings | USA |
Slack | Internal Archon communications | USA |
Google Workspace | Email, Calendar and office apps | USA |
Microsoft PowerBI | Database analytics | USA |
FullStory | Record user sessions for user experience improvement purposes | USA |
SendGrid | For sending transactional emails to users and email validation | USA |
Stripe | Credit Card Payment processor for fees and other charges | USA |
Google Analytics | Websites analytics | USA |
Chorus.ai from ZoomInfo Technologies, LLC | Call transcription and analysis | USA |
HotJar | Website usage patterns and optimization | USA, Malta |
Partnerstack | Management of inFlow® referral partners | USA, Canada |
Freshworks | Customer support and related ticketing | USA |
Blackhawk Network (Canada) Ltd. | Customer gifts and rewards | Canada |
Shopify | Online store | USA |
Osano | Privacy compliance and cookie management | USA |
Appendix 2
Standard Contractual Clauses
CONTROLLER-TO-PROCESSOR TRANSFERS
- PURPOSE AND SCOPE
- The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
- The Parties:
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter “Clauses”).
- These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
- The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
- EFFECT AND INVARIABILITY OF THE CLAUSES
- These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
- These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
- THIRD-PARTY BENEFICIARIES
- Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8(b), 8(m), (o), (p) and (q);
- Clause 9(a), (c), (d) and (e);
- Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15(a), (d) and (e);
- Clause 16(e)
- Clause 18(a) and (b).
- Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
- Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- INTERPRETATION
- Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
- These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
- These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
- HIERARCHYIn the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
- DESCRIPTION OF THE TRANSFER(S)The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
- OPTIONALNot used
Part B
OBLIGATIONS OF THE PARTIES
- DATA PROTECTION SAFEGUARDSThe data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.Instructions
- The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
- The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
Purpose limitation
- The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
Transparency
- On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
Accuracy
- If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
Duration of processing and erasure or return of data
- Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
Security of processing
- The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
- The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
Sensitive data
- Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
Onward transfers
- The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
- the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
- the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
- the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
- the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
Documentation and compliance
- The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
- The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
- The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
- The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
- The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
- USE OF SUB-PROCESSORS
- The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
- Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8(l). The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
- The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
- The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
- The data importer shall agree a third -party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
- DATA SUBJECT RIGHTS
- The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
- The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
- In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
- REDRESS
- The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
- In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
- Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
- lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
- refer the dispute to the competent courts within the meaning of Clause 18.
- The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
- The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
- The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
- LIABILITY
- Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
- The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
- Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
- The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
- Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
- The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
- The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
- SUPERVISION
- Where the data exporter is established in an EU Member State: The super visory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
- Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
- Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
- The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
Part C
LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
- LOCAL LAWS AND PRACTICES AFFECTING COMPLIANCE WITH THE CLAUSE
- The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
- The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
- the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
- the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
- any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
- The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
- The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
- The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
- Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
- OBLIGATIONS OF THE DATA IMPORTER IN CASE OF ACCESS BY PUBLIC AUTHORITIESNotification
- The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
- receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
- becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
- If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
- Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
- The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
- Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
Review of legality and data minimisation
- The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e)
- The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
- The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
- The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
Part D
FINAL PROVISIONS
- NON-COMPLIANCE WITH THE CLAUSES AND TERMINATION
- The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
- In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
- The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- the data importer is in substantial or persistent breach of these Clauses; or
- the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
- Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
- Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
- GOVERNING LAWThese Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Portugal.
- CHOICE OF FORUM AND JURISDICTION
- Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
- The Parties agree that those shall be the courts of Portugal.
- A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
- The Parties agree to submit themselves to the jurisdiction of such courts.
ANNEX I
- LIST OF PARTIES
Data exporter(s):Name: The entity identified as "the Customer" in the Agreement.Address: The address for the Customer specified in the AgreementContact person's name, position and contact details: The contact details as specified in the Agreement.Activities relevant to the data transferred under these Clauses: The activities specified in the DPA.Role (controller / processor): ControllerData importer(s):Name: "Archon" as identified in the Agreement.Address: The address for Archon specified in the Agreement.Contact person's name, position and contact details: The contact details for Archon specified in the Agreement.Activities relevant to the data transferred under these Clauses: The activities specified in the DPA.Role (controller / processor): Processor
- DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferredCategories of data subjects are specified in the DPA.Categories of personal data transferredThe personal data is described in the DPA.Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measuresNone.The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)Continuous.Nature of the processingThe nature of the processing is described in Schedule 1 of the DPA.Purpose(s) of the data transfer and further processingTo provide the Services.The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that periodNot applicable because the data exporter determines the duration of processing in accordance with the terms of the DPA.For transfers to (sub-) processors, also specify subject matter, nature and duration of the processingThe subject matter, nature and duration of the processing are described in Schedule 1 of the DPA.
- COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13.The data exporter's competent supervisory authority will be determined in accordance with the Applicable Data Protection Laws.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons
The technical and organizational measures (including any certifications held by the data importer) as well as the scope and the extent of the assistance required to respond to data subjects’ requests, are described in the DPA.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
The technical and organisational measures that the data importer will impose on sub-processors are described in the DPA.
ANNEX III
LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors listed in Appendix 1.
ANNEX IV
ADDITIONAL CLAUSES
None.
Appendix 3
Standard Contractual Clauses
Part A
Controller-to-Controller Transfers
- PURPOSE AND SCOPEThe purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
- The Parties:
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
- These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
- The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
- The Parties:
- EFFECT AND INVARIABILITY OF THE CLAUSES
- These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
- These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
- THIRD-PARTY BENEFICIARIES
- Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8(n) and Clause 8(t)
- N/A
- Clause 12(a) and (d);
- Clause 13;
- Clause 15(c), (d) and (e);
- Clause 16(e)
- Clause 18(a) and (b).
- Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
- Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- INTERPRETATION
- Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
- These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
- These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
- HIERARCHYIn the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
- DESCRIPTION OF THE TRANSFER(S)The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
- OPTIONALNot used.
Part B
OBLIGATIONS OF THE PARTIES
- DATA PROTECTION SAFEGUARDSThe data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.Purpose limitation
- The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:
- where it has obtained the data subject’s prior consent;
- where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
- where necessary in order to protect the vital interests of the data subject or of another natural person.
Transparency
- In order to enable data subjects to effectively exercise their rights pursuant to Clause 10, the data importer shall inform them, either directly or through the data exporter:
- of its identity and contact details;
- of the categories of personal data processed;
- of the right to obtain a copy of these Clauses;
- where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore pursuant to Clause 8(r).
- Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter, or providing the information proves impossible or would involve a disproportionate effort for the data importer. In the latter case, the data importer shall, to the extent possible, make the information publicly available.
- On request, the Parties shall make a copy of these Clauses, including the Appendix as completed by them, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
- Paragraphs (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
Accuracy and data minimisation
- Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.
- If one of the Parties becomes aware that the personal data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
- The data importer shall ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.
Storage limitation
- The data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation of the data and all back-ups at the end of the retention period.
Security of processing
- The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
- The Parties have agreed on the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
- The data importer shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.
- In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the data importer shall without undue delay notify both the data exporter and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the data importer to provide all the information at the same time, it may do so in phases without undue further delay.
- In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), points ii) to iv), unless the data importer has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.
- The data importer shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.
Sensitive data
- Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter ‘sensitive data’), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.
Onward transfers
- The data importer shall not disclose the personal data to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:
- it is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
- the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
- the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter;
- it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;
- it is necessary in order to protect the vital interests of the data subject or of another natural person; or
- where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
Processing under the authority of the data importer
- The data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions.
Documentation and compliance
- Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility.
- The data importer shall make such documentation available to the competent supervisory authority on request.
- The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:
- USE OF SUB-PROCESSORSN/A
- DATA SUBJECT RIGHTS
- The data importer, where relevant with the assistance of the data exporter, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request. The data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.
- In particular, upon request by the data subject the data importer shall, free of charge:
- provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to Clause 8(r); and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12(c)(i);
- rectify inaccurate or incomplete data concerning the data subject;
- erase personal data concerning the data subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the data subject withdraws the consent on which the processing is based.
- Where the data importer processes the personal data for direct marketing purposes, it shall cease processing for such purposes if the data subject objects to it.
- The data importer shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter ‘automated decision’), which would produce legal effects concerning the data subject or similarly significantly affect him/her, unless with the explicit consent of the data subject or if authorised to do so under the laws of the country of destination, provided that such laws lays down suitable measures to safeguard the data subject’s rights and legitimate interests. In this case, the data importer shall, where necessary in cooperation with the data exporter:
- inform the data subject about the envisaged automated decision, the envisaged consequences and the logic involved; and
- implement suitable safeguards, at least by enabling the data subject to contest the decision, express his/her point of view and obtain review by a human being.
- Where requests from a data subject are excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.
- The data importer may refuse a data subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679.
- If the data importer intends to refuse a data subject’s request, it shall inform the data subject of the reasons for the refusal and the possibility of lodging a complaint with the competent supervisory authority and/or seeking judicial redress.
- REDRESS
- The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
- In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
- Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
- lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
- refer the dispute to the competent courts within the meaning of Clause 18.
- The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
- The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
- The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
- LIABILITY
- Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
- Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
- Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
- The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
- The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
- SUPERVISION
- Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
- The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
Part C
LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
- LOCAL LAWS AND PRACTICES AFFECTING COMPLIANCE WITH THE CLAUSES
- The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
- The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
- the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
- the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
- any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
- The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
- The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
- The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
- Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
- OBLIGATIONS OF THE DATA IMPORTER IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Notification- The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
- receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
- becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
- If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
- Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
- The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
- Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
Review of legality and data minimisation
- The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
- The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
- The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
- The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
Part D
FINAL PROVISIONS
- NON-COMPLIANCE WITH THE CLAUSES AND TERMINATION
- The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
- In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
- The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- the data importer is in substantial or persistent breach of these Clauses; or
- the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
- Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
- Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
- GOVERNING LAWThese Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Portugal.
- CHOICE OF FORUM AND JURISDICTION
- Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
- The Parties agree that those shall be the courts of Portugal.
- A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
- The Parties agree to submit themselves to the jurisdiction of such courts.
Appendix 4
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1
TABLES
Table 1: Parties
Start Date | The date of this Agreement. |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) | |
Parties’ details | Full legal name: | As set out in Annex I to Appendix 2. | As set out in Annex I to Appendix 2. |
Trading name (if different): | The trading name for the Customer specified in the Agreement (if any). | None. | |
Main address (if a company registered address): | As set out in Annex I to Appendix 2. | As set out in Annex I to Appendix 2. | |
Official registration number (if any) (company number or similar identifier): | The registration number for the Customer specified in the Agreement (if any). | The registration number for Archon specified in the Agreement (if any). | |
Key Contact | Full name (optional): | As set out in Annex I to Appendix 2. | As set out in Annex I to Appendix 2. |
Job title: | As set out in Annex I to Appendix 2. | As set out in Annex I to Appendix 2. | |
Contact details including email: | As set out in Annex I to Appendix 2. | As set out in Annex I to Appendix 2. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCS | ☒ | The version of the Approved EU SCCs which this Addendum is appended to including the Appendix Information. | ||||||
OR | ||||||||
☐ | the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: | |||||||
Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time Period) | Is personal data received from the Importer combined with personal data collected by the Exporter? | ||
1 | ||||||||
2 | ||||||||
3 | ||||||||
4 |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in the Annexes to the Approved EU SCCs which this Addendum is appended to.
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: | |
☒ | Importer | |
| Exporter | |
| neither Party |
Part 2
MANDATORY CLAUSES
Entering into this Addendum
- Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
- Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
- Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Term Meaning Addendum This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. Addendum EU SCCs The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. Appendix Information As set out in Table 3. Appropriate Safeguards The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. Approved Addendum The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. Approved EU SCCs The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. ICO The Information Commissioner. Restricted Transfer A transfer which is covered by Chapter V of the UK GDPR. UK The United Kingdom of Great Britain and Northern Ireland. UK Data All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. Protection Laws As defined in section 3 of the Data Protection Act 2018. - This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
- If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
- If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
- If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re- enacted and/or replaced after this Addendum has been entered into.
Hierarchy
- Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
- Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
- Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
- This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
- together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
- Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
- this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
- Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
- No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
- The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
- References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
- In Clause 2, delete the words:”and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679″;
- Clause 6 (Description of the transfer(s)) is replaced with:”The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
- Clause 8.7(i) of Module 1 is replaced with:”it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
- Clause 8.8(i) of Modules 2 and 3 is replaced with:”the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
- References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
- References to Regulation (EU) 2018/1725 are removed;
- References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
- The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module 1, is replaced with “Clause 11(c)(i)”;
- Clause 13(a) and Part C of Annex I are not used;
- The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
- In Clause 16(e), subsection (i) is replaced with:”the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
- Clause 17 is replaced with:”These Clauses are governed by the laws of England and Wales.”;
- Clause 18 is replaced with:”Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
- The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
- The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
- If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
- From time to time, the ICO may issue a revised Approved Addendum which:
- makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
- reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
- If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
- its direct costs of performing its obligations under the Addendum; and/or
- its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Version 2.0