License and Services Agreement
Add a Title
Please read this License & Services Agreement (this “Agreement”), together with Exhibit A (Data Processing Addendum), carefully because it is a legal agreement between you (“Customer”, “you”, “your”) and Marathon Data, LLC a Delaware limited liability company with its principal place of business at 1258 Upper Happy Valley Rd., Lafayette, CA 94549 and operating from the website www.MarathonDataCo.com (“Marathon”, “we”, “us”, “our”) effective as of the date you accept this Agreement (the “Effective Date”). Marathon and Customer are referred to collectively in this Agreement as the “Parties” or individually as a “Party.”
This Agreement governs Customer’s access to and use of the proprietary hosted software suite (the “Marathon Platform”), supplementary consulting services (“Professional Services”), and any other software, products, interfaces, technology, user manuals or documentation, or related services that we provide you (the foregoing collectively, the “Services”).
Marathon will provide the Services to you only if you accept this Agreement. If you do not accept this Agreement, you may not use the Services. If you click on the “Continue” button below or use the Services, you are indicating that you understand and accept the terms of this Agreement. If you are entering into this Agreement on behalf of a company or other legal entity, you represent that you have the authority to bind such entity to this Agreement, and in that case “you” or “your” will refer to such entity. collectively, the “Services”).
Customer materials and data
As between Customer and Marathon, Customer owns and retains all right, title and interest in and to all information, data, content and other materials, in any form or medium, that is provided, or otherwise uploaded, by or on behalf of Customer through the Services (the “Customer Materials.”) For clarity, “Customer Materials'' excludes Feedback. Marathon may Use, display and modify, and authorize others to do so, the Customer Materials to provide and improve the Marathon products and services during the Term and develop or derive data or insights in deidentified form from (i) any Customer Materials or (ii) Customer’s and/or its Authorized Users’ use of the Services, including, without limitation, any usage data or trends with respect to the Services (“Service Information”).
Representations and Warranties
— Each Party represents and warrants to the other Party that: (i) it has full power and authority to enter into this Agreement; and (ii) the execution, delivery and performance of this Agreement by it have been duly authorized by all necessary actions and do not violate its organizational documents.
— By Customer. Customer represents and warrants that Marathon’ use of the Customer Materials will not violate any applicable laws or regulations or infringe or violate any Intellectual Property Rights or other rights of any third party or cause a breach of any agreement or obligations between Customer and any third party.
Term
— Trial Period. Beginning on the Effective Date, a trial period will commence during which time you may use certain aspects of the Marathon Platform, including the Brand Health Dashboard, free of charge (the “Trial Period”).
— Conclusion of Trial Period; Subsequent Agreement. The Trial Period will continue until terminated upon the mutual determination of the Parties,. Customer agrees, upon expiration of the Trial Period Term, to negotiate in good faith a subsequent paid subscription agreement with Marathon regarding Customer’s Use of the Services (“Subsequent Agreement”), provided that Customer is not obligated to enter into a Subsequent Agreement.
Termination
— Termination. Either Party may terminate this Agreement, effective on written notice to the other, if the other Party materially breaches this Agreement, and, if able to be cured, such breach remains uncured thirty (30) days after the non-breaching Party provides the breaching Party with written notice of such breach. Marathon may further terminate this Agreement immediately upon written notice to Customer in the event that Customer breaches Sections 1(b)-(e), Section 7, or infringe or otherwise violates Marathon’ Intellectual Property Rights in and to the Services. Either Party may terminate this Agreement with thirty (30) days’ prior written notice to the other Party for any reason (or no reason).
— Effect of Termination; Survival. Upon expiration or termination of the Agreement: (i) Customer and its Authorized Users shall immediately terminate use of the Services; all amounts due to Marathon, if any, shall be immediately due and payable; and (iii) each Party will promptly return (or destroy) all Confidential Information of the other Party in its possession or control, except for any archived electronic communications which may be stored confidentially. The rights and obligations of Marathon and Customer contained in Sections 1, 2, 5(b), and 7-10 will survive any expiration or termination of this Agreement.
Payment terms
You agree to pay any fees due from you to us regarding your Use of the Services pursuant to a Subsequent Agreement (“Fees”) monthly in arrears using the payment method that we specify in the Subsequent Agreement or to you in writing from time to time. The Fees will be a mutually agreed upon amount between you and us.
Confidentiality
Confidential Information. As used herein, “Confidential Information” means any information that one Party (the “Disclosing Party”) provides to the other (the “Receiving Party”) in connection with this Agreement, whether orally or in writing, that is designated as confidential or that reasonably should be considered to be confidential given the nature of the information, including the Services. The Receiving Party will not use or disclose any Confidential Information of the Disclosing Party except as necessary to perform its obligations or exercise its rights under this Agreement; provided that Marathon may use and modify Confidential Information of Customer in deidentified form for purposes of developing and deriving Service Information. The Receiving Party may disclose Confidential Information of the Disclosing Party only: (i) to those of its employees, contractors, agents and advisors who have a bona fide need to know such Confidential Information to perform under this Agreement and who are bound by written agreements with use and nondisclosure restrictions at least as protective of the Confidential Information as those set forth in this Agreement, or (ii) as such disclosure may be required by the order or requirement of a court, administrative agency or other governmental body, subject to the Receiving Party providing to the Disclosing Party reasonable written notice to allow the Disclosing Party to seek a protective order or otherwise contest the disclosure. The terms and conditions of this Agreement will constitute Confidential Information of each Party but may be disclosed on a confidential basis to a Party’s advisors, attorneys, actual or bona fide potential acquirers, investors or other sources of funding (and their respective advisors and attorneys) for due diligence purposes. Confidential Information will not include any information that: (i) is or becomes generally known to the public through no breach of this Agreement by the Receiving Party; (ii) is rightfully known by the Receiving Party at the time of disclosure without an obligation of confidentiality; (iii) is independently developed by the Receiving Party without access to or use of any Confidential Information of the Disclosing Party that can be evidenced in writing; or (iv) is rightfully obtained by the Receiving Party from a third-party without restriction on use or disclosure.
Customer Data. Marathon agrees to implement all appropriate technical and organizational security measures in order to protect Personal Data (as defined in the Data Protection Addendum ("DPA") appended to this Agreement as Exhibit A) against accidental or unlawful destruction, against unauthorized or unlawful disclosure or access, and against accidental loss, alteration, or damage. The terms of the DPA shall govern the Parties' obligations in relation to the treatment of Personal Data.
Disclaimer, limitation of liability
— Disclaimer. The services are provided “as is.” Marathon makes no warranty or representation regarding the services. To the maximum extent law permits, Marathon hereby disclaims all warranties and representations, whether express or implied, including any implied warranties of merchantability, fitness for a particular purpose or non-infringement, and warranties arising out of course of dealing or usage of trade. Without limiting the foregoing, Marathon hereby disclaims any warranty that use of the services or any third-party website, service, plug-in or resource accessed through the services will be available, error-free, or uninterrupted.
— Exclusion of damages. Except for (I) breach of section 7, (ii) customer’s breach of section 1, or (iii) either party’s infringement of the other’s intellectual property rights (“excluded claims”), neither party will be liable to the other for any indirect, incidental, special, exemplary, punitive or consequential damages, any loss of income, data, profits, revenue or business interruption, or the cost of cover or substitute services, arising out of or connected with this agreement.
— Limitation of liability. Except for excluded claims, in no event will either party’s total liability to the other party or its authorized users (if any) in connection with this agreement exceed the fees actually paid by customer to Marathon in the six (6) month period preceding the event giving rise to the claim or one hundred dollars ($100), whichever is greater.
— Applicability. The limitations and exclusions in this section apply whether liability arises from a claim based on contract, warranty, tort (including negligence), strict liability or otherwise, and whether or not such party was advised of the possibility of such loss or damage. The parties hereby acknowledge and agree that the limitations of liability in this section are an essential part of the basis of the bargain between the parties and will apply even if the remedies available hereunder fail their essential purpose.
Indemnification
Marathon will defend Customer against any claim, suit or proceeding brought by a third-party (“Claims”) alleging that Customer’s Use of the Services infringes or misappropriates such third party’s Intellectual Property Rights and will indemnify and hold harmless Customer against any damages and costs awarded against Customer or agreed in settlement by Marathon (including reasonable attorneys’ fees) resulting from such Claim. Marathon’s preceding obligations will not apply if the underlying Claim arises from: (i) Customer’s breach of this Agreement, negligence, willful misconduct or fraud; (ii) any Customer Materials; (iii) Customer’s failure to use any enhancements, modifications, or updates to the Services that Marathon provides; (iv) modifications to the Services by anyone other than Marathon; or (v) combinations of the Services with software, data or materials not provided by Marathon. Customer will defend, indemnify and hold harmless Marathon from and against any damages and liabilities (including court costs and reasonable attorneys’ fees) awarded in a final judgment against Marathon, and amounts agreed to in settlement with respect to each of the foregoing, to the extent arising from a Claim against Marathon that: (i) the Customer Materials or its use by Marathon in accordance with this Agreement infringes, misappropriates or violates a third-party’s Intellectual Property Rights, or rights of publicity or privacy, or result in the violation of any applicable law or regulation; (ii) is based on Customer’s or an Authorized User’s use of the Services to the extent such use was not in accordance with this Agreement; or (iii) is based on the manufacture, sale, distribution or marketing of any Customer’s products or services. Each Party’s obligations under this Section 9 depend on: (i) the Party seeking defense and indemnity (the “Indemnified Party”) providing the other Party (the “Indemnifying Party”) with prompt written notice of such Claim (with sufficient time for the Indemnifying Party to respond without prejudice); (ii) the Indemnifying Party having the exclusive right to defend or settle the Claim; and (iii) the Indemnified Party providing all reasonably necessary cooperation to the Indemnifying Party, at the Indemnifying Party’s expense, in the defense and settlement of such Claim. The Indemnified Party may participate in the defense of any Claim at its own expense.
Miscellaneous
Neither Party may assign, transfer or sublicense this Agreement, by operation of law or otherwise, without the other Party’s prior written consent, except to a successor entity in the event of a reorganization, merger, acquisition, or “change of control” transaction, and any attempt by either Party to do so, without such consent, will be void. Subject to the foregoing, this Agreement is binding upon and will inure to the benefit of each of the Parties and their respective successors and permitted assigns. “Including” means “including, without limitation.” If any provision of this Agreement is held invalid, illegal or unenforceable, that provision will be enforced to the maximum extent permitted by law, given the fundamental intentions of the Parties, and the remaining provisions of this Agreement will remain in full force and effect. This Agreement is the complete and exclusive agreement between the Parties with respect to its subject matter and supersedes all prior or contemporaneous agreements, communications and understandings, both written and oral, with respect to its subject matter. This Agreement may be amended or modified only by a written document executed by duly authorized representatives of the Parties. Nothing in this Agreement will be construed to create a partnership, joint venture or agency relationship between the Parties. Neither Party will have the power to bind the other or to incur obligations on the other’s behalf without such other Party’s prior written consent. This Agreement will be governed by and construed in accordance with the laws of the State of Delaware without giving effect to any principles of conflict of laws that would lead to the application of the laws of another jurisdiction. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in the U.S. District Court for the District of Delaware and the Parties irrevocably consent to the personal jurisdiction and venue therein. All notices required to be sent hereunder will be in writing (email being sufficient).
Exhibit A: Data Processing Addendum
Data Processing Addendum
This Data Processing Addendum (including its Exhibits) (“Addendum”) forms part of and is subject to the terms and conditions of the Agreement by and between Customer and Marathon.
1. Subject Matter and Duration.
1.1 Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Marathon execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
1.2 Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this Addendum if it is completed after the effective date of the Agreement. Marathon will Process Customer Personal Data until the relationship terminates as specified in the Agreement.
2. Definitions. For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
2.1 “Customer Personal Data” means Personal Data Processed by Marathon on behalf of Customer.
2.2 “Data Protection Laws” means the applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; the United Kingdom Data Protection Act 2018; and the Virginia Consumer Data Protection Act (in each case, as amended, adopted, or superseded from time to time).
2.3 “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
2.4 “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2.5 “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Marathon.
2.6 “Services” means the services that Marathon performs under the Agreement.
2.7 “Subprocessor(s)” means Marathon's authorized vendors and third party service providers that Process Customer Personal Data.
3. Processing Terms for Customer Personal Data.
3.1 Documented Instructions. Marathon shall Process Customer Personal Data to provide the Services in accordance with the Agreement, this Addendum, any applicable Statement of Work, and any instructions agreed upon by the parties. Marathon will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
3.2 Authorization to Use Subprocessors. To the extent necessary to fulfill Marathon's contractual obligations under the Agreement, Customer hereby authorizes Marathon to engage Subprocessors. Customer acknowledges that Subprocessors may further engage vendors.
3.3 Marathon and Subprocessor Compliance. Marathon shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this Addendum; and (ii) remain responsible to Customer for Marathon's Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
3.4 Right to Object to Subprocessors. Where required by Data Protection Laws, Marathon will notify Customer via email prior to engaging any new Subprocessors that Process Customer Personal Data and allow Customer ten (10) days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.
3.5 Confidentiality. Any person authorized to Process Customer Personal Data must be subject to a duty of confidentiality, contractually agree to maintain the confidentiality of such information, or be under an appropriate statutory obligation of confidentiality.
3.6 Personal Data Inquiries and Requests. Where required by Data Protection Laws, Marathon agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
3.7 Data Protection Assessment, Data Protection Impact Assessment, and Prior Consultation. Where required by Data Protection Laws, Marathon agrees to provide reasonable assistance and information to Customer where, in Customer’s judgement, the type of Processing performed by Marathon requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities. Customer shall reimburse Marathon for all non-negligible costs Marathon incurs in performing its obligations under this Section.
3.8 Demonstrable Compliance. Marathon agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Customer’s reasonable request.
3.9 California Specific Terms. To the extent that Marathon's Processing of Customer Personal Data is subject to the CCPA, this Section shall also apply. Customer discloses or otherwise makes available Customer Personal Data to Marathon for the limited and specific purpose of Marathon providing the Services to Customer in accordance with the Agreement and this Addendum. Marathon shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Customer Personal Data; (v) not retain, use, or disclose Customer Personal Data for any purpose (including any commercial purpose) other than to provide the Services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Marathon; and (vii) unless otherwise permitted by the CCPA, not combine Customer Personal Data with Personal Data that Marathon (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Customer may: (1) take reasonable and appropriate steps agreed upon by the parties to help ensure that Marathon Processes Customer Personal Data in a manner consistent with Customer’s CCPA obligations; and (2) upon notice, take reasonable and appropriate steps agreed upon by the parties to stop and remediate unauthorized Processing of Customer Personal Data by Marathon.
3.10 Service Optimization. Where permitted by Data Protection Laws, Customer agrees that Marathon may Process Customer Personal Data: (i) for its internal uses to build, or improve the quality of, its products and services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity
3.11 Aggregation and De-Identification. Marathon may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.
4. Information Security Program. Marathon shall use commercially reasonable efforts to implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data.
5. Security Incidents. Upon becoming aware of a Security Incident, Marathon agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
6. Cross-Border Transfers of Customer Personal Data.
6.1 Cross-Border Transfers of Customer Personal Data. Customer authorizes Marathon and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
6.2 EEA, Swiss, and UK Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to Marathon in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Exhibit A attached hereto, the terms of which are incorporated herein by reference. Each party’s signature to this Addendum shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
7. Audits and Assessments. Where Data Protection Laws afford Customer an audit or assessment right, Customer (or its appointed representative) may carry out an audit or assessment of Marathon's policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit or assessment must be: (i) conducted during Marathon's regular business hours; (ii) with reasonable advance notice to Marathon; (iii) carried out in a manner that prevents unnecessary disruption to Marathon's operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit or assessment shall be limited to once per year, unless an audit or assessment is carried out at the direction of a government authority having proper jurisdiction.
8. Customer Personal Data Deletion. At the expiry or termination of the Agreement, Marathon will delete all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Marathon's data retention schedule), except where Marathon is required to retain copies under applicable laws, in which case Marathon will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
9. Customer’s Obligations. Customer represents and warrants that: (i) it has complied and will comply with Data Protection Laws; (ii) it has provided data subjects whose Customer Personal Data will be Processed in connection with the Agreement with a privacy notice or similar document that clearly and accurately describes Customer’s practices with respect to the Processing of Customer Personal Data; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Customer Personal Data as contemplated by the Agreement; and (iv) Marathon Processing of Customer Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Customer and any third party.
10. Processing Details.
10.1 Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.
10.2 Duration. The Processing will continue until the expiration or termination of the Agreement.
10.3 Categories of Data Subjects. Data subjects whose Customer Personal Data will be Processed pursuant to the Agreement.
10.4 Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by Marathon is the performance of the Services.
10.5 Types of Customer Personal Data. Customer Personal Data that is Processed pursuant to the Agreement.
Exhibit 1 to the data processing addendum
Data Processing Addendum
This Exhibit 1 forms part of Exhibit A and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit 1 have the meaning set forth in Exhibit A.
The parties agree that the following terms shall supplement the Standard Contractual Clauses:
1. Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 3.4 of the Addendum; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
2. Annex I. Annex I to the Standard Contractual Clauses shall read as follows:
A. List of Parties
Data Exporter: Customer.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: Customer’s Designated POC.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Controller.
Data Importer: Marathon.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: Marathon's Designated POC.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Processor.
B. Description of the Transfer:
Categories of data subjects whose personal data is transferred: The categories of data subjects whose personal data is transferred under the Clauses.
Categories of personal data transferred: The categories of personal data transferred under the Clauses.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: To the parties knowledge, no sensitive data is transferred.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.
Nature of the processing: The Services.
Purpose(s) of the data transfer and further processing: The Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the Addendum.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Data importer will provide its list of subprocessors upon data exporter’s written request.
C. Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
D. Additional Data Transfer Impact Assessment Questions:
Will data importer process any personal data under the Clauses about a non-United States person that is “foreign intelligence information” as defined by 50 U.S.C. § 1801(e)?
Not to data importer’s knowledge.
Is data importer subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where personal data is stored or accessed from that would interfere with data importer fulfilling its obligations under the Clauses? For example, FISA Section 702. If yes, please list these laws:
As of the effective date of the Addendum, no court has found data importer to be eligible to receive process issued under the laws contemplated by this question, including FISA Section 702, and no such court action is pending.
Has data importer ever received a request from public authorities for information pursuant to the laws contemplated by the question above? If yes, please explain:
No.
Has data importer ever received a request from public authorities for personal data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain:
No.
E. Data Transfer Impact Assessment Outcome: Taking into account the information and obligations set forth in the Addendum and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, the personal data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the Clauses to a country that has not been found to provide an adequate level of protection under applicable data protection laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable data protection laws.
F. Clarifying Terms: The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 7 of the Addendum; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; (vi) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request; and (vii) notwithstanding anything to the contrary, data exporter will reimburse data importer for all costs and expenses incurred by data importer in connection with the performance of data importer’s obligations under Clause 15.1(b) and Clause 15.2 of the Clauses without regard for any limitation of liability set forth in the Agreement.
3. Annex II. Annex II of the Standard Contractual Clauses shall read as follows:
Data importer shall use commercially reasonable efforts to implement and maintain technical and organisational measures designed to protect personal data in accordance with the Addendum.
Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the Addendum.
4. Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:
The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.
Table 1: The start date in Table 1 is the effective date of the Addendum. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.
Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Addendum.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.