Data Processing Addendum

This Data Processing Addendum (DPA) is made between [DATA PROCESSOR NAME] and [CUSTOMER NAME] and applies to the Processing of Personal Data by Provider on behalf of Client (Client Personal Data) in order to provide Cloud Services and other services agreed in the [Services Agreement].

AFFILIATE ADOPTION AGREEMENT

This Affiliate Adoption Agreement (this "Agreement"), dated as of the Adoption Effective Date in the signature block below, is between [ENTITY NAME], whose principal place of business is at [ENTITY ADDRESS] ("Program Owner"), and [AFFILIATE NAME], whose principal place of business is at [AFFILIATE ADDRESS] ("Partner Affiliate").

BACKGROUND

(A) Program Owner and ${OriginalPartner_name} ("Existing Partner") have, as the original parties, entered into the Program Owner for Work Education Commercial Partner Agreement(s), including the Product Schedule(s) and the Education Partner Program Guide ("Program Guide") (collectively, and as may be amended from time to time by Program Owner and Existing Partner, the "Existing Partner Contracts"). The Existing Partner Contracts govern Existing Partner's participation in and resale and/or supply of certain Products under the Education Partner Program ("Program").

(B) Program Owner and Partner Affiliate wish to enter into agreements pursuant to which Program Owner will allow Partner Affiliate to participate in the Program under the Existing Partner Contracts (except as amended pursuant to this Agreement), subject to Partner Affiliate meeting the requirements for participation in the Program as described in the Existing Partner Contracts (including the Program Guide).

(C) Program Owner and Existing Partner have acknowledged and agreed in the Existing Partner Contracts that Partner Affiliate may participate in the Program under certain circumstances defined in the Existing Partner Contracts (including the Program Guide).

Accordingly, in consideration of the mutual promises contained in this Agreement, Program Owner and Partner Affiliate hereby agree as follows:

Amendment to [AGREEMENT NAME]

This amendment to the [AGREEMENT NAME] dated [EFFECTIVE DATE OF AGREEMENT] (the "Agreement") is made on [AMENDMENT EFFECTIVE DATE] between [PARTY A NAME], a [CORPORATE JURISDICTION] corporation with its principal place of business at [PARTY A ADDRESS] (the "[PARTY A ABBREVIATION]") and [PARTY B NAME], a [CORPORATE JURISDICTION] corporation with its principal place of business at [PARTY B ADDRESS] (the "[PARTY B ABBREVIATION]").

[COMPANY NAME]

Board Resolution

At the meeting of the Board of Directors of [COMPANY NAME] on [MEETING DATE], the following resolutions were proposed and approved by the board.

Carrier Service Agreement

This Carrier Service Agreement is entered into between [PARTY A NAME] with its principal place of business at [PARTY A ADDRESS] ("[PARTY A]") and [PARTY B NAME] with its principal place of business at [PARTY B ADDRESS] ("[PARTY B]").

RECITALS:

A. [PARTY A] provides telecommunications services and equipment identified on [ATTACHMENT], attached to this agreement.

B. [PARTY B] desires to purchase, on the terms and conditions of this agreement, telecommunications services from [PARTY A].

Secretary's Certificate / Incumbency

Filing Form: [FORM AND ACCESSION NUMBER]

File Date: 

Exhibit: 

EXECUTION VERSION

[PARTY A NAME], as [PARTY A FILING CAPACITY],

and

[PARTY B NAME], as [PARTY B FILING CAPACITY].

Subscription and Support Agreement

This Subscription and Support Agreement is entered into between [PARTY A NAME] with its principal place of business at [PARTY A ADDRESS] ("[PARTY A]") and [PARTY B NAME] with its principal place of business at [PARTY B ADDRESS] ("[PARTY B]").

The parties agree to the terms of this agreement.

Supply Agreement

This Supply Sales Agreement is made on [AGREEMENT DATE] (the "Effective Date") between [PARTY A NAME], [whose principal place of residence is at / a [CORPORATE JURISDICTION] corporation with its principal place of business at] [PARTY A ADDRESS] (the "[PARTY A ABBREVIATION]") and [PARTY B NAME], [whose principal place of residence is at / a [CORPORATE JURISDICTION] corporation with its principal place of business at] [PARTY B ADDRESS] (the "[PARTY B ABBREVIATION]").

(The capitalized terms used in this agreement, in addition to those above, are defined in section [DEFINITIONS].)

Support and Maintenance Agreement

This Support and Maintenance Agreement is entered into between [PARTY A NAME] with its principal place of business at [PARTY A ADDRESS] ("[PARTY A]") and [PARTY B NAME] with its principal place of business at [PARTY B ADDRESS] ("[PARTY B]").

The parties agree to the terms of this agreement.

Trademark License Agreement

This Trademark License Agreement is made on [EFFECTIVE DATE] (the "Effective Date") by and between [LICENSOR NAME] [whose principal place of residence is at/a [CORPORATE JURISDICTION] corporation with its principal place of business at] [LICENSOR ADDRESS] (the "Licensor") and [LICENSEE NAME], a [CORPORATE JURISDICTION] corporation with its principal place of business at [LICENSEE ADDRESS] (the "Licensee").

 Personal Data Processing

Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Provider is the Processor and that Provider will engage Sub-processors pursuant to the requirements set forth in this agreement.

Scope of Processing. Provider will process Customer Data in accordance with Customer’s Instructions. Customer instructs Provider to process Customer Data to:

provide the Services (which includes the detection, prevention, and resolution of security and technical issues) and

respond to customer support requests.

Processing Restrictions. Provider will only process Customer Data in accordance with this Agreement and will not process Customer Data for any other purpose. 

Other Services. Customer acknowledges that if it installs, uses, or enables additional products that interoperate with the Services but are not part of the Services itself, then the Services may allow such Additional Products to access Customer Data as required for the interoperation of those Additional Products with the Services. The Agreement does not apply to the processing of data transmitted to and from such other Additional Products. Such separate Additional Products are not required to use the Services and may be restricted for use as determined by Customer’s system administrator in accordance with the Agreement.

 Personal Data Processing

Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Provider is the Processor and that Provider will engage Sub-processors pursuant to the requirements set forth in this agreement.

Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

Provider’s Processing of Personal Data. Provider shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes:

processing in accordance with this agreement [and applicable Order Form(s)];

processing initiated by Users in their use of the Services; and

processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

Details of the Processing. The subject-matter of Processing of Personal Data by Provider is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 4 (Details of the Processing) to this DPA.

  Subprocessors

Authorization. Customer authorizes Provider to engage subcontractors (“Subprocessors”) to process Customer Personal Data. A list of the current Subprocessors is set out in the appropriate exhibit to this agreement.

Notification of Changes. Provider shall notify Customer in advance of any changes to the list of Subprocessors as set out in that exhibit.

Customer Objection. Within 30 days after Provider's notification of the intended change, Customer can object to the addition of a Subprocessor on the basis that such addition would cause Customer to violate applicable legal requirements. Customer's objection must be in writing and include any specific reasons for its objection and options to mitigate. If Customer does not object within such period, the Subprocessor may be commissioned to Process Customer Personal Data.

Right to Terminate. If Customer legitimately objects to the addition of a Subprocessor and Provider cannot reasonably accommodate Customer's objection, Provider shall notify Customer. Customer may, in that case, terminate the affected Services by giving Provider written notice within one month of Provider's notice. Provider shall refund a prorated portion of any pre-paid charges for the period after that termination date.

Subprocessor Obligations. Provider shall impose substantially similar data protection obligations as set out in this agreement on any approved Subprocessor before the Subprocessor begins processing any Customer Personal Data.

 Processor may not authorize any third party to process the Data.

 Transborder Data Processing

 By signing this agreement, Customer is entering into the EU Standard Contractual Clauses, as referred to in the appropriate exhibit to this agreement, with Subprocessors (“Data Importers”) established outside either the European Economic Area or countries considered by the European Commission to have adequate protection. Data Importers that are also Provider affiliates are "Provider Data Importers".

If Customer notifies Provider about another Controller and Provider does not object within 30 days after Customer's notification, Customer agrees on behalf of such other Controller(s), or if unable to agree, will procure agreement of such Controller(s), to be additional data exporter(s) of the EU Standard Contractual Clauses concluded between Provider Data Importers and Customer. Provider has procured that the Provider Data Importers accept the agreement of such other Controllers. Customer agrees and, if applicable, procures the agreement of other Controllers that the EU Standard Contractual Clauses, and any claims arising from them, are subject to the terms set forth in the Agreement, including the exclusions and limitations of liability. In case of conflict, the EU Standard Contractual Clauses will prevail.

If Provider engages a new Subprocessor that is a Provider Data Importer, Provider shall procure such new Provider Data Importer's agreement with the EU Standard Contractual Clauses and Customer on its behalf and/or on behalf of other Controllers, if applicable, agrees in advance to such Provider Data Importer being an additional data importer under the EU Standard Contractual Clauses. If Customer is unable to agree for a Controller, Customer shall procure the agreement of such Controller. If the new Data Importer is not a Provider company (Third Party Data Importer), at Provider's discretion, (i) Customer shall either enter into separate EU Standard Contractual Clauses as provided by Provider or (ii) a Provider Data Importer shall enter into a written agreement with such Third Party Data Importer which imposes the same obligations on the Third Party Data Importer as are imposed on the Provider Data Importer under the EU Standard Contractual Clauses.

 Sub-Processors

Appointment of Sub-processors. Provider may retain any of its Affiliates as Sub-processors. Provider and any Affiliates may engage third-party Sub-processors in connection with the provision of the Services. Provider and any Provider Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this agreement relating to the protection of Customer Data to the extent applicable to the nature of the services provided by such Sub-processor.

 List of Current Sub-processors and Notification of New Sub-processors. A list of current Sub-processors is set out in the appropriate exhibit to this agreement. Upon request, Provider shall make available to Customer an updated list of Sub-processors for the SCC Services with the identities of those Sub-processors and their country of location (“Updated Sub-processor List”).

 Objection Right for New Sub-processors. Customer may object to Provider’s use of a new Sub-processor by notifying Provider in writing within 10 business days after receipt of an Updated Sub-processor List. If Customer objects to a new Sub-processor, as permitted in the preceding sentence, Provider will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Provider is unable to make available such change within a reasonable period of time, but not more than 30 days, Customer may, upon written notice to Provider, terminate the applicable Order Forms that relate only to those Services that Provider cannot provide without the use of the objected-to new Sub-processor. Provider shall refund to Customer any prepaid fees covering the remainder of the term of those Order Forms following the effective date of termination of those terminated Services, without imposing a penalty for such termination on Customer.

Sub-processor Agreements. Provider shall, upon Customer’s reasonable request, provide Customer copies of the Sub-processor agreements. Customer acknowledges that, before providing such copies, Provider may redact commercial information or other clauses unrelated to Provider’s obligations to provide Services to Customer under this agreement.

 Liability. Provider is liable for the acts and omissions of its Sub-processors to the same extent Provider would be liable if performing the services of each Sub-processor directly under the terms of this agreement.

 Personnel Processing Data

Confidentiality. Data Processor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Data Processor shall ensure that such confidentiality obligations survive the termination of the Data Processor of the personnel processing data.

Reliability. Data Processor shall take commercially reasonable steps to ensure the reliability of any SFDC personnel engaged in the Processing of Personal Data.

Limitation of Access. Data Processor shall ensure that Data Processor’s access to Personal Data is limited to personnel performing Services in accordance with the agreement.

Data Protection Officer. Data Processor has appointed a data protection officer. The appointed person may be reached at [email address].

Data Security. [PARTY B] shall implement appropriate safeguards to prevent unauthorized access to, use of, or disclosure of the Protected Information. 

Data Security. [PARTY B] shall implement reasonable safeguards to prevent unauthorized access to, use of, or disclosure of the disclosing party's Data.

 Data Security. Data Processor shall maintain administrative, physical and technical safeguards designed for the protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data. Data Processor will not materially decrease the overall security of the Services during a subscription term.

 Data Security. Data Processor shall use all technical, physical and organizational measures necessary to comply with all applicable laws and:

to prevent unauthorized persons from gaining access to Confidential Information and to data processing systems by which Confidential Information is processed (“access control”);

to prevent Confidential Information from being read, copied, modified or removed without authorization (“storage control”);

to prevent unauthorized input into the memory and the unauthorized examination, modification, and erasure of stored Confidential Information (“memory control”);

to prevent Confidential Information and data processing systems from being used by unauthorized persons with the use of data transmission facilities (“user control”);

to prevent Confidential Information from being read, copied, modified or erased without authorization during the transmission of the Confidential Information or the transport of storage media;

to ensure efficient and effective processing of all customer data inquiries including but not limited to "opt-out" and “unsubscribe” specifications, data access requests, data rectification requests and all like requests; and

to ensure proper customer identification prior to processing customer data inquiries.

Data Security

Data Protection. [PARTY B] shall implement appropriate safeguards to prevent unauthorized access to, use of, or disclosure of Protected Information.

Network Security. [PARTY B] shall maintain network security conforming to generally recognized industry standards and the network security practices it uses for its own internal network, including at a minimum, 

network firewall provisioning,

intrusion detection, and

vulnerability assessments conducted at least three times each calendar year by independent third party assessors.

Data Security. [PARTY B] shall protect the integrity and accessibility of the Protected Information using administrative, technical, and physical measures conforming to generally recognized industry standards and the best practices the [PARTY B] applies to its own data and processing environment, including at a minimum,

password protection systems, 

timely application of patches, and

fixes and updates to operating systems.

Data Storage

Designated Target Servers. [PARTY B] shall store, process, and maintain all the Protected Information only on designated target servers.

Portable or Laptop Storage. [PARTY B] will not store, process, or maintain any of the Protected Information on, or transfer any Protected Information to, any portable or laptop computing device or portable storage medium, unless that device or storage medium is part of [PARTY B]'s designated backup and recovery processes and encrypted according to paragraph [DATA ENCRYPTION].

Data Transmission. [PARTY B] shall ensure that all electronic transmission or exchange of system and application data with the disclosing party and with any third parties designated by the [PARTY B] takes place using secure means, including using HTTPS, SFTP, or an equivalent.

Data Encryption

Backup Data. [PARTY B] shall use commercially supported encryption solutions to encrypt all of the Protected Information, as part of [PARTY B]'s designated backup and recovery processes.

PII on Portable Devices. [PARTY B] shall use commercially supported encryption solutions to encrypt all personally identifiable information, as defined under current legislation, that is stored on portable or laptop computing devices or portable storage mediums.

Encryption Standards. [PARTY B] shall use encryption solutions with at least a 128-bit key length for symmetric encryption, and at least a 1024-bit key length for asymmetric encryption.

Confidentiality Obligations. [PARTY B] shall treat the Protected Information as Confidential Information subject to the confidentiality obligations under section [CONFIDENTIALITY OBLIGATIONS].

Handling of Data on End of Agreement. Within 30 days after the expiration or termination of this agreement, [PARTY B] shall

erase, destroy, or otherwise render unrecoverable all Protected Information, and

give [PARTY A] written certification that the Protected Information is erased, destroyed, or otherwise unrecoverable.

Data Security

Use Only for the Purpose. [PARTY B] shall implement appropriate safeguards to prevent unauthorized access to, use of, or disclosure of Protected Information.

Network Security. [PARTY B] shall maintain network security conforming to generally recognized industry standards and the network security practices it uses for its own internal network, including at a minimum, 

network firewall provisioning,

intrusion detection, and

vulnerability assessments conducted at least three times each calendar year by independent third party assessors.

Data Security. [PARTY B] shall protect the integrity and accessibility of the Protected Information using administrative, technical, and physical measures conforming to generally recognized industry standards and the best practices the [PARTY B] applies to its own data and processing environment, including at a minimum,

password protection systems, 

timely application of patches, and

fixes and updates to operating systems.

Data Storage

Designated Target Servers. [PARTY B] shall store, process, and maintain all the Protected Information only on designated target servers.

Portable or Laptop Storage. [PARTY B] will not store, process, or maintain any of the Protected Information on, or transfer any Protected Information to, any portable or laptop computing device or portable storage medium, unless that device or storage medium is part of [PARTY B]'s designated backup and recovery processes and encrypted according to paragraph [DATA ENCRYPTION].

Data Transmission. [PARTY B] shall ensure that all electronic transmission or exchange of system and application data with the disclosing party and with any third parties designated by the [PARTY B] takes place using secure means, including using HTTPS, SFTP, or an equivalent.

Data Encryption

Backup Data. [PARTY B] shall use commercially supported encryption solutions to encrypt all of the Protected Information, as part of [PARTY B]'s designated backup and recovery processes.

PII on Portable Devices. [PARTY B] shall use commercially supported encryption solutions to encrypt all personally identifiable information, as defined under current legislation, that is stored on portable or laptop computing devices or portable storage mediums.

Encryption Standards. [PARTY B] shall use encryption solutions with at least a 128-bit key length for symmetric encryption, and at least a 1024-bit key length for asymmetric encryption.

Confidentiality Obligations. [PARTY B] shall treat the Protected Information as Confidential Information subject to the confidentiality obligations under section [CONFIDENTIALITY OBLIGATIONS].

Limits on Data Distribution. Unless [PARTY A] gives its written consent, [PARTY B] will not distribute, repurpose, or share Protected Information to or with any third parties, or to or with the receiving party's applications, environments, or business units that are outside the scope of this agreement.

Notification of Security Breaches 

Compliance with Notification Laws. [PARTY B] shall comply with all applicable Laws regarding the notification of individuals in the event of unauthorized release of personally identifiable information and notification of other unauthorized data and information disclosures.

Procedure After Unauthorized Disclosure. Within 24 hours of discovering any breach of [PARTY B]'s security obligations or of any other event requiring notification under applicable Law, [PARTY B] shall notify [PARTY A], and any other individuals Law requires to be notified, of the breach or other event by telephone and e-mail.

Indemnification Related to Unauthorized Disclosure. [PARTY B] shall indemnify and defend [PARTY A] and its Representatives, against any losses arising out of claims related to any unauthorized disclosure or other events requiring notification under applicable Law.

Handling of Data on End of Agreement. Within 30 days after the expiration or termination of this agreement, [PARTY B] shall

erase, destroy, or otherwise render unrecoverable all Protected Information, and

give [PARTY A] written certification that the Protected Information is erased, destroyed, or otherwise unrecoverable.

Audits

Right to Audit on Notice. On 10 Business Days' written notice to [PARTY B], [PARTY A] may, or may appoint an audit firm (the "Auditors") to, audit [PARTY B], and the [PARTY B]'s sub-vendors or Affiliates that provide a service for the processing, transport, or storage of the Protected Information, for compliance with the data security obligations under this section.

Scope of Audit. [PARTY A] shall include in its notice of an upcoming audit the scope, date, and time of the audit, and any deliverables the disclosing party reasonably requests for the audit.

Onsite Audit 

Need for Onsite Audit. If the deliverables [PARTY A] requests cannot reasonably be removed from [PARTY B]'s premises, [PARTY B] shall provide [PARTY A] or the Auditors access to [PARTY B]'s premises, and if necessary, a personal site guide for [PARTY A] or the Auditors while on [PARTY B]'s premises.

Audit Accommodations. If an onsite audit is necessary, [PARTY B] shall provide [PARTY A] or the Auditors with private accommodation on [PARTY B]'s premises for data analysis and meetings, including a reasonable workspace, appropriate lighting, electrical, printer, and internet connectivity.

Access to Employees. [PARTY B] shall make designated employees or contractors available for interviews in person or over the phone during the time frame specified for the audit.

Receiving Party Self-Audit. In lieu of [PARTY B] or the Auditors performing the audit, if [PARTY B] has an external audit firm that performs a certified Type II SAS 70 review, [PARTY A] may

review the controls tested and the results of the audit by [PARTY B]'s audit firm, and

request additional controls to be added to the audit by [PARTY B]'s audit firm, to test the controls that have an impact on the Protected Information.

Audit Expenses. [PARTY A] shall bear all expenses in connection with audits, unless an audit reveals material noncompliance with contract specifications, in which case [PARTY B] shall bear the expenses.

Industry Standards. For the purpose of this section [DATA SECURITY], generally recognized industry standards include the current standards and benchmarks listed and maintained by the

Center for Internet Security (available at http://www.cisecurity.org),

Payment Card Industry/Data Security Standards (PCI/DSS) (available at http://www.pcisecuritystandards.org/),

National Institute for Standards and Technology (available at http://csrc.nist.gov),

Federal Information Security Management Act (FISMA) (available at http://csrc.nist.gov),

ISO/IEC 27000-series (available at http://www.iso27001security.com/), and

Organization for the Advancement of Structured Information Standards (OASIS) (available at http://www.oasis-open.org/).

 Technical and Organizational Measures

Security Measures. Provider shall maintain and implement reasonable and appropriate technical and organizational measures in relation to the security of the Hosted System, the Provider Infrastructure, and the Services. Customer acknowledges that those reasonable and appropriate technical and organizational measures are detailed below.

 Security Standards. Provider shall maintain and implement those security practices that are (i) at least as stringent as the minimum security practices detailed at [website address], and (ii) required by the terms of this agreement.

 Technical and Organizational Measures

Security Measures. Provider shall maintain and implement appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, described under Appendix 2 to the Standard Contractual Clauses. Such measures include, but are not limited to:

the prevention of unauthorized persons from gaining access to Personal Data Processing systems (physical access control),

the prevention of Personal Data Processing systems from being used without authorization (logical access control),

ensuring that persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control),

ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),

ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems (entry control),

ensuring that Personal Data is Processed solely in accordance with the Instructions (control of instructions),

ensuring that Personal Data is protected against accidental destruction or loss (availability control).

Access to Security Policy. Upon Data Controller’s request, Data Processor shall provide current Personal Data protection and security policies relating to the security measures.

 Controller Compliance. Data Processor will facilitate Data Controller’s compliance with the Data Controller’s obligation to implement security measures with respect to Personal Data (including if applicable Controller’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR), by (i) implementing and maintaining the security measures described under Appendix 2, (ii) complying with the terms of Personal Data Breaches; and (iii) providing the Controller with information in relation to the Processing in accordance with audits rights.

Data Subject Rights and Requests

Obligation to Notify. Provider will, to the extent permitted by law, inform Customer of requests from Data Subjects exercising their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed directly to Provider regarding Client Personal Data.

Responses to Data Subjects. Customer shall be responsible for responding to such requests of Data Subjects. Provider will reasonably assist Client in responding to such Data Subject requests.

Indemnification by Customer. If a Data Subject brings a claim directly against Provider for a violation of their Data Subject rights, Customer will indemnify Provider for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that Provider has notified Customer about the claim and given Customer the opportunity to cooperate with Provider in the defense and settlement of the claim.

Claims by Customer. Subject to the terms of the Agreement, Customer may claim from Provider amounts paid to a Data Subject for a violation of their Data Subject rights caused by Provider's breach of its obligations under GDPR.

 Data Subject Rights and Requests

Provider Obligation to Notify. Provider shall, to the extent legally permitted, promptly notify Customer if Provider receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”).

Provider Obligation to Assist. Provider shall assist Customer by appropriate technical and organizational measures, to the extent possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Provider shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Provider is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations.

Customer Payment of Costs. To the extent legally permitted, Customer shall be responsible for any costs arising from Provider’s provision of such assistance.

Notification of Security Breaches

Compliance with Notification Laws. [PARTY A] shall comply with all applicable Laws regarding the notification of individuals in the event of an unauthorized release of personally identifiable information and notification of other unauthorized data and information disclosures.

Procedure After Unauthorized Disclosure. Within 24 hours of discovering any breach of [PARTY A]'s security obligations or of any other event requiring notification under applicable Law, [PARTY A] shall notify [PARTY B], and any other individuals Law requires to be notified, of the breach or other events by telephone and e-mail.

Indemnification Related to Unauthorized Disclosure. [PARTY A] shall indemnify and defend [PARTY B] against any losses arising out of claims related to any unauthorized disclosure or other events requiring notification under applicable Law.

Notification of Unauthorized Disclosure

Notice of Disclosure. The [PARTY B] shall immediately report to the [PARTY A] any unauthorized or improper use or disclosure of Protected Health Information, including without limitation, any security or privacy incident or breach involving the Protected Health Information (“Incident”) without unreasonable delay, and not more than twenty-four (24) hours after the [PARTY B] becomes aware of the Incident by the [PARTY B] or its workforce, agents or subcontractors, and shall provide the [PARTY A] with notice and a report containing all information necessary to permit the [PARTY A] to timely comply with HIPAA notification provisions and its implementing rules or any other applicable reporting law, if necessary.

Incident Report. The incident report shall identify
(a) the known facts and circumstances related to the Incident;
(b) the individuals affected;
(c) the Protected Health Information that is known to be the subject of the Incident;
(d) the persons who are known to have information about the Incident; and
(e) the corrective action that Business Associate took or will take to mitigate any deleterious effects of the Incident and to prevent future incidents.

Data Breach. In the event of any unauthorized access or theft of [PARTY B] data, [PARTY A] shall promptly notify [PARTY B] and do all such acts and things as [PARTY B] considers reasonably necessary to remedy or mitigate the effects of the data breach. The parties shall coordinate and cooperate in good faith on developing the content of any related public statements or any required notices.

Definitions

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.

"Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

"Authorized Affiliate" means any of Customer's Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and FF, but has not signed its own Order Form with FF and is not a "Customer" as defined under the Agreement.

"Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

"Data Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

"Data Protection Law" means the applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data under the Agreement.

"Data Subject" means an identified or identifiable natural person.

"EEA" means the European Economic Area, namely the European Union Member States along with Iceland, Liechtenstein and Norway.

"European Subprocessor" means a Subprocessor that is physically processing Personal Data in the EEA or Switzerland.

"Personal Data" means any information relating to a Data Subject. For the purposes of this DPA, it includes only personal data entered by Customer or its Authorized Users into or derived from their use of the Cloud Service. It also includes personal data supplied to or accessed by the Provider or its Subprocessors in order to provide support under the Agreement. Personal Data is a sub-set of Customer Data.

"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

"Security Breach" means a confirmed (1) accidental or unlawful destruction, loss, alteration, or disclosure of Customer Personal Data or Confidential Data, or (2) similar incident involving Personal Data for which a Data Processor is required under applicable law to provide notice to the Data Controller.

"Standard Contractual Clauses" also referred to as the "EU Model Clauses" means the (Standard Contractual Clauses (processors)) or any subsequent version thereof released by the Commission (which will automatically apply). The current Standard Contractual Clauses are located at http://ec.europa.eu/justice/data-protection/international-transfers/files/clauses_for_personal_data_transfer_processors_c2010-593.doc.

"Subprocessor" means an Affiliate of the Provider and third parties engaged by the Provider or its Affiliates to process personal data.

"Third Country Subprocessor" means any Subprocessor incorporated outside the EEA and outside any country for which the European Commission has published an adequacy decision as published at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.

General Provisions

Amendment. This agreement may be amended only by a written instrument executed by [TITLE OR POSITION OF AUTHORIZED INDIVIDUAL] of each party.

Amendment

Before the Effective Time. Before the Effective Time, this agreement may be amended by either the Parent Board of Directors or Company Board of Directors.

After the Effective Time. After the Effective Time, this agreement may only be amended by the Parent Board of Directors or Company Board of Directors with the prior written approval by the Company Shareholders, if such approval is required by the [APPLICABLE STATUTE].

Method of Amendment. This agreement can be amended only by a written instrument signed on behalf of both parties. 

Amendment. This agreement can be amended only by a writing signed by both parties.

Amendment. This agreement may be amended only by written consent of the Company and Stockholders of at least [66%] of the outstanding shares of Common Stock. Any consent will only be effective in the specific instance and purpose for which it was given and shall not constitute continuing consent.

Amendment. This agreement may be amended only by a written instrument executed by the party against whom the amendment is to be enforced.

Amendment. [PARTY A] may amend the terms and conditions of this agreement at any time by reasonable notice, including without limitation by posting revised terms on its website at the URL [URL].

Assignment and Successors

Assignment. Neither party may assign this agreement or any of their rights or obligations under this agreement without the prior written consent of the other party.

Successors. This agreement benefits and binds the parties and their respective heirs, successors, and permitted assigns.

Assignment. Neither party may assign this agreement or any of their rights or obligations under this agreement without the other party's written consent.

Assignment

[PARTY B] Requires [PARTY A]'s Consent. [PARTY B] may not assign this agreement or any of its rights or obligations under this agreement without [PARTY A]'s written consent.

[PARTY A] May Give Notice to Assign. [PARTY A] may assign this agreement or any of its rights or obligations under this agreement, by giving [PARTY B] notice.

Assignment. [PARTY B] may not assign this agreement or any of its rights or obligations under this agreement without [PARTY A]'s prior written consent. [PARTY A] may assign this agreement or any of its rights and obligations under this agreement, effective upon Notice to [PARTY B],

to any subsidiary or affiliate, or

in connection with any sale, transfer, or other disposition of all or substantially all of its business or assets but only if the assignee assumes all of [PARTY A]'s obligations.

Notices

Method of Notice. The parties shall give all notices and communications between the parties in writing by (i) personal delivery, (ii) a nationally-recognized, next-day courier service, (iii) first-class registered or certified mail, postage prepaid[, (iv) fax][ or (v) electronic mail] to the party's address specified in this agreement, or to the address that a party has notified to be that party's address for the purposes of this section.

Receipt of Notice. A notice given under this agreement will be effective on

the other party's receipt of it, or

if mailed, on the earlier of the other party's receipt of it and the [fifth] Business Day after mailing it. 

Governing Law. This agreement shall be governed, construed, and enforced in accordance with the laws of the State of [GOVERNING LAW STATE], without regard to its conflict of laws rules.

Governing Law.

Applicable Law. This agreement will be governed by and construed in accordance with the substantive laws in force in:

the State of California, if a license to the Software is purchased when you are in the United States, Canada, or Mexico; or

Japan, if a license to the Software is purchased when you are in Japan, China, Korea, or other Southeast Asian country where all official languages are written in either an ideographic script (e.g., hanzi, kanji, or hanja), and/or other script based upon or similar in structure to an ideographic script, such as hangul or kana; or

England, if a license to the Software is purchased when you are in any jurisdiction not described above.

Jurisdiction. The respective courts of Santa Clara County, California when California law applies, Tokyo District Court in Japan, when Japanese law applies, and the competent courts of London, England, when the law of England applies, shall each have non-exclusive jurisdiction over all disputes relating to this agreement.

United Nations Convention on Contracts. This agreement will not be governed by the conflict of law rules of any jurisdiction or the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded.

Governing Law and Consent to Jurisdiction and Venue

Governing Law. This agreement, and any dispute arising out of the [SUBJECT MATTER OF THE AGREEMENT], shall be governed by laws of the State of [GOVERNING LAW STATE].

Consent to Jurisdiction. Each party hereby irrevocably consents to the [exclusive, non-exclusive] jurisdiction and venue of any [state or federal] court located within [VENUE COUNTY] County, State of [VENUE STATE] in connection with any matter arising out of this [agreement / plan] or the transactions contemplated under this [agreement / plan].

Consent to Service. Each party hereby irrevocably

agrees that process may be served on it in any manner authorized by the Laws of the State of [GOVERNING LAW STATE] for such Persons, and 

waives any objection which it might otherwise have to service of process under the Laws of the State of [GOVERNING LAW STATE].

Waiver. The failure or neglect by a party to enforce any of its rights under this agreement will not be deemed to be a waiver of that party's rights.

Severability. If any part of this agreement is declared unenforceable or invalid, the remainder will continue to be valid and enforceable.