Updated Aug 10, 2021
Each time you use the Services, the then-current version of the Terms will apply. If you use the Services after a modification of these Terms, you agree to be bound by the Terms as modified.
These Terms contain important information regarding your rights with respect to the Services, including your relationship with us, and include an arbitration provision that may limit your ability to pursue claims against us in court. Please read them carefully and review them regularly.
When you use the Services, you represent that you are (i) at least the age of majority in the jurisdiction where you reside or (ii) if you have not reached the age of majority in the jurisdiction where you reside, that you have received permission to use the Services from your parent or legal guardian.
You represent that any information you submit to us when using the Services is accurate, truthful, and current. You also represent that your use of the Services does not violate any applicable law or regulation.
In order to use the Services, you will be required to register for an account (“Account”). As the person who registered for the Account (the “Account Owner”), you are entitled to certain administrative permissions as set out in the Services. As part of the Account creation process, you will be asked to provide a username and password unique to the Account (“Login Information”). You are responsible for the confidentiality and use of your Login Information and agree not to transfer or disclose your Login Information to any third party other than an individual with express authority to act on your behalf. You are solely responsible for any activities occurring under your Account. If you suspect any unauthorized use of your Account, you agree to notify us immediately. We reserve the right to discontinue offering the Services, including by terminating your Account, at any time pursuant to these Terms. You have no ownership right to your Account, and our liability if you are unable to access the Services, if any, is limited by these Terms.
Accounts come in two primary groups: 1) Organizational Accounts, and 2) Individual Accounts. Organizational Accounts can be linked to a certain number of Individual Accounts as set out in your access plan.
As the Account Owner of an Account opened on behalf of an organization (an “Organizational Account”), you may grant access to the Services to certain individuals (“Authorized Users”), subject to the limits of any plan for which you enroll. When registering for an Organizational Account, administering such Account, and when accessing or otherwise using the Services, you represent or warrant that the information you enter for your organization is correct. You further acknowledge and agree that the Organizational Account Owner is responsible for all activity conducted by all Authorized Users. Each Authorized User must have their own Login Information and use of a single individual Account by several end users shall be considered a material breach of this Agreement, and CompanyCam reserves the right to terminate the Organizational Account for cause due to such breach.
As the Account Owner of an individual Account, you are responsible for your own actions. If you choose to add any users, you will become an Organizational Account for purposes of these Terms. If you have accepted an invitation to join the Services by your organization, and your Account becomes linked to such Organizational Account, you acknowledge that the administrators of the Organizational Account to which you are linked may have access to all activity/data logged or generated in your Account. You further acknowledge that you have no individual rights in your Account if you are linked below an Organizational Account, and that the Organizational Account’s Account Owner may revoke your permission to access your Account or any Organizational Content as such Account Owner sees fit. Finally, you acknowledge that any and all Content you upload or otherwise supply to the Services shall become the property of your Organizational Account Owner immediately upon its acceptance by the Services, and you hereby assign all right, title, or interest in such Content to such Account Owner.
In the event you have a paid account, fees are non-refundable except as required by law or in our sole discretion. If we terminate your Account without cause, we may refund you the fees for the unused portion of your subscription. If you sign up for our annual or monthly prepaid plans, and cancel those plans later, you are not entitled to a refund for the unused portion of your subscription period. You agree to pay all applicable fees when due and, if such fees are being paid via credit card or other electronic means, you authorize us to charge such fees using your selected payment method. By default, customer accounts are set to auto-renew and we may automatically charge you for such renewal on or after the renewal date associated with your account unless you have cancelled the Service prior to its renewal date. We may revise fee rates for the Service from time to time and will provide you with email notice of any changes in fees at least thirty (30) days prior to your Service renewal date. You are responsible for providing complete and accurate billing information to CompanyCam. We may suspend or terminate your use of the Service if fees become past due. You are responsible for all taxes (excluding taxes on our net income), and we will charge tax if required to do so by law.
You are authorized to access the Site and our application for the sole purpose of viewing and using the Services on your computer or device. We authorize you to copy materials from the Services to your device’s local or cloud storage solely for the purpose of viewing and using the Services. You may not use the Service for any illegal or unauthorized purpose. You agree to comply with all laws, rules, and regulations (for example, federal, state, local and provincial) applicable to your use of the Service and your User Content (defined below), including but not limited to, copyright laws.
You may not decompile, disassemble, rent, lease, loan, sell, sublicense, or create derivative works from the Site, the Services, or any data thereon. You may not use any robot, spider, or other automatic device or manual process to monitor or copy the Site or its content without our prior written permission. Your failure to abide by these conditions will immediately terminate your right to access the Site or to use the Services and may give rise to legal action related to the protection of our intellectual property rights or the intellectual property rights of third parties.
Third Party Sites
The Site may contain links to third party applications or websites we do not operate, control, or maintain (“Third Party Sites”). We do not endorse any Third Party Sites, and we make no representation or warranty in any respect regarding the Third Party Websites. Any links to Third Party Sites on the Services are provided solely for your convenience. If you do access any Third Party Sites, you do so at your own risk and waive any and all claims against us regarding the Third Party Sites or our links thereto.
You agree that we have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services, and related systems (for example, anonymous and aggregated information concerning user behavior and use of the Services), and we will be free (during and after the term hereof) to (i) use such information and data to improve and enhance the Site Services and for other development, diagnostic and corrective purposes in connection with the Site and Services and other of our offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business.
The CompanyCam Services belong in their entirety to us. We grant only that limited license herein to you. User Content (as defined below) belongs to you, and we take no ownership interest in it. The CompanyCam name and logo are our trademarks, and may not be copied, imitated or used, in whole or in part, without our prior written permission. In addition, all page headers, custom graphics, button icons, and scripts are our service marks, trademarks, and/or trade dress, and may not be copied, imitated or used, in whole or in part, without prior written permission from us.
You agree not to use any part of the Services to take any action or actions that (including with respect to any User Content): (i) are patently offensive in any manner (as determined in our sole discretion), (ii) involve commercial activities without our prior written consent, such as contests or sweepstakes, (iii) are contrary to our public image, goodwill, or reputation, (iv) infringe on our or any third party’s intellectual property rights, (v) violate any law or any third party’s legal rights, or (vi) “frame” or “mirror” any part of the Site without our prior written consent.
User Content Generally
When you post content and information to the Site or in connection with the Services (“Content”), including photos or other information about the projects you are undertaking, you represent and warrant to us that (i) you own or have the necessary rights to use and share the Content, (ii) the posting of the Content does not violate any rights of any person or entity, and (iii) you have no agreement with or obligations to any third party that would prohibit your use of the Site or Services in the manner so used. You agree to pay all royalties, fees, and any other monies owing to any person or entity by reason of any Content posted by you to the Site or through the Services. You acknowledge and agree that we may, in our sole discretion, remove Content at any time and for any reason, or for no reason at all. If you are an Authorized User of an Organizational Account, you also acknowledge and agree that any Content uploaded to the Services shall immediately become the property of such Organizational Account, and you assign all right, title, and interest in such Content to the Organizational Account Owner upon posting the Content to the Services.
You agree not to include any personally-identifiable information about yourself or any other person in any User Content except as requested or required by CompanyCam.
By posting or storing any Content in the Services, you give us and our affiliates a perpetual, nonexclusive, irrevocable, royalty-free, sublicensable and transferable worldwide license to all intellectual property rights you own or control to use, transmit, reproduce, commercialize, distribute, modify, create derivative works from, and otherwise exploit such Content for any and all purposes and without further notice to you, attribution, and without the requirement of any permission or payment to you or any other person or entity, except as otherwise expressly provided herein. You also authorize and appoint us as your attorney in fact and agent with full power to enter into and execute any document or undertake any action we may consider appropriate to use or enforce the grant of rights and waivers set forth in these Terms.
From time to time, you may be asked to provide feedback on the Services or the Platform, whether by a survey or by giving a written testimonial (“Feedback”). Feedback shall include any communications directed to us related to the Services, including without limitation suggestions for new features or functionality or comments, questions, or other suggestions. If you choose to give such Feedback, you agree that all such Feedback shall belong entirely to us, including any ideas, know-how, concepts, techniques, or other intellectual property rights contained in such Feedback, and you hereby assign all right, title, and interest in such Feedback to us. We shall be free to use any Feedback, with or without attribution (subject to our obligations to protect your privacy) or compensation to the provider.
The Services include a content-sharing platform (the “Platform”) whereby content-creating users (“Creators”) can create and share certain Content with other users subject to the sharing permission set by the Creator in the Platform. By sharing Content, you represent and warrant that you have all necessary permission to share the Content in its form. If the Content is a photograph, you represent that all personally identifiable information has been removed from the photograph. At times, entering project information into the Services and Platform may require sharing the personal information of third parties, such as clients. You agree that only such personal information as is necessary has been uploaded to the Services and Platform, and that you have permission from the subject to share their information with whoever has permission to see such personal information inside the Services.
Losses of Stored Content
Although it is our intention for the Service to be available as much as possible, there will be occasions when the Service may be interrupted, including, without limitation, for scheduled maintenance or upgrades, for emergency repairs, for unscheduled downtime, for system and server failures, or due to failure of telecommunications links and/or equipment. Consequently, we encourage you to maintain your own backup of your Content. In other words, we are not a backup service and you agree that you will not rely on the Service for the purposes of Content backup or storage. We will not be liable to you for any modification, suspension, or discontinuation of the Services, or the loss of any Content. You also acknowledge that the Internet may be subject to breaches of security and that the submission of Content or other information may not be secure.
We respect the intellectual property rights of others. The Digital Millennium Copyright Act of 1998 (the “DMCA”) provides a complaint procedure for copyright owners who believe that any material posted online or in an app infringes their rights under U.S. copyright law. If you believe that your work has been improperly copied and posted, please provide us with the following information: (i) name, address, telephone number, email address and an electronic or physical signature of the copyright owner or of the person authorized to act on his/her behalf; (ii) a description of the copyrighted work that you claim has been infringed; (iii) a description of where on the Site the material that you claim is infringing is located; (iv) a written statement that you have a good faith belief that the disputed use is not authorized by the copyright owner, its agent, or the law; and (v) a statement by you, made under penalty of perjury, that the above information in your notice is accurate and that you are the copyright owner or authorized to act on the copyright owner’s behalf. These requirements must be followed to give us legally sufficient notice of infringement. Send copyright infringement complaints to the following email address: email@example.com. We suggest that you consult your legal advisor before filing a DMCA notice with our copyright agent. There can be penalties for false claims under the DMCA.
You agree that the Services are available on an “as is” basis, without any warranty, and that you use the Services at your own risk. We disclaim, to the maximum extent permitted by law, any and all warranties, whether express or implied, including, without limitation, (a) warranties of merchantability or fitness for a particular purpose, (b) warranties against infringement of any third party intellectual property or proprietary rights, (c) warranties relating to delays, interruptions, errors, or omissions in the Services or on the Site, (d) warranties relating to the accuracy or correctness of data on the Services, and (e) any other warranties otherwise relating to our performance, nonperformance, or other acts or omissions.
We do not warrant that the Site or the Services will operate error-free or that they are free of computer viruses and/or other harmful materials. If your use of the Site or the Services results in the need for servicing or replacing equipment or data, we are not responsible for any such costs.
Some jurisdictions do not allow the exclusion or limitation of certain categories of damages or implied warranties; therefore, the above limitations may not apply to you. In such jurisdictions, our liability is limited to the greatest extent permitted by law.
Limitation of Liability
Any liability we have to you in connection with these Terms, under any cause of action or theory, is strictly limited to, in aggregate for all violations, $100. Without limiting the previous sentence, in no event shall we or any of our affiliates be liable to you for any indirect, special, incidental, consequential, punitive, or exemplary damages arising out of or in connection with, these Terms. The foregoing limitations apply whether the alleged liability is based on contract, tort, negligence, strict liability, or any other basis, even if we or our affiliates have been advised of the possibility of such damages.
You agree to indemnify and hold us harmless for any breach of security or any compromise of your Account.
Some jurisdictions do not allow the exclusion or limitation of incidental or consequential; therefore, the above limitations may not apply to you. In such jurisdictions, our liability is limited to the greatest extent permitted by law.
You agree to indemnify and hold harmless us, our affiliates and our and their officers, directors, partners, agents, and employees from and against any loss, liability, claim, or demand, including reasonable attorneys’ fees (collectively, “Claims”), made by any third party due to or arising out of your use of the Services in violation of these Terms, any breach of the representations and warranties you make in these Terms, or your User Content. You agree to be solely responsible for defending any Claims against or suffered by us with counsel subject to our reasonable approval and further subject to our right to participate with counsel of our own choosing.
Electronic Signatures and Notices.
Certain activities on the Services may require you to make an electronic signature. You understand and accept that an electronic signature has the same legal rights and obligations as a physical signature.
If you have an Account, you agree that we may provide you any and all required notices electronically through your Account or other electronic means. You agree that we are not responsible for any delivery fees charged to you as a result of your receipt of our electronic notices.
These Terms are governed by Nebraska law, without giving effect to conflicts of law principles. You agree that, to the extent applicable and expressly subject to the dispute resolution provisions below, to submit to the exclusive jurisdiction of the state and federal courts located in Lancaster County, Nebraska in circumstances where these Terms permit litigation in court. We may assign, transfer, delegate, or otherwise hypothecate our rights under these Terms in our sole discretion. If we fail to enforce a provision of these Terms, you agree that such a failure does not constitute a waiver to enforce the provision (or any other provision hereunder). If any provision of these Terms is held or made invalid, the invalidity does not affect the remainder of these Terms. We reserve all rights not expressly granted in these Terms and disclaim all implied licenses.
Please read this section carefully. It contains procedures for mandatory binding arbitration and a class action waiver.
Any controversy or claim arising out of or relating to this contract, or the breach thereof, shall be settled by arbitration administered by the American Arbitration Association in accordance with its Commercial Arbitration Rules, and judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof. Any such arbitration shall take place in Lancaster County, Nebraska. All aspects of the arbitration proceeding, including but not limited to the award of the arbitrator and compliance therewith, shall be strictly confidential. You agree to maintain confidentiality unless otherwise required by law. This paragraph shall not prevent a party from submitting to a court of law any information necessary to enforce this Section, to enforce an arbitration award, or to seek injunctive or equitable relief.
Waiver of Jury Trial & Class Actions
THE PARTIES HEREBY WAIVE THEIR CONSTITUTIONAL AND STATUTORY RIGHTS TO GO TO COURT AND HAVE A TRIAL IN FRONT OF A JUDGE OR A JURY, instead electing that all claims and disputes shall be resolved by arbitration under these terms. Arbitration procedures are typically more limited, more efficient and less costly than rules applicable in a court and are subject to very limited review by a court. In the event any litigation should arise between you and us in any state or federal court in a suit to vacate or enforce an arbitration award or otherwise, YOU WAIVE ALL RIGHTS TO A JURY TRIAL, instead electing that the dispute be resolved by a judge. ALL CLAIMS AND DISPUTES WITHIN THE SCOPE OF THIS SECTION MUST BE ARBITRATED OR LITIGATED ON AN INDIVIDUAL BASIS AND NOT ON A CLASS BASIS, AND CLAIMS OF MORE THAN ONE USER CANNOT BE ARBITRATED OR LITIGATED JOINTLY OR CONSOLIDATED WITH THOSE OF ANY OTHER USER.
If any part or parts of these Terms are found under the law to be invalid or unenforceable by a court of competent jurisdiction, then such specific part or parts shall be of no force and effect and shall be severed and the remainder shall continue in full force and effect.
Notice for California Users. Under California Civil Code Section 1789.3, California Website users are entitled to the following specific consumer rights notice: The Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs may be contacted in writing at 1625 N. Market Blvd., Suite S‑202, Sacramento, California 95834, or by telephone at (800) 952‑5210.
Data Protection Addendum
The customer agreeing to these terms (“Customer”) has entered into a Terms of Service Agreement with CompanyCam, Inc., a Delaware corporation (“CompanyCam”) under which CompanyCam has agreed to provide services to Customer (as amended from time to time, the “Agreement”).
This Data Protection Addendum, including its applicable Appendices (the “Addendum”) is considered a part of the Agreement and will take effect on the Addendum Effective Date and, notwithstanding the expiration of the Term, will remain in effect until, and automatically expire upon, CompanyCam’s deletion of all Customer Personal Data as described in this Addendum.
For purposes of this Addendum, the terms below shall have the meanings set forth below. Capitalized terms that are used but not otherwise defined in this Addendum shall have the meanings set forth in the Agreement.
“Addendum Effective Date” means the date on which the parties agreed to this Addendum.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
“Audit Reports” has the meaning given in Section 5.04.4 (Audit Reports).
“CCPA” means the California Consumer Privacy Act of 2018.
“Customer Personal Data” means any personal data or personal information of data subjects contained within the data provided to or accessed by CompanyCam by or on behalf of Customer or Customer end users in connection with the Services.
“EEA” means the European Economic Area.
“EU” means the European Union.
“European Data Protection Legislation” means the GDPR and other data protection laws of the EU, its Member States, Switzerland, Iceland, Liechtenstein and Norway and the United Kingdom, applicable to the processing of Customer Personal Data under the Agreement.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data of EU data subjects and on the free movement of such data, and repealing Directive 95/46/EC.
“Global Data Protection Legislation” means the European Data Protection Legislation, CCPA, and LGPD as applicable to the processing of Customer Personal Data under the Agreement.
“Information Security Incident” means a breach of CompanyCam’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data in CompanyCam’s possession, custody or control. “Information Security Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“LGPD” means the Brazilian General Data Protection Law.
“Security Documentation” means all documents and information made available by CompanyCam under Section 5.04.1 (Audits).
“Security Measures” has the meaning given in Section 5.01.1 (CompanyCam’s Security Measures).
“Services” means the services and/or products to be provided by CompanyCam to Customer under the Agreement.
“Standard Contractual Clauses” or “Clauses” mean the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.
“Subprocessors” means third parties authorised under this Addendum to process Customer Personal Data in relation to the Services.
“Term” means the period from the Addendum Effective Date until the end of CompanyCam’s provision of the Services.
“Transfer Solution” means the Standard Contractual Clauses or another solution that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the GDPR.
The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this Addendum have the meanings given in the GDPR and LGPD, as applicable, and the terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses. The terms “personal information”, “Business”, and “Service Provider” have the meanings set forth in the CCPA.
2. Processing of Data
2.1. Roles and Regulatory Compliance; Authorization.
2.1.1. Processor and Controller Responsibilities. This Addendum only applies to the extent that we are processing Customer Personal Data on behalf of Customer. If the European Data Protection Legislation, LGPD, or CCPA apply to the processing of Customer Personal Data, the parties acknowledge and agree that:
- the subject matter and details of the processing are described in Appendix 1;
- CompanyCam is a processor of that Customer Personal Data under the European Data Protection Legislation or LGPD, and/or a Service Provider with respect to that Customer Personal Data under the CCPA, as applicable;
- Customer is either a controller or processor of that Customer Personal Data under European Data Protection Legislation or LGPD, and/or a Business with respect to that Customer Personal Data under the CCPA, as applicable; and
- each party will comply with the obligations applicable to it under the applicable Global Data Protection Legislation with respect to the processing of that Customer Personal Data.
2.1.2. Authorization by Third Party Controller. If the European Data Protection Legislation applies to the processing of Customer Personal Data and Customer is a processor, Customer warrants to CompanyCam that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of CompanyCam as another processor and its consent to CompanyCam’s onward transfers of Customer Personal Data to its Subprocessors, have been authorized by the relevant controller.
3. Scope of Processing
3.1 Customer’s Instructions. By entering into this Addendum, Customer instructs CompanyCam to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services; (b) as authorised by the Agreement, including this Addendum and its Appendices; and (c) as further documented in any other written instructions given by Customer and acknowledged in writing by CompanyCam as constituting instructions for purposes of this Addendum.
3.2 CompanyCam’s Compliance with Instructions. CompanyCam will only process Customer Personal Data in accordance with Customer’s instructions described in Section 3.01 (including with regard to data transfers) (“Customer’s Instructions”) unless the applicable Global Data Protection Legislation to which CompanyCam is subject requires other processing of Customer Personal Data by CompanyCam, in which case CompanyCam will notify Customer (unless that law prohibits CompanyCam from doing so on important grounds of public interest).
4. Data Deletion
Unless otherwise set forth in the Agreement, upon expiration of the Term, Customer instructs CompanyCam to delete all Customer Personal Data (including existing copies) from CompanyCam’s systems as required by and in accordance with applicable law as soon as reasonably practicable, unless applicable law prevents CompanyCam from deleting such data. To the extent that Customer is bound by laws or regulations that would require CompanyCam to retain Customer Personal Data after expiration of the Term and Customer does not inform CompanyCam of such retention obligations, Customer shall be solely liable for any deletion of such data by CompanyCam in accordance with this Article 4.
5. Data Security
5.1. CompanyCam’s Security Measures, Controls and Assistance.
5.1.1. CompanyCam’s Security Measures. CompanyCam will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Customer Personal Data as described in Appendix 2 (the “Security Measures”). CompanyCam may update or modify the Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.
5.1.2. Security Compliance by CompanyCam Staff. CompanyCam will grant access to Customer Personal Data only to employees, contractors and Subprocessors who need such access for the scope of their performance, and are subject to appropriate confidentiality arrangements.
5.1.3. CompanyCam’s Security Assistance. CompanyCam will (taking into account the nature of the processing of Customer Personal Data and the information available to CompanyCam) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Customer Personal Data under Global Data Protection Legislation, including Articles 32 to 34 (inclusive) of the GDPR and Articles 6 and 46 of the LGPD, by:
- implementing and maintaining the Security Measures in accordance with 5.01.1 (CompanyCam’s Security Measures);
- complying with the terms of Section 5.02 (Information Security Incidents); and
- providing Customer with the Security Documentation in accordance with the Agreement, including this Addendum.
5.2. Information Security Incidents.
5.2.1. Information Security Incident Notification. If CompanyCam becomes aware of an Information Security Incident, CompanyCam will: (a) notify Customer of the Information Security Incident without undue delay after becoming aware of the Information Security Incident; and (b) take reasonable steps to identify the cause of such Information Security Incident, minimize harm and prevent a recurrence.
5.2.2. Details of Information Security Incident. Notifications made pursuant to this Section 5.02 (Information Security Incidents) will describe, to the extent reasonably practicable, details of the Information Security Incident, including (i) the nature of the Information Security Incident including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (ii) the name and contact details of the data protection officer or other contact point where more information can be obtained; (iii) the likely consequences of the Information Security Incident; (iv) steps taken, or proposed to be taken, to mitigate the potential risks and steps CompanyCam recommends Customer take to address the Information Security Incident including, where appropriate, measures to mitigate its possible adverse effects.
5.2.3. Notification. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Information Security Incident(s).
5.2.4. No Acknowledgement of Fault by CompanyCam. CompanyCam’s notification of or response to an Information Security Incident under this Section 5.02 (Information Security Incidents) will not be construed as an acknowledgement by CompanyCam of any fault or liability with respect to the Information Security Incident.
5.3. Customer’s Security Responsibilities and Assessment.
5.3.1. Customer’s Security Responsibilities. Customer agrees that, without prejudice to CompanyCam’s obligations under Section 5.01 (CompanyCam’s Security Measures, Controls and Assistance) and Section 5.02 (Information Security Incidents):
- Customer is solely responsible for its use of the Services, including:
- making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data;
- securing the account authentication credentials, systems and devices Customer uses to access the Services;
- securing Customer’s systems and devices CompanyCam uses to provide the Services; and
- backing up its Customer Personal Data.
- CompanyCam has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of CompanyCam’s and its Subprocessors’ systems (for example, offline or on-premises storage).
5.3.2. Customer’s Security Assessment.
Customer is solely responsible for reviewing the Security Documentation and evaluating for itself whether the Services, the Security Measures and CompanyCam’s commitments under this Article 5 (Data Security) will meet Customer’s needs, including with respect to any security obligations of Customer under the applicable Global Data Protection Legislation.
Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by CompanyCam as set out in 5.01.1 (CompanyCam’s Security Measures) provide a level of security appropriate to the risk in respect of the Customer Personal Data.
5.4. Reviews and Audits of Compliance
5.4.1. Audits. Customer may audit CompanyCam’s compliance with its obligations under this Addendum up to once per year. In addition, to the extent required by the applicable Global Data Protection Legislation, including where mandated by Customer’s supervisory authority, Customer or Customer’s supervisory authority may perform more frequent audits (including inspections). CompanyCam will contribute to such audits by providing Customer or Customer’s supervisory authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of processing activities applicable to the Services.
5.4.2. Objections to Third Party Auditor. If a third party is to conduct the audit, CompanyCam may object to the auditor if the auditor is, in CompanyCam’s reasonable opinion, not suitably qualified or independent, a competitor of CompanyCam, or otherwise manifestly unsuitable. Such objection by CompanyCam will require Customer to appoint another auditor or conduct the audit itself.
5.4.3. Request for Audit. To request an audit, Customer must submit a detailed proposed audit plan to CompanyCam at least two weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. CompanyCam will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise CompanyCam security, privacy, employment or other relevant policies). CompanyCam will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 5.04 (Reviews and Audits of Compliance) shall require CompanyCam to breach any duties of confidentiality.
5.4.4. Audit Reports. If the requested audit scope is addressed in an SSAE 16/18/ISAE 3402 Type 2, AICPA SOC 2 (SOC for Service Organizations: Trust Services Criteria), ISO, NIST or similar audit report performed by a qualified third party auditor (“Audit Reports”) within twelve (12) months of Customer’s audit request and CompanyCam confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
5.4.5. Conduct of Audit. The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and CompanyCam’s health and safety or other relevant policies, and may not unreasonably interfere with CompanyCam business activities.
5.4.6. Conditions of Audit. Customer will promptly notify CompanyCam of any non-compliance discovered during the course of an audit and provide CompanyCam any audit reports generated in connection with any audit under this Section 5.04 (Reviews and Audits of Compliance), unless prohibited by the applicable Global Data Protection Legislation or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum. The audit reports and any CompanyCam information shared during the audit process are Confidential Information of the parties under the terms of the Agreement.
5.4.7. Expenses of Audit. Any audits are at Customer’s expense. Customer shall reimburse CompanyCam for any time expended by CompanyCam or its Subprocessors in connection with any audits or inspections under this Section 5.04 (Reviews and Audits of Compliance) at CompanyCam’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
5.4.8. Standard Contractual Clauses. The parties agree that this Section 5.04 (Reviews and Audits of Compliance) shall satisfy CompanyCam’s obligations under the audit requirements of the Standard Contractual Clauses applied to Data Importer under Clause 5(f) and to any Sub-processors under Clause 11 and Clause 12(2).
6. Impact Assessments and Consultations
CompanyCam will (taking into account the nature of the processing and the information available to CompanyCam) reasonably assist Customer in complying with its obligations under the applicable Global Data Protection Legislation in respect of data protection impact assessments and prior consultation, including, if applicable, Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by:
6.1. Audit Reports and Security Measures. Making available for review copies of the Audit Reports or other documentation describing relevant aspects of CompanyCam’s information security program and the security measures applied in connection therewith; and
6.2 Additional Information. Providing the information contained in the Agreement including this Addendum.
7. Data Subject Rights
7.1. Customer’s Responsibility for Requests. During the Term, if CompanyCam receives any request from a data subject in relation to Customer Personal Data, CompanyCam will, at its sole discretion, (i) advise the Customer of the request, (ii) advise the data subject to submit his or her request to Customer, and/or (iii) notify the data subject that his or her request has been forwarded to the Customer. Customer will be responsible for responding to any such request.
7.2. CompanyCam’s Data Subject Request Assistance. CompanyCam will (taking into account the nature of the processing of Customer Personal Data) provide Customer with self-service functionality through the Services or other reasonable assistance as necessary for Customer to fulfil its obligation under the applicable Global Data Protection Legislation to respond to requests by data subjects, including if applicable, Customer’s obligation to respond to requests for exercising the data subject’s rights set out in Chapter III of the GDPR, Articles 18 and 19 of the LGPD, or Section 1798.105 of the CCPA. Customer shall reimburse CompanyCam for any such assistance beyond providing self-service features included as part of the Services at CompanyCam’s then-current professional services rates, which shall be made available to Customer upon request.
8. Data Transfers
8.1 Data Storage and Processing Facilities.
CompanyCam may, subject to Section 8.02 (Transfers of Data Out of the EEA), store and process Customer Personal Data anywhere CompanyCam or its Subprocessors maintains facilities.
8.2 Transfers of Data Out of the EEA.
8.2.1. CompanyCam’s Transfer Obligations. If the storage and/or processing of Customer Personal Data (as set out in Section 8.01 (Data Storage and Processing Facilities)) involves transfers of Customer Personal Data out of the EEA or Switzerland, and the European Data Protection Legislation applies to the transfers of such data (“Transferred Personal Data”), CompanyCam will make such transfers in accordance with a Transfer Solution, and make information available to Customer about such Transfer Solution upon request.
8.2.2. Customer’s Transfer Obligations. In respect of Transferred Personal Data, Customer agrees that if under European Data Protection Legislation CompanyCam reasonably requires Customer to use another Transfer Solution offered by CompanyCam (other than the Standard Contractual Clauses, which are attached hereto as Appendix 3 and incorporated by reference to the extent that Customer is transferring Customer Personal Data out of the EEA or Switzerland to CompanyCam) and CompanyCam reasonably requests that Customer take any action (which may include execution of documents) required to give full effect to such solution, Customer will do so.
8.3 Disclosure of Confidential Information Containing Personal Data.
If Customer has entered into Standard Contractual Clauses as described in Section 8.02 (Transfers of Data Out of the EEA), CompanyCam will, notwithstanding any term to the contrary in the Agreement, make any disclosure of Customer’s Confidential Information containing personal data, and any notifications relating to any such disclosures, in accordance with such Standard Contractual Clauses. For the purposes of the Standard Contractual Clauses, Customer and CompanyCam agree that (i) Customer will act as the data exporter on Customer’s own behalf and on behalf of any of Customer’s entities and (ii) CompanyCam or its relevant Affiliate will act on its own behalf and/or on behalf of CompanyCam’s Affiliates as the data importers.
9.1 Consent to Subprocessor Engagement. Customer generally authorizes the engagement of any other third parties as Subprocessors and authorizes onward transfer of Customer Personal Data to any Subprocessors engaged by CompanyCam. If Customer has entered into Standard Contractual Clauses as described in Section 8.02 (Transfers of Data Out of the EEA), the above authorizations will constitute Customer’s prior written consent to the subcontracting by CompanyCam of the processing of Customer Personal Data if such consent is required under the Standard Contractual Clauses.
9.3. Requirements for Subprocessor Engagement. When engaging any Subprocessor, CompanyCam will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in the Agreement (including this Addendum) with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Services provided by such Subprocessor. CompanyCam shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
9.4. Opportunity to Object to Subprocessor Changes.
When any new Subprocessor is engaged during the Term, CompanyCam will, at least 30 days before the new Subprocessor processes any Customer Personal Data, notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform).
Customer may object to any new Subprocessor by providing written notice to CompanyCam within ten (10) business days of being informed of the engagement of the Subprocessor as described above. In the event Customer objects to a new Subprocessor, Customer and CompanyCam will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to CompanyCam.
10. Processing Records
Customer acknowledges that CompanyCam is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which CompanyCam is acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Customer Personal Data, Customer will, where requested, provide such information to CompanyCam, and will ensure that all information provided is kept accurate and up-to-date.
11.1 Liability Cap. The total combined liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Agreement, this Addendum, and the Standard Contractual Clauses if entered into as described in Section 8.02 (Transfers of Data Out of the EEA) combined will be limited to limitations on liability or other liability caps agreed to by the parties in the Agreement, subject to Section 11.02 (Liability Cap Exclusions).
11.2 Liability Cap Exclusions. Nothing in Section 11.01 (Liability Cap) will affect any party’s liability to data subjects under the third party beneficiary provisions of the Standard Contractual Clauses to the extent limitation of such rights is prohibited by the European Data Protection Legislation.
Customer acknowledges and agrees that CompanyCam may create and derive from processing related to the Services anonymised and/or aggregated data that does not identify Customer or any natural person, and use, publicise or share with third parties such data to improve CompanyCam’s products and services and for its other legitimate business purposes.
Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by CompanyCam to Customer may be given (a) in accordance with the notice clause of the Agreement; (b) to CompanyCam’s primary points of contact with Customer; and/or (c) to any email provided by Customer for the purpose of providing it with Service-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
14. Effect of These Terms
Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between this Addendum and the remaining terms of the Agreement, this Addendum will govern.
Appendix 1: Subject Matter and Details of the Data Processing
This Appendix 1 is incorporated into the Addendum, and also forms part of the Standard Contractual Clauses (if such Standard Contractual Clauses are applicable to Customer).
- Data Importer: The Data Importer (or Service Provider/Processor) is CompanyCam, a provider of productivity solutions.
- Data Exporter: The Data Exporter (or Business/Controller) is the Customer that is a party to the Addendum.
- Subject Matter: CompanyCam’s provision of the Services to Customer as set forth in the Agreement and the Addendum.
- Duration of the Processing: The Term plus the period from the expiry of the Term until deletion of all Customer Personal Data by CompanyCam in accordance with the Addendum.
- Nature and Purpose of the Processing: CompanyCam will receive, process, and store Customer Personal Data for the purposes of providing the Services to Customer in accordance with the Agreement and the Addendum, to communicate with Customer and its end users, to provide customer service, to monitor, maintain, and improve the Services, and to otherwise fulfill its obligations under the Agreement.
- Categories of Data:
- First and last name
- Contact information (company, email, phone, physical business address)
- ID data
- Connection data
- Localization data
- Other electronic data submitted, stored, sent, or received by an end user (which may include special categories of personal data under the GDPR, or sensitive personal data under the LGPD, to the extent that such data is submitted, stored, sent, or received by an end user; CompanyCam does not request or require any sensitive or special categories of personal data for provision of the Services)
- Information related to invoices or payments made for the CompanyCam service
- Usage information
- Data Subjects:
- Employees, agents, advisors, and/or freelancers of Customer (who are natural persons), and/or individuals about whom data is provided to CompanyCam via the Services by (or at the direction of) Customer
- End users authorized by Customer to use the Services
Appendix 2: Security Measures
This Appendix 2 is incorporated into the Addendum, and also forms part of the Standard Contractual Clauses (if such Standard Contractual Clauses are applicable to Customer).
As from the Addendum Effective Date, CompanyCam will implement and maintain the following technical and organizational Security Measures. CompanyCam may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.
- Production database access is limited to three admins as well as traffic coming from the production applications servers
- Data is encrypted in transit
- Access requires VPN and server account logins
- Servers do not have public IP addresses and can only be accessed manually via a browser-based terminal. The browser-based terminal requires VPN and server account logins
- Public requests to servers are routed through multiple firewalls, and HTTP traffic (ports 80, 443) can only reach servers through these multiple firewalls
- Data encrypted in transit
- Access to servers is provided via a service which issues temporary credentials for use of that server at time of access. No permanently stored credentials can alone access the servers
- Production: Access limited to three admins. Emergency access can be granted to select dev team leads
- Beta: Access limited to admins and temporarily available to select devs on request
- QA: Must have server and VPN login
- Secrets are encrypted at rest and during transit with only admins and select automated processes being given the access to decrypt data
- Secrets, such as tokens and passwords, are tied to machine users and not actual people
- Happens in an ephemeral container within a private subnet, which has no routes to public Internet.
- Connections between the deployment container and servers happen via private VPC routes
- Deployments are triggered via an API which also requires an access token to be passed in request header
- Only master branch can be deployed to production environment, enforced via automation
- All use of cloud services is logged
- Our cloud services are automatically scanned for malicious activity
Appendix 3: Standard Contractual Clauses
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection the Customer accepting the Clauses pursuant to the Addendum (the “Data Exporter”)
CompanyCam, Inc. (the “Data Importer”)
HAVE AGREED on the following Standard Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
The data exporter has entered into a data processing addendum (“DPA”) with the data importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data Importer is located in the United States. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.
Clause 1: Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2: Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3: Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4: Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5: Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6: Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7: Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8: Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9: Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10: Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11: Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12: Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.