Effective as of August 17, 2020, ProductBoard, Inc. has updated its Master Subscription Agreement (“Terms”). For a prior version of our Terms, click here.
This MASTER SUBSCRIPTION AGREEMENT (the “Agreement”) is entered into as of the Effective Date, by and between Customer and ProductBoard, Inc. (“ProductBoard”) a Delaware corporation with offices at 612 Howard St., 4th Floor, San Francisco, CA 94105. Customer and ProductBoard are sometimes referred to herein individually as a “Party” and collectively as the “Parties.”
In consideration of the mutual covenants contained herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
“Affiliate” of a Party means any entity that, directly or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with, such Party. For purposes of this definition, the “control” of an entity means the direct or indirect ownership or control of more than 50% of the voting interests of such entity.
“Applicable Data Protection Law” means the following data protection law(s): (a) the EU Regulation 2016/679 and any applicable national laws made under it; and (b) the Swiss Federal Act of 19 June 1992 on Data Protection (as may be amended or superseded).
“Authentication Key” means any access key, application key or authentication key necessary for utilizing an Authorized API.
“Authorized API” means the application programming interfaces developed and enabled by ProductBoard that permit Customer to access certain functionality provided by the Subscription Services.
“Beta Services” means the features and/or functionality of the Subscription Services that may be made available to Customer to try at its option at no additional charge and which are clearly designated as beta, pilot, limited release, non-production, early access, evaluation, labs or by a similar description.
“Confidential Information” means all confidential and proprietary information of a Party (“Disclosing Party”) disclosed to the other Party (“Receiving Party”), whether orally or in writing, that is either marked or designated as confidential at the time of disclosure to the Receiving Party, or that a reasonable person should consider confidential or proprietary given the nature of the information and the circumstances under which it is disclosed. ProductBoard’s Confidential Information shall include the ProductBoard Property and the terms of this Agreement and all Order Forms. Notwithstanding the foregoing, Confidential Information shall not include any information that the Receiving Party can show: (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party; (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party; (iii) was independently developed by the Receiving Party without reference to any Confidential Information of the Disclosing Party (excluding patentable subject matter which is not subject to this exclusion); or (iv) is received from a third party without breach of any obligation owed to the Disclosing Party.
“Customer” means any individual or entity who enters into an Order Form with ProductBoard to use the Subscription Services.
“Customer Property” means any content (including text, images, illustrations, charts, tables and other materials) supplied by Customer to ProductBoard, either directly or indirectly (for example, through the Subscription Service or integration with a Third Party Product).
“Documentation” means all documentation and other instructional material made available by ProductBoard regarding the use of the Subscription Services.
“End-Users” means any person or entity other than Customer or Users with whom Customer or Users interact using the Service.
“Order Form” means an ordering document for Subscription Services purchased from ProductBoard that has been executed hereunder by the Parties (or, in the case of an online transaction, which has been electronically accepted by Customer).
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’) where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity of that natural person.
“Processing/to Process/Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“ProductBoard Property” means (i) the Subscription Services, (ii) the Documentation, and (iii) all content and other materials and software supplied by ProductBoard in connection with, or used by ProductBoard in providing, the Subscription Services.
“Subprocessor” means any third-party data processor engaged by ProductBoard, including ProductBoard’s Affiliates, that receive Customer Property from ProductBoard for Processing on behalf of Customer and in accordance with Customer’s instructions (as communicated by ProductBoard) and the terms of its written subcontract.
“Subscription Services” means the software services and platform provided by ProductBoard, including (i) the web and other user interfaces, applications, and software provided to Users and End-Users, (ii) the Authorized APIs and (iii) any modifications, updates, derivative works, optional modules, custom or standard enhancements, updates, and upgrades to or of any of the foregoing.
“Subscription Term” means the subscription period set forth in the applicable Order Form during which ProductBoard agrees to provide the Subscription Services to Customer.
“Third Party Products” means certain third party applications, systems, or services used by Customer, but not supplied by ProductBoard, that are designed to interoperate with the Subscription Services (for example, third-party ticketing and email services from which the Subscription Services can import Customer Property).
“Users” means all users that are authorized to access Customer’s account on the Subscription Services, including “Makers” and “Contributors.”
2. Subscription Services
(a) Provision of Subscription Services. Subject to the payment of all applicable Fees and for the applicable Subscription Term, ProductBoard hereby grants to Customer a non-sublicensable, non-transferable, non-exclusive right to access and use the Subscription Services in accordance with the terms and conditions of this Agreement and all Order Forms.
(b) Order Forms. Each Order Form for Subscription Services will describe additional mutually agreed-upon limitations on use of the Subscription Service, including, to the extent applicable, Fees, the Subscription Term, the number of and/or class of permitted Users and the permitted scope of use of the Subscription Services. To the extent an Order Form provides for a Subscription Term that automatically renews or provides Customer with pricing for Subscription Upgrades (as defined below), the Parties may confirm, and thereby create a binding obligation with respect to, such renewal or Subscription Upgrade via email without the need for an additional Order Form executed by the Parties.
(c) Platform Guidelines. Customer hereby acknowledges that it will at all times comply with, and ensure that all of its Users and End-Users comply with, the platform guidelines set forth on Exhibit A, which are hereby incorporated by reference (the “Platform Guidelines”).
(d) Free Trials. If Customer registers for a free trial for the Subscription Services (“Free Trial”), ProductBoard will make the Subscription Services available to Customer and its Users and End-Users on a trial basis free of charge until the earlier of (a) the end of the Free Trial period; (b) the start date of any Subscription Term purchased by Customer; or (c) termination of the Free Trial by ProductBoard in its sole discretion. Additional trial terms and conditions may appear on the Free Trial registration web page. Any such additional terms and conditions are incorporated into this Agreement by reference and are legally binding. ANY CUSTOMER PROPERTY CUSTOMER SUBMITS TO THE SUBSCRIPTION SERVICES, AND ANY CONFIGURATIONS OR CUSTOMIZATIONS MADE TO THE SUBSCRIPTION SERVICES BY OR FOR CUSTOMER DURING THE FREE TRIAL WILL BE PERMANENTLY LOST UNLESS CUSTOMER PURCHASES THE SAME SUBSCRIPTION SERVICES AS COVERED BY THE FREE TRIAL OR CUSTOMER EXPORTS SUCH CUSTOMER PROPERTY BEFORE THE END OF THE TRIAL PERIOD.
3. Fees and Payment Terms
(a) Fees. Customer will pay ProductBoard all fees specified in or otherwise incurred pursuant to an Order Form (“Fees”) in accordance with this Section 3 and the applicable Order Form. If Customer adds additional Subscription Services during a Subscription Term (a “Subscription Upgrade”), any incremental Fees associated with such Subscription Upgrade will be prorated over the remaining period of the then-current Subscription Term and charged to Customer and due and payable in accordance with Section 3(b). In addition, unless otherwise set forth in an Order Form, Customer will be deemed to have executed a Subscription Upgrade with ProductBoard if its usage of the Subscription Services exceeds the previously purchased usage levels. In any renewal Subscription Term of such Order Form, the Fees will reflect any such Subscription Upgrades. Fees are quoted and payable in United States dollars. Payment obligations are non-cancelable and Fees paid are non-refundable, except as otherwise expressly set forth in this Agreement.
(b) Invoices and Payment. By providing a credit card or other payment method accepted by ProductBoard (“Payment Method”) for the Subscription Services, Customer agrees that ProductBoard is authorized to charge to the elected Payment Method all applicable Fees when due, and any other charges Customer may incur in connection with Customer’s use of the Subscription Services. For all purchased Subscription Services, the Payment Method will be charged on a monthly basis or at the interval indicated in the applicable Order Form. If ProductBoard does not collect a Payment Method from Customer at the time of purchase, ProductBoard will invoice Customer for the charges at the email address on file with ProductBoard. Customer will pay all invoiced amounts within thirty (30) calendar days of the invoice date. Unless otherwise specified in an Order Form, Customer will pay all Fees on an annual, prepaid basis. Overdue invoices are subject to a finance charge of 1.5% per month or the maximum permitted by law, whichever is lower, plus all expenses of collection.
(c) Taxes. Customer is solely responsible for the payment of all taxes, assessments, tariffs, duties, or other fees imposed, assessed, or collected by or under the authority of any governmental body arising from ProductBoard’s provision of the Subscription Services hereunder (collectively, “Taxes”), except any taxes assessed upon ProductBoard’s net income. If ProductBoard is required to directly pay Taxes related to Customer’s use or receipt of any Services, Customer agrees to promptly reimburse ProductBoard for any amounts paid by ProductBoard.
(d) Free Trials. If Customer provides billing information when signing up for the Free Trial, Customer will not be charged by ProductBoard until the Free Trial has expired. On the last day of the Free Trial period, unless Customer previously cancelled its Subscription Services by contacting ProductBoard at firstname.lastname@example.org, Customer reserves the right to automatically charge Customer Fees applicable to the type and quantity of Subscription Services provided to Customer during the Free Trial, at ProductBoard’s then-applicable rates.
(e) Credits. ProductBoard may, at its sole discretion, choose to offer credits for the Subscription Services in various ways, including but not limited to, coupons, promotional campaigns, and referrals for ProductBoard services such as training. ProductBoard reserves the right to award credits at its sole discretion. Credits have no monetary or cash value and can only be used by Customer to offset Customer’s subsequent payments of Fees for the Subscription Services. Credits may only be applied to Fees due for the Subscription Services specifically identified by ProductBoard when issuing the credit. Credits can only be used by Customer and are non-transferable. To the extent that Customer has been awarded credits, unless the instrument (including any coupon) states an earlier expiration date, credits shall expire and no longer be redeemable twelve (12) months from the date the credit was issued.
4. Proprietary Rights
(a) Customer Property. As between Customer and ProductBoard, Customer retains all rights, title, and interest in and to the Customer Property, including all patent, copyright, trade secret, trademark or other intellectual property rights embodied in or related to the Customer Property. Except as expressly set out in this Agreement, no right, title, or license under any Customer Property is granted to ProductBoard or implied hereby, and for any Customer Property that is licensed to ProductBoard, no title or ownership rights are transferred to ProductBoard with such license.
(b) ProductBoard Property. As between ProductBoard and Customer, ProductBoard retains all right, title, and interest in and to the ProductBoard Property, including all patent, copyright, trade secret, trademark or other intellectual property rights embodied in or related to the Customer Property. Except as expressly set out in this Agreement, no right, title, or license under any ProductBoard Property is granted to Customer or implied hereby, and for any Customer Property that is licensed to ProductBoard, no title or ownership rights are transferred to Customer with such license.
(c) Licenses to ProductBoard. Customer hereby grants ProductBoard a limited, non-exclusive, non-transferable (except in connection with the permitted assignment of this Agreement), and royalty-free license to access and use the Customer Property made available to ProductBoard or any of its Affiliates, solely as necessary for ProductBoard to provide the Subscription Services to Customer pursuant to this Agreement. Additionally, Customer grants ProductBoard a non-exclusive, revocable license to use Customer’s trademarks and logos to identify Customer as a subscriber of the Subscription Services; provided that, Customer may revoke such consent at any time in its sole discretion. By submitting to ProductBoard any unsolicited suggestions, enhancement requests, comments, feedback or other input relating to the Subscription Services (“Feedback”), Customer, its Users and End-Users (as applicable) grant to ProductBoard a royalty-free, worldwide, transferable, sublicensable, irrevocable, perpetual license to use or incorporate such Feedback into the Subscription Services in any manner.
5. Data Privacy and Security
(a) Hosting and Processing. Unless otherwise specifically agreed to in writing by ProductBoard, Customer Property may be hosted by ProductBoard or its Affiliates, or their respective authorized third-party service providers, in the United States, the European Economic Area (“EEA”) or the United Kingdom.
(b) Transfer of Personal Data. To the extent that Personal Data within the Customer Property originates from a User or End-User in the EEA, as further described in the DPA, ProductBoard will ensure that, pursuant to Applicable Data Protection Law, if Personal Data within Customer Property is transferred to a country or territory outside of the EEA (a “non-EEA country”), then such transfer will only take place if: (i) the non-EEA country in question ensures an adequate level of data protection based on a decision by the European Commission; or (ii) one of the conditions listed in Article 46 or 49 GDPR (or its equivalent under any successor legislation) is satisfied; or (iii) the Personal Data is transferred on the basis of binding corporate rules.
(c) Data Processing Agreements. To the extent that the Parties are required to enter into a Data Processing Agreement (given the nature of the Customer Property, location of users and other aspects of the Subscription Services), the Data Protection Agreement entered into by the Parties (“DPA”) shall be (i) the Data Protection Agreement separately entered into by the Parties, or (ii) if no such separate Data Processing Agreement was entered into, the Data Protection Agreement set forth on Exhibit A. In addition, the California Consumer Privacy Act (CCPA) Addendum with ProductBoard can be executed here: https://www.productboard.com/ccpa. The DPA, and upon execution by Customer, the CCPA Addendum (as applicable) shall be hereby incorporated by reference herein and become a part of this Agreement.
(d) Subprocessors. Customer acknowledges and agrees that ProductBoard may use Subprocessors, who may access Customer Property, to provide, secure and improve the Subscription Services. ProductBoard shall be responsible for the acts and omissions of its Subprocessors to the same extent that ProductBoard would be responsible if ProductBoard was performing the services of each Subprocessor directly under the terms of this Agreement. A list of all Subprocessors can be found here: https://www.productboard.com/subprocessors/.
(e) In-Product Cookies. Whenever Customer, Users or End-Users interact with the Subscription Services, ProductBoard automatically receives and records information on its server logs from the browser or device, which may include IP address, “cookie” information, and the type of browser and/or device being used to access the Subscription Services, as further described here: https://www.productboard.com/cookies/. When ProductBoard collects this information, it only uses this data to (i) provide the Subscription Services or (ii) in aggregate form, and not in a manner that would identify Users or End-Users personally.
(a) Confidentiality. During the term of this Agreement and for a period of three (3) years thereafter, each Party agrees to protect the confidentiality of the Confidential Information of the other Party in the same manner that it protects the confidentiality of its own proprietary and confidential information of a like kind; provided that a Receiving Party may disclose Confidential Information of the Disclosing Party with Disclosing Party’s consent or to its Affiliates, officers, directors, employees, subcontractors, agents or prospective financing sources or acquirers who need to know such information in connection with this Agreement and who are bound by written agreements requiring the protection of such Confidential Information. This Section 6 shall supersede any non-disclosure agreement by and between Customer and ProductBoard entered prior to the Effective Date that would purport to address the confidentiality of Confidential Information and such agreement shall have no further force or effect with respect to either Party’s Confidential Information.
(b) Compelled Disclosure. If the Receiving Party is compelled by law to disclose Confidential Information of the Disclosing Party, it shall provide the Disclosing Party with prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure.
(c) Return of Confidential Information. At any time upon the request of the Disclosing Party, the Receiving Party will destroy all Confidential Information of the Disclosing Party, including all copies thereof and notes and other materials incorporating such Confidential Information, whether in physical or electronic form; provided, however, the Receiving Party shall not be required to return or destroy electronic copies that are automatically stored in accordance with Receiving Party’s generally applicable backup policies and which are not reasonably accessible by the Receiving Party (“Backup Media”). All Backup Media shall remain subject to the confidentiality obligations set forth herein, notwithstanding the expiration or termination of this Agreement, so long as it remains undeleted.
(d) Remedies. If the Receiving Party discloses or uses (or threatens to disclose or use) any Confidential Information in breach of this Section 6, the Disclosing Party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being specifically acknowledged by the Parties that any other available remedies are inadequate.
7. Warranties; Disclaimers
(a) Mutual Warranties. Each Party represents and warrants that it has the legal power and authority to enter into this Agreement.
(b) ProductBoard Warranties. ProductBoard warrants to Customer that the Subscription Services purchased by Customer will, in all material respects, perform in accordance with the applicable portions of the Documentation. This warranty shall not apply to non-conformities, errors, or problems caused by acts within the control of Customer or any of its Users or End-Users, or arising from Customer’s negligence or improper use of the Subscription Services, from unauthorized modifications made to the Subscription Services, from use of the Subscription Services in an unsupported operating environment or manner, or that arises from Customer’s or any third party’s software or systems (including Third Party Products).
(c) Customer Warranties. Customer warrants that it will not use the Subscription Services for unlawful purposes or in a manner that infringes or otherwise violates the rights of any third party.
(d) Disclaimer. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW BUT EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, (1) THE SUBSCRIPTION SERVICES ARE PROVIDED “AS-IS”; (2) NEITHER PARTY MAKES ANY ADDITIONAL WARRANTY, CONDITION, REPRESENTATION, UNDERTAKING OR GUARANTY OF ANY KIND TO THE OTHER PARTY, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, (3) EACH PARTY HEREBY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, CONDITIONS, REPRESENTATIONS, UNDERTAKINGS AND GUARANTIES, INCLUDING, WITHOUT LIMITATION, ANY WITH RESPECT TO TITLE, MERCHANTABILITY, NON-INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE, AND (4) PRODUCTBOARD’S LIABILITY UNDER ANY IMPLIED OR STATUTORY WARRANTY, CONDITION, REPRESENTATION, UNDERTAKING OR GUARANTY WHICH CANNOT BE LEGALLY EXCLUDED IS LIMITED IN RESPECT OF THE SUBSCRIPTION SERVICES TO SUPPLYING THE SUBSCRIPTION SERVICES AGAIN OR PAYING THE COST OF SUPPLYING THE SUBSCRIPTION SERVICES AGAIN.
(e) Beta Services. ProductBoard may make Beta Services available to Customer at no charge, and Customer may choose to try such Beta Services in its sole discretion. Beta Services are intended for evaluation purposes and not for production use, are not supported, and may be subject to additional terms that will be presented to Customer. Beta Services are not considered “Subscription Services” under this Agreement for purposes of Section 7 (Warranties; Disclaimer) and Section 8(a) (Indemnification by ProductBoard); however, all restrictions, ProductBoard’s reservation of rights and Customer’s obligations concerning the Subscription Service, and use of any Third Party Products shall apply equally to Customer’s use of Beta Services. Unless otherwise stated, any Beta Services trial period will expire upon the earlier of one year from the trial start date or the date otherwise specified in writing by ProductBoard. ProductBoard may discontinue Beta Services at any time in its sole discretion and may never make them generally available. Beta Services are provided “AS IS” with no express or implied warranty and are outside the scope of ProductBoard’s indemnification obligations.
(a) Indemnification by ProductBoard. ProductBoard will defend and pay Customer, its employees, directors and officers (the “Customer Indemnified Parties”) from and against any and all costs, damages and expenses (collectively, “Losses”), suffered or incurred by any Customer Indemnified Party, as a result of any claim brought by a third party (“Third Party Claim”) against a Customer Indemnified Party alleging that the use of the Subscription Services in accordance with the terms and conditions of this Agreement infringes any patent, copyright, trademark or trade secret right of such third party (an “Infringement Claim”). Without limiting the foregoing, in the event that any portion of the Subscription Services is likely to, in ProductBoard’s sole opinion, or does become the subject of an Infringement Claim, ProductBoard may, at its option and expense: (i) procure for Customer the right to continue using the allegedly infringing item, (ii) substitute a functionally equivalent non-infringing replacement for such item, or (iii) modify such item to make it non-infringing and functionally equivalent, or (iv) terminate the Agreement and any outstanding Order Forms and refund to customer prepaid unused Fees for the infringing items. ProductBoard shall have no liability for any Infringement Claim to the extent arising from (1) Customer’s use or supply to ProductBoard of any Customer Property; (2) use of the Subscription Services in combination with any software, hardware, network or system not supplied by ProductBoard if the alleged infringement relates to such combination; (3) any modification or alteration of the Subscription Services (other than by ProductBoard); or (4) Customer’s violation of applicable law or third party rights.
(b) Indemnification by Customer. Customer will defend and pay ProductBoard, its employees, directors and officers (the “ProductBoard Indemnified Parties”) from and against any and all Losses, suffered or incurred by any ProductBoard Indemnified Party, arising from any Third Party Claim against a ProductBoard Indemnified Party (i) alleging that any Customer Property or Customer’s use of the Subscription Services beyond the license granted in this Agreement infringes, violates or misappropriates any patent, copyright, trademark or trade secret right of any third party or (ii) arising from Customer’s breach of the Platform Guidelines.
(c) Indemnification Conditions. The Parties’ obligations under this Section 8 are contingent upon the indemnified party (i) giving prompt written notice to the indemnifying party of any claim subject to indemnification under this Section 8, (ii) giving the indemnifying party sole control of the defense or settlement of the claim, and (iii) cooperating in the investigation and defense of such claim(s). The indemnifying party shall not settle or consent to an adverse judgment in any such claim that adversely affects the rights or interests of the indemnified party without the prior express written consent of the indemnified party, which shall not be unreasonably withheld. The rights and remedies set forth in this Section 8 are the sole obligations of the indemnifying party and exclusive remedies available to the indemnified party in the event of an applicable Third Party Claim.
9. Limitation of Liability
(a) Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY EXCEED THE AMOUNTS ACTUALLY PAID BY AND DUE FROM CUSTOMER HEREUNDER DURING THE TWELVE (12) MONTHS PRIOR TO THE DATE ON WHICH SUCH CLAIM OR CAUSE OF ACTION AROSE (“LIABILITY CAP”). THE FOREGOING LIMITATION APPLIES EVEN IF A PARTY’S REMEDIES UNDER THIS AGREEMENT FAIL OF THEIR ESSENTIAL PURPOSE.
(b) Exclusion of Consequential and Related Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY OR TO ANY THIRD PARTY FOR ANY LOST PROFITS, LOSS OF USE OR DATA, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY OTHER INDIRECT, SPECIAL, EXEMPLARY, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. NEITHER PARTY SHALL BE RESPONSIBLE OR LIABLE FOR ANY LOSS, DAMAGE OR INCONVENIENCE SUFFERED BY THE OTHER PARTY OR BY ANY THIRD PERSON, TO THE EXTENT THAT SUCH LOSS, DAMAGE OR INCONVENIENCE IS CAUSED BY THE FAILURE OF THE OTHER PARTY TO COMPLY WITH ITS OBLIGATIONS UNDER THIS AGREEMENT.
10. Term and Termination
(a) Term of Agreement. This Agreement commences on the Effective Date and shall remain in effect until terminated in accordance with Section 10(c).
(b) Term of Subscriptions. Customer’s access to the purchased Subscription Services shall commence on the start date specified in the relevant Order Form and continue for the Subscription Term specified on such Order Form. At the expiration of each Subscription Term, the Subscription Term for all purchased Subscription Services will automatically renew for the same period as the renewing Subscription Term, unless either Party elects to not renew by notifying the other Party in writing at least 30 days before such renewal (or at any time before the renewal date, if the expiring Order Form provides for a month-to-month subscription). Except as otherwise specified in a written notice sent to Customer at least 60 days prior to a renewal (or 30 days, if the expiring Order Form provides for a month-to-month subscription), ProductBoard’s per-unit pricing for any renewal Subscription Term shall not increase by more than five percent (5%) over the renewing Subscription Term. Any introductory or temporary discount offered in a previous Subscription Term does not apply for a renewal Subscription Term. For the avoidance of doubt, the foregoing caps on price increases shall not apply to renewals in which a Customer is transitioning from a month-to-month subscription to a longer subscription.
(c) Termination. Either Party may terminate this Agreement and/or any Order Form by providing written notice to the other Party in the event the other Party materially breaches any of its duties, obligations or responsibilities under this Agreement and fails to: (i) cure such breach within thirty (30) days after receipt by the breaching Party of written notice specifying the breach, or (ii) if the breaching Party is incapable of curing such breach within thirty (30) days, provide the other Party with an acceptable plan for curing such breach within ten (10) days after receipt of such notice and thereafter curing such breach in accordance with such plan. In addition, a Party may terminate this Agreement by providing written notice to the other Party if there are no Order Forms in effect for more than thirty (30) days, continuously.
(d) Effect of Termination. Expiration or termination of one Order Form shall not affect any other Order Forms. In the event of termination of this Agreement, upon Customer’s written request made within thirty (30) days after the effective date of termination, Customer shall be entitled to export the Customer Property to the extent provided for at https://help.productboard.com/en/articles/260222-export-your-features-and-notes-into-csv for up to thirty (30) days from the date such written request is received. After such thirty (30) day period, ProductBoard shall have no obligation to maintain or provide any Customer Property and may thereafter unless legally prohibited, delete all Customer Property in its possession.
(e) Surviving Provisions. The following provisions shall survive the termination or expiration of this Agreement for any reason and shall remain in effect after any such termination or expiration: Sections 1, 3, 4, 6, 7(d), 8, 9, 10(d), 11, and Exhibit A. Termination or expiration of this Agreement shall not affect any obligation accrued or arising prior to such termination or expiration.
11. Miscellaneous Provisions
(a) Relationship. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties, and ProductBoard will be considered an independent contractor when performing any Services hereunder.
(b) Customer Affiliates. An Affiliate of Customer may purchase Services subject to the terms of this Agreement by executing Order Forms with ProductBoard hereunder. By entering into an Order Form hereunder, the Affiliate agrees to be bound by the terms of this Agreement as if it were an original party hereto.
(c) Acquired and Divested Businesses. If Customer has purchased Subscription Services under an Order Form for an unlimited number of Users within the Customer’s enterprise, a particular business unit or division or otherwise (an “ELA”), any entity or business unit acquired by Customer after the applicable Order Form date (an “Acquired Business”), including its employees, shall not be entitled to any Subscription Services provided under such Order Form. In the event an Acquired Business had previously entered into an agreement with ProductBoard (a “Prior Agreement”), its new status as a Customer Affiliate shall not create (i) any entitlement on the part of Customer to terminate a Prior Agreement or any Order Forms, (ii) any obligation of ProductBoard to refund or waive monies paid or payable under either the Prior Agreement or any Order Form, or (iii) any obligation for ProductBoard to extend or apply any favorable pricing in such Prior Agreements to purchases made under any Order Forms or to subsequent purchases made under the Prior Agreement. If an entity or business unit ceases to be owned by Customer during the Subscription Term of any ELA (a “Divested Entity”), the Divested Entity shall not be entitled to any Services provided under such Order Form after the date on which it ceases to be owned or controlled by Customer without ProductBoard’s prior written consent, which shall not be unreasonably withheld.
(d) Entire Understanding. This Agreement (including the DPA and CCPA Addendum (if applicable) and all Exhibits and Order Forms, which are incorporated herein by reference) constitutes the entire agreement between the Parties as to its subject matter, and supersedes all prior proposals, marketing materials, negotiations and other written or oral communications between the Parties with respect to the subject matter of this Agreement. To the extent of any conflict or inconsistency between the provisions in the body of this Agreement and any Order Form, the terms of such Order Form shall prevail. Notwithstanding any language to the contrary therein, all terms and conditions stated in any Customer purchase order or in any other ordering documentation (excluding Order Forms) are hereby rejected. Such terms will not be deemed incorporated into or form any part of this Agreement, and all such terms or conditions are null and void.
(e) Modification; Waiver. Except for ProductBoard’s modification or update of the Documentation or the Subscription Service, or any policies as necessary to comply with applicable law, rules, regulations, no modification of this Agreement, and no waiver of any breach of this Agreement or right under this Agreement, is legally binding against the other Party unless in writing and signed or electronically accepted by both Parties.
(f) Governing Law; Venue. The parties hereto agree that any dispute, claim or controversy arising out of or relating to this Agreement or the breach, termination, enforcement, interpretation or validity hereof or thereof, including the determination of the scope or applicability of this Agreement to arbitrate, shall be determined by final and binding arbitration in San Francisco, California (except for an action for interim equitable relief otherwise permitted under this Agreement and/or unless otherwise agreed by the parties), before a sole arbitrator, in accordance with the laws of the State of California for agreements made in and to be performed in that State. The arbitration shall be administered by JAMS (or its successor) pursuant to its Comprehensive Arbitration Rules and Procedures; provided, however, if the Parties mutually elect, the arbitration can be administered by JAMS pursuant to its Streamlined Arbitration Rules and Procedures instead of its Comprehensive Arbitration Rules and Procedures. The arbitrator’s decision shall be reduced to writing, signed by the arbitrator, and mailed to each of the parties and their legal counsel. All decisions of the arbitrator shall be final and binding. The arbitrator or a court of appropriate jurisdiction may issue a writ of execution to enforce the arbitrator’s judgment. Judgment may be entered upon such a decision in accordance with applicable law in any court having jurisdiction thereof. The Parties will pay their own costs (including, without limitation, attorneys’ fees) and expenses in connection with such arbitration.
(g) Assignment. Neither Party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior express written consent of the other Party; provided, however, a Party may assign this Agreement in its entirety, together with all rights and obligations hereunder, without consent of the other Party, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets related to this Agreement. Any attempt by a Party to assign its rights or obligations under this Agreement in breach of this section shall be void and of no effect. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the Parties, their respective successors and permitted assigns.
(h) Notices. Except for notification methods expressly permitted under the Platform Guidelines, all notices under this Agreement to Customer shall be in writing and shall be delivered to the addresses first set forth in the Order Form(s). Notices to ProductBoard shall be addressed to: ProductBoard, Inc., Attn: Legal Department, 612 Howard St., 4th Floor, San Francisco, CA 94105, with a copy to email@example.com. Either Party may change its address for notice by giving notice of such address change in the manner provided herein. All communications and notices to be made or given pursuant to this Agreement shall be in the English language.
(i) Anti-Corruption. Customer acknowledges and agrees that it has not received or been offered any illegal bribe, kickback, payment, gift or thing of value from any ProductBoard employees, agent or representative in connection with this Agreement, other than reasonable gifts and entertainment provided in the ordinary course of business. Customer will promptly notify ProductBoard if it offers or receives any such improper payment or transfer in connection with this Agreement.
(j) Force Majeure. Except for performance of a payment obligation, neither Party shall be liable under this Agreement for delays, failures to perform, damages, losses or destruction, or malfunction of any equipment, or any consequence thereof, caused or occasioned by, or due to fire, earthquake, flood, water, the elements, labor disputes or shortages, utility curtailments, power failures, explosions, civil disturbances, governmental actions, epidemics, shortages of equipment or supplies, unavailability of transportation, acts or omissions of third parties, or any other cause beyond its reasonable control. In the event any of the foregoing events results in ProductBoard not being able to provide the Subscription Services for a period of more than thirty (30) days, then either Party may terminate the Agreement upon written notice to the other Party.
(k) Export Control. The Subscription Service and related technical data and services (collectively, “Controlled Technology”) may be subject to the import and export laws of the United States, specifically the U.S. Export Administration Regulations (EAR), and the laws of any country where Controlled Technology is imported or re-exported. Customer agrees to comply with all applicable export and re-export control laws and regulations and will not export or re-export any Controlled Technology in contravention to U.S. law, nor to any prohibited country, entity, or person for which an export license or other governmental approval is required. All Controlled Technology is generally prohibited for export or re-export to Cuba, North Korea, Iran, Syria, Sudan, and any other country subject to relevant trade sanctions.
(l) Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect.
(1) Unless otherwise specified in an Order Form, (i) each User will be assigned a unique user identification name and password (“User ID”) for access to and use of the Subscription Services; and (ii) User IDs are intended for use by the designated Users only and cannot be shared. Customer agrees to provide accurate, current and complete account and User information. Customer is responsible for ensuring the security and confidentiality of all User IDs assigned to Customer and its Users. As a part of the Subscription Service, Users are given the ability to add other Users to their accounts and/or projects and, as a creator or administrator of such account and/or project, enable other Users or End-Users to access or modify Customer Property included in such account or project (including by embedding Customer Property in an iframe or creating a shareable link to such Customer Property). Customer is solely responsible for managing which Users and End-Users have access to such Customer Property and for any actions taken by such Users and End-Users with respect to such account and/or project and Customer Property.
(2) Except for uses that are expressly permitted (for example, in the Documentation or in an Order Form), Customer will not, and will ensure that Users and End-Users do not: (i) sell, resell, rent, lease, or otherwise distribute any portion of the Subscription Service; (ii) use the Subscription Services other than in accordance with the Documentation or in a manner that interferes with, unduly burdens, or disrupts the integrity, performance, or availability of the Subscription Service (for example, by conducting load tests or penetration tests without ProductBoard’s prior written consent); (iii) attempt to gain unauthorized access to the Subscription Services or to ProductBoard’s or its third party suppliers’ related systems or networks; (iv) access any portion of the Subscription Services for the purpose of building a similar or competitive product or service, or monitor the Subscription Services for any benchmarking or competitive purpose; (v) introduce, disseminate, or otherwise enable any viruses, Trojan horses, spyware, worms, malware, spam, or malicious code using the Subscription Service; (vi) copy, modify, translate, or create a derivative work of any ProductBoard Property; (vii) reverse engineer, disassemble, or decompile any software included in the ProductBoard Property, except as required under applicable law; (viii) except for contact information consisting of first name, last name, IP address and email address for which Customer has obtained necessary rights of access and use from the individual, Customer agrees not to submit other Personal Data or any sensitive personal information (including government issued identification numbers, financial account information, payment card information, and personal health information) to the Subscription Services; or (ix) alter, remove or violate any copyright or other intellectual property notice appearing in connection with the Subscription Services. 
Customer may not access the Subscription Services if it is a direct competitor of ProductBoard, except with ProductBoard’s prior written consent.
(3) Customer shall use the Authorized APIs in accordance with the Documentation, and will promptly correct any usage of Authorized APIs that does not comply with the Documentation. Authentication Keys must be restricted to use by authorized personnel of Customer who have a need to use it for purposes of integrating the Subscription Services with other web applications. Customer is solely responsible for maintaining the security of all Authentication Keys and for all activities that occur using any Authentication Key issued to Customer and must promptly notify ProductBoard of any unauthorized use. The Authentication Keys are the property of ProductBoard and may be revoked by ProductBoard in connection with any permitted suspension of Customer’s right to use an Authorized API.
(4) A high-speed Internet connection is required for proper transmission of the Subscription Services. Customer is responsible for procuring and maintaining the network connections that connect Customer’s network to the Subscription Services, including, but not limited to, “browser” software that supports protocols used by ProductBoard, including Secure Socket Layer (SSL) protocol or other protocols accepted by ProductBoard, and to follow procedures for accessing services that support such protocols. ProductBoard is not responsible for notifying Customer or its Users of any upgrades, fixes or enhancements to any such software or for any compromise of data, including Customer Property, transmitted across computer networks or telecommunications facilities (including but not limited to the Internet) which are not owned, operated or controlled by ProductBoard. ProductBoard assumes no responsibility for the reliability or performance of any connections as described in this section.
(5) ProductBoard will process and investigate proper notices of alleged copyright or other intellectual property infringement related to material submitted through Customer’s account, and will respond appropriately, following the guidelines of the Online Copyright Infringement Liability Limitation Act and other applicable intellectual property laws.
(6) Customer acknowledges that as between Customer and ProductBoard, Customer has exclusive control and responsibility for determining what data Customer, Users and End-Users submit to the Subscription Services; for obtaining all necessary consents and permissions for all Personal Data submitted by Customer, Users and End-Users to ProductBoard; and for all Processing activities of such Personal Data conducted by ProductBoard in accordance with Customer’s instructions.
(7) ProductBoard reserves the right to monitor the use of the Subscription Services for security and operational purposes and make modifications to the features and functionality of the Subscription Services during the Subscription Term. ProductBoard may immediately suspend or throttle access to the Subscription Services if (i) ProductBoard reasonably believes that a User or Customer is in breach of this Agreement; (ii) a User or Customer engages in excessive utilization of the Subscription Services which affects, or could reasonably likely (in ProductBoard’s opinion) affect, system availability or performance, or (iii) if ProductBoard in good faith suspects that any third party has gained unauthorized access to the Subscription Services using a credential issued by ProductBoard to Customer or its Users. In addition, ProductBoard may temporarily suspend access to the Subscription Services during planned downtime for upgrades and maintenance (of which ProductBoard will use commercially reasonable efforts to provide Users notice in accordance with paragraph 9 below). ProductBoard shall not be liable to Customer, its Users, End-Users or any other third party for any such modification, suspension or discontinuation of Customer’s rights to access and use the Subscription Services.
(8) ProductBoard may use data concerning Customer’s, its Users’ or End Users’ use of the Subscription Services in an aggregated and anonymous manner (“Usage Information”), including but not limited to compiling statistical and performance information related to the operation of the Subscription Services. In addition and notwithstanding anything to the contrary, ProductBoard shall have the right to use Customer Property to improve the Subscription Service and to develop additional offerings. The foregoing shall not limit, in any way, ProductBoard’s confidentiality obligations as set forth in Section 6 of the Agreement. Customer agrees that ProductBoard may make such information publicly available, provided that (i) such information does not incorporate any Customer Property and (ii) such use does not identify Customer or any Users or End Users either directly or indirectly. ProductBoard retains all intellectual property rights in Usage Information.
(10) Customer is solely responsible for obtaining and maintaining all rights, licenses, and credentials necessary to use Third Party Products. In addition, Customer is solely responsible for installing, operating, updating, or otherwise maintaining the operation of such Third Party Products. To the maximum extent permitted by applicable law, ProductBoard does not provide any warranties, guaranties or indemnification regarding any Third Party Products, whether or not such products or services are designated by ProductBoard as “certified,” “validated” or otherwise. ProductBoard does not have any responsibility or liability for any exchange of data or other interaction occurring directly between Customer or its Users and any provider of a Third Party Product. If the availability of all or a portion of the Subscription Services depends on the corresponding availability of Third Party Products, ProductBoard will not be liable to Customer if changes in Third Party Products cause the unavailability of all or a portion of the Subscription Services. However, ProductBoard will use commercially reasonable efforts to update the Subscription Services to ensure continued interoperation with Third Party Products. Further, Customer acknowledges and agrees that if it gives a Third Party Product access to its ProductBoard account, Customer shall serve as the controller of such information and the Third Party Service Provider serves as the processor for purposes of those data laws and regulations that apply to Customer. In no case are such Third Party Service Providers ProductBoard’s Subprocessors.
ProductBoard Data Processing Agreement
This Data Processing Agreement (the “DPA”) is made between ProductBoard as the data processor (the “Data Processor”) and the Subscriber as the data controller (the “Data Controller”) to reflect the parties’ agreement with respect to the terms governing the Processing of Personal Data under the Agreement. To the extent of any conflict between the DPA and the Agreement, the DPA shall govern.
- Capitalized terms used in this DPA shall have the meanings given to them in the Agreement and below:
- Applicable Data Protection Law: means the following data protection law(s): (i) where Data Controller is established in a European Economic Area (“EEA”) member state or where Data Controller’s Agents or End-Users access the Services from an EEA member state: GDPR; and (ii) where Data Controller is established in Switzerland, the Swiss Federal Act of 19 June 1992 on Data Protection (as may be amended or superseded).
- Standard Contractual Clauses means Schedule 3 of this DPA forming part of this DPA.
- Sub-processor: means any third party data processor engaged by Data Processor, who receives Personal Data from Data Processor for processing on behalf of Data Controller and in accordance with Data Controller’s instructions (as communicated by Data Processor) and the terms of its written subcontract.
- Supervisor: means any data protection supervisory authority with competence over Data Controller’s and Data Processor’s Processing of Personal Data.
- Pursuant to the Agreement the Data Controller is granted a license to access and use the Service. In providing the Service, Data Processor will engage, on behalf of Data Controller, in the Processing of Personal Data submitted to and stored within the Service by Data Controller.
- The parties are entering into this DPA to ensure that the Processing by Data Processor of Personal Data, within the Service by Data Controller and/or on its behalf, is done in a manner compliant with Applicable Data Protection Law and its requirements regarding the collection, use and retention of Personal Data of Data Subjects.
- OWNERSHIP OF THE SERVICE DATA
- As between the parties, all Service Data Processed under the terms of this DPA and the Agreement shall remain the property of Data Controller. Under no circumstances will Data Processor act, or be deemed to act, as a “controller” (or equivalent concept) of the Service Data Processed within the Service under any Applicable Data Protection Law.
- OBLIGATIONS OF DATA PROCESSOR
- The parties agree that the subject-matter and duration of Processing performed by Data Processor under this DPA, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 of this DPA and in the Agreement.
- As part of Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as follows:
- to process Personal Data in accordance with Data Controller’s documented instructions as set out in the Agreement and this DPA or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Applicable Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
- to ensure that all staff and management of any member of the Processor are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- to implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a “Data Security Breach”), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected;
- to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller’s Service Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;
- to comply with the requirements of Section 5 (Use of Sub-processors) when engaging a Sub-processor;
- taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a “Data Subject Request”). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Data Processor, Data Processor shall, on Data Controller’s request and at Data Controller’s reasonable expense, address the Data Subject Request, as required under the Applicable Data Protection Law;
- upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Applicable Data Protection Law;
- upon termination of Data Controller’s access to and use of the Service, to comply with the requirements of Section 9 (Return and Destruction of Personal Data);
- to comply with the requirements of Section 6 (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DPA; and
- to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DPA, including the measures detailed in Schedule 2 to this DPA.
- Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller’s Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
- USE OF SUB-PROCESSORS
- Data Controller agrees (also for the purpose of Clause 11 of the Standard Contractual Clauses) that Data Processor may appoint Sub-processors to assist it in providing the Service and Processing Personal Data provided that such Sub-processors:
- agree to act only on Data Processor’s instructions when Processing the Personal Data (which instructions shall be consistent with Data Controller’s Processing instructions to Data Processor); and
- agree to protect the Personal Data to a standard consistent with the requirements of this DPA, including by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they Process consistent with the Security Standards described in Schedule 2.
- In the event that Data Controller objects to the Processing of its Personal Data by any newly appointed Sub-Processor as described in Section 5.2, it shall inform Data Processor immediately. In such event, Data Processor will either (a) instruct the Sub-Processor to cease any further processing of Data Controller’s Personal Data, in which event this DPA shall continue unaffected, or (b) allow Data Controller to terminate this DPA (and any related services DPA with Data Processor) immediately and provide it with a pro rata reimbursement of any sums paid in advance for Services to be provided but not yet received by Data Controller as of the effective date of termination.
- In addition, and as stated in the Agreement, the Service provides links to integrations with Other Services, including, without limitation, certain Other Services which may be integrated directly into Data Controller’s account or instance in the Service. If Data Controller elects to enable, access or use such Other Services, its access and use of such Other Services is governed solely by the terms and conditions and privacy policies of such Other Services, and Data Processor does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Other Services, including, without limitation, their content or the manner in which they handle Service Data (including Personal Data) or any interaction between Data Controller and the provider of such Other Services. Data Processor is not liable for any damage or loss caused or alleged to be caused by or in connection with Data Controller’s enablement, access or use of any such Other Services, or Data Controller’s reliance on the privacy practices, data security processes or other policies of such Other Services. The providers of Other Services shall not be deemed Sub-processors for any purpose under this DPA.
- The parties acknowledge that Data Processor may use external auditors to verify the adequacy of its security measures, including the security of the physical data centres from which Data Processor provides its data processing services.
- Data Processor shall provide responsive and detailed information to Data Controller’s requests for information (including any requests by Data Controller under instruction from Data Subjects), which may include responses to relevant information security and audit questionnaires.
- At Data Controller’s written request, Data Processor will provide Data Controller with a confidential summary of the Report (“Summary Report”) so that Data Controller can reasonably verify Data Processor’s compliance with the security and audit obligations under this DPA. The Summary Report will constitute Data Processor’s Confidential Information under the confidentiality provisions of Data Processor’s Agreement.
- INTERNATIONAL DATA EXPORTS
- Data Controller acknowledges that Data Processor and its Sub-processors may maintain data processing operations in countries that are outside of the EEA and Switzerland. As such, both Data Processor and its Sub-processors may Process Personal Data in non-EEA and non-Swiss countries. This will apply even where Data Controller has agreed with Data Processor to host Personal Data in the EEA if such non-EEA Processing is necessary to provide support-related or other services requested by Data Controller.
- The Standard Contractual Clauses will apply to the Processing of Personal Data by Data Processor under the Agreement. Upon the incorporation of this DPA into the Agreement, the Data Controller and the Data Processor are agreeing to the Standard Contractual Clauses and all appendices attached thereto. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- The Standard Contractual Clauses apply only to Personal Data that is transferred from the EEA or Switzerland to outside the EEA or Switzerland, either directly or via onward transfer, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR), and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to binding corporate rules for processors.
- OBLIGATIONS OF DATA CONTROLLER
- As part of Data Controller receiving the Service under the Agreement, Data Controller agrees and declares as follows:
- it is solely responsible for the accuracy of Personal Data and the means by which such Personal Data is acquired and the Processing of Personal Data by Data Controller, including instructing Processing by Data Processor in accordance with this DPA, is and shall continue to be in accordance with all the relevant provisions of the Applicable Data Protection Law, particularly with respect to the collection, security, protection and disclosure of Personal Data;
- that if Processing by Data Processor involves any “special” or “sensitive” categories of Personal Data (as defined under Applicable Data Protection Law), Data Controller has collected such Personal Data in accordance with Applicable Data Protection Law;
- that Data Controller will inform its Data Subjects:
- about its use of data processors to Process their Personal Data, including Data Processor, to the extent required under Applicable Data Protection Law; and
- that their Personal Data may be Processed outside of the European Economic Area;
- that it shall notify to the Data Controller the contact details of the EU representative of the Data Controller, if applicable; and of the data protection officer of the Data Controller, if appointed;
- that it shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data by Data Controller, and to give appropriate instructions to Data Processor in a timely manner; and
- that it shall respond in a reasonable time to enquiries from a Supervisor regarding the Processing of relevant Personal Data by Data Controller.
- RETURN AND DESTRUCTION OF PERSONAL DATA
- Upon the termination of Data Controller’s access to and use of the Service, Data Processor will, up to thirty (30) days following such termination, permit Data Controller to export its Service Data, at its expense, in accordance with the capabilities of the Service. Following such period, Data Processor shall have the right to delete all Service Data stored or Processed by Data Processor on behalf of Data Controller in accordance with Data Processor’s deletion policies and procedures. Data Controller expressly consents to such deletion.
- This DPA will remain in force as long as Data Processor Processes Personal Data on behalf of Data Controller under the Agreement.
- LIMITATION ON LIABILITY
- UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) WILL EITHER PARTY TO THIS DPA, OR THEIR AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SERVICE PROVIDERS, SUPPLIERS OR LICENSORS BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY LOST PROFITS, LOST SALES OR BUSINESS, LOST DATA (BEING DATA LOST IN THE COURSE OF TRANSMISSION VIA DATA CONTROLLER’S SYSTEMS OR OVER THE INTERNET THROUGH NO FAULT OF DATA PROCESSOR), BUSINESS INTERRUPTION, LOSS OF GOODWILL, OR FOR ANY TYPE OF INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL OR PUNITIVE LOSS OR DAMAGES, REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES.
- NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS DPA OR THE TERMS, DATA PROCESSOR’S AGGREGATE LIABILITY TO DATA CONTROLLER OR ANY THIRD PARTY ARISING OUT OF THIS DPA AND ANY LICENSE, USE OR EMPLOYMENT OF THE SERVICE, SHALL IN NO EVENT EXCEED THE LIMITATIONS SET FORTH IN THE TERMS.
- FOR THE AVOIDANCE OF DOUBT, THIS SECTION SHALL NOT BE CONSTRUED AS LIMITING THE LIABILITY OF EITHER PARTY WITH RESPECT TO CLAIMS BROUGHT BY DATA-SUBJECTS.
- This DPA may not be amended or modified except by a writing signed by both parties hereto. This DPA may be executed in counterparts. The terms and conditions of this DPA are confidential and each party agrees and represents, on behalf of itself, its employees and agents to whom it is permitted to disclose such information that it will not disclose such information to any third party; provided, however, that each party shall have the right to disclose such information to its officers, directors, employees, auditors, attorneys and third party contractors who are under an obligation to maintain the confidentiality thereof and further may disclose such information as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction or as reasonably necessary to comply with any applicable law or regulation. Data Controller may not, directly or indirectly, by operation of law or otherwise, assign all or any part of its rights under this DPA or delegate performance of its duties under this DPA without Data Processor’s prior consent, which consent will not be unreasonably withheld. Data Processor may, without Data Controller’s consent, assign this DPA to any affiliate or in connection with any merger or change of control of Data Processor or the sale of all or substantially all of its assets provided that any such successor agrees to fulfil its obligations pursuant to this DPA. Subject to the foregoing restrictions, this DPA will be fully binding upon, inure to the benefit of and be enforceable by the parties and their respective successors and assigns. This DPA and the Agreement constitute the entire understanding between the parties with respect to the subject matter herein, and shall supersede any other arrangements, negotiations or discussions between the parties relating to that subject-matter.
- GOVERNING LAW AND JURISDICTION
- This DPA shall be governed by the laws of the State of California without regard to conflict of laws principles. The parties hereby expressly agree to submit to the exclusive personal jurisdiction of the federal and state courts of the State of California, San Francisco County, for the purpose of resolving any dispute relating to this DPA.
Schedule 1: Subject Matter and Details of the Data Processing
Data Processor’s provision of the Services and related technical support to the Data Controller.
Duration of the Processing
The applicable Subscription Term (as defined in the Agreement) plus the period from expiry of such Subscription Term until deletion of all Service Data by the Data Processor in accordance with the DPA.
Nature and Purpose of the Processing
The Data Processor will process Service Data, which qualify as Personal Data, submitted, stored, sent or received by the Data Controller, Users or End-Users (both as defined in the Agreement) via the Services for the purposes of providing the Services and related technical support to Customer in accordance with the DPA.
Categories of Data
Personal data submitted, stored, sent or received by the Data Controller, Users or End-User via the Services may include the following categories of data: user IDs, email, documents, presentations, images, calendar entries, tasks and other data.
Personal data submitted, stored, sent or received via the Services may concern the following categories of data subjects: Users including Data Processor’s employees and contractors; Users including Data Processor’s customers, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with Users and End-Users.
Schedule 2: Security Measures
- Physical Access Controls: Data Processor shall take reasonable measures to prevent physical access, such as security personnel and secured buildings and factory premises, to prevent unauthorized persons from gaining access to Personal Data, or ensure third parties operating data centers on its behalf are adhering to such controls.
- System Access Controls: Data Processor shall take reasonable measures to prevent Personal Data from being used without authorization. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.
- Data Access Controls: Data Processor shall take reasonable measures to provide that Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access; and, that Personal Data cannot be read, copied, modified or removed without authorization in the course of Processing.
- Transmission Controls: Data Processor shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Service Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
- Input Controls: Data Processor shall take reasonable measures to provide that it is possible to check and establish whether and by whom Service Data has been entered into data processing systems, modified or removed. Data Processor shall take reasonable measures to ensure that (i) the Personal Data source is under the control of Data Controller; and (ii) Personal Data integrated into the Service is managed by secured transmission from Data Controller.
- Data Backup: Back-ups of the databases in the Service are taken on a regular basis, are secured, and encrypted to ensure that Personal Data is protected against accidental destruction or loss when hosted by Data Processor.
- Legal Separation: Data from different Data Processor’s subscriber environments is logically segregated on Data Processor’s systems to ensure that Personal Data that is collected for different purposes may be Processed separately.
Schedule 3: Standard contractual clauses
The entity identified as the “Data Controller” in the DPA (the ‘data exporter’) and the entity identified as the “Data Processor” in the DPA (the ‘data importer’, each a ‘party’; together ‘the parties’), have agreed on the following Contractual Clauses (the ‘Clauses’) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1 Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in the GDPR;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2 Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3 Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4 Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5 Obligations of the data importer
Note: Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
Clause 6 Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Clause 7 Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8 Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
Clause 9 Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10 Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11 Sub-processing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12 Obligation after the termination of personal data-processing services
1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses.
The data exporter is using certain services of data importer as described in the Agreement.
The data importer is a provider of certain services as described in the Agreement.
The personal data transferred are as described in Schedule 1 of the DPA.
Categories of data
The personal data transferred are as described in Schedule 1 of the DPA.
Special categories of data (if appropriate)
The personal data transferred do not concern any special categories of data unless expressly agreed otherwise between the data exporter and the data importer.
The personal data transferred will be subject to the processing activities as described in Schedule 1 of the DPA.
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses.
The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are described in Schedule 2 of the DPA.