MASTER SUBSCRIPTION AGREEMENT

THIS MASTER SUBSCRIPTION AGREEMENT (“AGREEMENT”) IS BETWEEN YOU AND CHILI PIPER, INC., A DELAWARE CORPORATION AND THIS AGREEMENT GOVERNS YOUR ACQUISITION AND USE OF OUR SERVICES.

BY STARTING USING OUR SERVICES (OR BY CLICKING TO ACCEPT, EXECUTING AN ORDER FORM THAT REFERENCES, OR OTHERWISE AGREEING TO THIS MASTER SUBSCRIPTION AGREEMENT WHEN SUCH OPTION IS MADE AVAILABLE TO YOU), YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT EFFECTIVE AS OF THE DATE OF SUCH ACTION. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THIS AGREEMENT, IN WHICH CASE THE TERMS “YOU” OR “YOUR” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THE TERMS AND CONDITIONS OF THIS AGREEMENT, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT ACCESS OR USE THE SERVICES.

You may not access the Services if You are Our direct competitor, except with Our prior written consent. In addition, You may not access the Services for purposes of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes.

This Agreement was last updated on 12/20/2022. 

1. DEFINITIONS

“Affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Documentation” means the Service Description, user guides, blog posts, and other technical and operations documents and specifications for the Services located on the domain chilipiper.com, as updated from time to time. You acknowledge that You have had the opportunity to review the Documentation.

“Malicious Code” means viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs.

“Services” means the products and services made available by Us online via the customer login link at https://www.chilipiper.com and/or other web pages designated by Us, including associated offline components, as described in the Documentation. “Services” exclude Third-Party Applications.

“Subscription” means a subscription to the Services based on the Services offerings and prices listed at https://www.chilipiper.com/pricing/.

“Order Form” means the invoice or online form used for placing orders, including the type and number of Subscriptions.

“Subscription Tier” means the applicable tier level at the associated price for respective Services offerings as listed at https://www.chilipiper.com/pricing/.

“Subscription Term” means the term of a Subscription as set forth in the applicable Order Form.

“Service Description” means the description of the features, functions, pricing, limitations, and restrictions (including acceptable use policies and the service terms for specific Services) associated with a Service and located at https://www.chilipiper.com, as updated from time to time.

“Third-Party Applications” means online applications and offline software products that are provided by entities or individuals other than Us and are clearly identified as such, and that interoperate with the Services.

“Users” means individuals who are authorized by You to use the Services, for whom subscriptions to a Service have been ordered. Users may include but are not limited to Your employees, consultants, contractors and agents, and third parties with which You transact business.

“We,” “Us” or “Our” means Chili Piper, Inc.

“You” or “Your” means the company or other legal entity for which you are accepting this Agreement, and Affiliates of that company or entity.

“Your Data” means all electronic data or information submitted by You to, or made available by You to and collected by Us as part of, the Purchased Services.

“Your Systems” means the systems, tools or applications (including those developed by, or licensed from, a third party) made available by You to the Services.

2. PROVISION OF SERVICES

We shall make the purchased Services available to You pursuant to this Agreement and the relevant Order Forms during a Subscription Term. You agree that Your purchases hereunder are neither contingent on the delivery of any future functionality or features nor dependent on any oral or written public comments made by Us regarding future functionality or features.

3. SUBSCRIPTIONS

Unless otherwise specified in the applicable Order Form, (i) Services are purchased as Subscriptions, and where applicable, at the referenced Subscription Tier in the Order Form and may be accessed by no more than the specified number of Users specified in the Order Form, (ii) additional Subscriptions may be added during the applicable Subscription Term at the same pricing as that for the pre-existing Subscriptions thereunder, prorated for the remainder of the Subscription Term in effect at the time the additional Subscriptions are added, and (iii) the added Subscriptions shall terminate on the same date as the pre-existing Subscriptions. Unless otherwise specified in the applicable Order Form, Subscriptions are for designated Users only and cannot be shared or used by more than one User but may be reassigned to new Users replacing former Users who no longer require ongoing use of the Services. 

4. USE OF THE SERVICES

4.1. Our Responsibilities.

We shall: (i) provide Our basic support for the purchased Services to You at no additional charge, and/or upgraded support if purchased separately, (ii) use commercially reasonable efforts to make the purchased Services available 24 hours a day, 7 days a week, except for: (a) planned downtime (of which We shall give at least 8 hours notice via the purchased Services and which We shall schedule to the extent practicable during the hours from 9:00 p.m. to 6:00 a.m. Eastern Time), or (b) any unavailability caused by circumstances beyond Our reasonable control, including without limitation, acts of God, acts of government, floods, fires, earthquakes, civil unrest, acts of terror, strikes or other labor problems (other than those involving Our employees), Internet service provider failures or delays, or denial of service attacks, and (iii) provide the purchased Services only in accordance with applicable laws and government regulations.

4.2. Your Responsibilities.

You shall: (i) be responsible for Users’ compliance with this Agreement, (ii) be responsible for the accuracy, quality and legality of Your Data and of the means by which You acquired Your Data, (iii) be responsible for ensuring that Your Systems meet the specifications set forth in the Documentation, (iv) be responsible for providing Us with the right to access and use Your Data and Your Systems, solely as necessary for Us to provide the Services in accordance with this Agreement, (v) use commercially reasonable efforts to prevent unauthorized access to or use of the Services, and notify Us promptly of any such unauthorized access or use, and (vi) use the Services only in accordance with the Documentation and applicable laws and government regulations. You shall not: (a) make the Services available to anyone other than Users, (b) sell, resell, rent or lease the Services, (c) use the Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights, (d) use the Services to store or transmit Malicious Code, (e) interfere with or disrupt the integrity or performance of the Services or third-party data contained therein, or (f) attempt to gain unauthorized access to the Services or their related systems or networks.

4.3. Usage Limitations.

Services may be subject to other limitations, such as, for example, limits on disk storage space, API usage and other limitations as specified in the Documentation.

5. DATA PROTECTION

5.1. Our Protection of Your Data.

We shall design, engineer and maintain appropriate administrative, physical, and technical safeguards, in accordance with industry practice, for protection of the security, confidentiality and integrity of Your Data. We shall not: (a) modify Your Data, (b) disclose Your Data except as compelled by law in accordance with Section 6.3 (Compelled Disclosure) or as expressly permitted in writing by You, or (c) access Your Data except to provide the Services and prevent or address service or technical problems, or at Your request in connection with customer support matters.

5.2. Our Limited Rights to Your Data and Systems.

Subject to the limited rights granted by You hereunder, We acquire no right, title or interest from You or Your licensors under this Agreement in or to Your Data or Your Systems, including any intellectual property rights therein.

5.3. Processing subject to EU General Data Protection Regulation

Notwithstanding the aforementioned, if you as a data controller are subject to the EU General Data Protection Regulation, Regulation (EU) 2016/679, Parties have agreed to enter into a data processor agreement prior to any processing of Your Data. The data processor agreement is attached to this Agreement (Exhibit A) and together with its annexes, forms an integral part of this Agreement.

6. CONFIDENTIALITY

6.1. Definition of Confidential Information.

As used herein, “Confidential Information” means all confidential information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Your Confidential Information shall include Your Data and Your Systems; Our Confidential Information shall include the Services; and Confidential Information of each party shall include the terms and conditions of this Agreement and all Order Forms, as well as business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party. However, Confidential Information (other than Your Data and Your Systems) shall not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party. For the avoidance of doubt, the non-disclosure obligations set forth in this “Confidentiality” section apply to Confidential Information exchanged between the parties in connection with Your evaluation of additional services offered by Us from time to time.

6.2. Protection of Confidential Information.

The Receiving Party shall use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care) (i) not to use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, and (ii) except as otherwise authorized by the Disclosing Party in writing, to limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees, contractors and agents who need such access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein. Neither party shall disclose the terms of this Agreement or any Order Form to any third party other than its Affiliates and their legal counsel and accountants without the other party’s prior written consent.

6.3. Compelled Disclosure.

The Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information.

7. THIRD-PARTY APPLICATIONS

The Services may contain features designed to interoperate with Third-Party Applications (e.g., Salesforce, Google, LinkedIn or Twitter applications). To use such features, You may be required to obtain access to such Third-Party Applications from their providers. If the provider of any such Third-Party Application ceases to make the Third-Party Application available for interoperation with the corresponding Service features on reasonable terms, We may cease providing such Service features without entitling You to any refund, credit, or other compensation.

8. FEES AND PAYMENT FOR PURCHASED SERVICES

8.1. Fees.

Applicable fees are due upon your acceptance of the Order Form and in accordance with the billing frequency stated in the applicable Order Form. Except as otherwise specified herein or in an Order Form, (i) payment obligations are non-cancelable and fees paid are non-refundable, and (ii) the number of Subscriptions purchased cannot be decreased during the relevant Subscription Term stated on the Order Form.

Unless specified otherwise in the applicable Order Form, Subscriptions require a three month minimum commitment and Subscription fees are based on annual periods that begin on the Subscription start date and each anniversary thereof. Except as provided in this Section 8.1 below, Subscriptions added in the middle of a monthly period will be charged for that full monthly period and the monthly periods remaining in the Subscription Term.

If You exceed the usage of such Subscription Tier for three (3) consecutive months, You hereby agree that We may increase Your Subscription fees for such Subscription to the applicable Subscription Tier for the remainder of the Subscription Term.

8.2. Invoicing and Payment.

If You provide credit card information to Us, You authorize Us to charge such credit card for all Subscriptions listed in the Order Form for the initial Subscription Term and any renewal Subscription Term(s) as set forth in Section 13.2 (Term of Purchased Subscriptions). Such charges shall be made in advance of any Subscription Term, either annually or in accordance with any different billing frequency stated in the applicable Order Form. If the Order Form specifies that payment will be by a method other than a credit card, We will invoice You in advance and otherwise in accordance with the relevant Order Form. You are responsible for providing complete and accurate billing and contact information to Us and notifying Us of any changes to such information.

8.3. Overdue Charges & Suspension of Service.

If any charges are not received from You by the due date, then at Our discretion, (a) such charges may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid, and/or (b) we may suspend Our services to You until such charges are paid in full. We will give You at least 5 days’ prior notice that Your account is overdue, in accordance with Section 14.1 (Manner of Giving Notice), before suspending services to You.

8.4. Payment Disputes.

We shall not exercise Our rights under Section 8.3 (Overdue Charges & Suspension of Service) if You are disputing the applicable charges reasonably and in good faith and are cooperating diligently to resolve the dispute.

8.5. Taxes.

Unless otherwise stated, Our fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including but not limited to value-added, sales, use or withholding taxes, assessable by any local, state, provincial, federal or foreign jurisdiction (collectively, “Taxes”). You are responsible for paying all Taxes associated with Your purchases hereunder. If We have the legal obligation to pay or collect Taxes for which You are responsible under this paragraph, the appropriate amount shall be invoiced to and paid by You, unless You provide Us with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, We are solely responsible for taxes assessable against Us based on Our income, property and employees.

9. PROPRIETARY RIGHTS

9.1. Reservation of Rights in Services.

Subject to the limited rights expressly granted hereunder, We reserve all rights, title and interest in and to the Services, including all related intellectual property rights. No rights are granted to You hereunder other than as expressly set forth herein.

9.2. Restrictions.

You shall not: (i) permit any third party to access the Services except as permitted herein or in an Order Form, (ii) create derivative works based on the Services except as authorized herein, (iii) copy, frame or mirror any part or content of the Services, other than copying or framing on Your own intranets or otherwise for Your own internal business purposes, (iv) reverse engineer the Services, or (v) access the Services in order to: (a) build a competitive product or service, or (b) copy any features, functions or graphics of the Services.

9.3. Your Applications and Code.

If You, a third party acting on Your behalf, or a User creates applications or program code using the Services, You authorize Us to host, copy, transmit, display and adapt such applications and program code, solely as necessary for Us to provide the Services in accordance with this Agreement. Subject to the above, We acquire no right, title or interest from You or Your licensors under this Agreement in or to such applications or program code, including any intellectual property rights therein.

9.4. Suggestions.

We shall have a royalty-free, worldwide, irrevocable, perpetual license to use and incorporate into the Services any suggestions, enhancement requests, recommendations or other feedback provided by You, including Users, relating to the operation of the Services.

9.5. Federal Government End Use Provisions.

We provide the Services, including related software and technology, for ultimate federal government end use solely in accordance with the following: Government technical data and software rights related to the Services include only those rights customarily provided to the public as defined in this Agreement. This customary commercial license is provided in accordance with FAR 12.211 (Technical Data) and FAR 12.212 (Software) and, for Department of Defense transactions, DFAR 252.227-7015 (Technical Data – Commercial Items) and DFAR 227.7202-3 (Rights in Commercial Computer Software or Computer Software Documentation). If a government agency has a need for rights not conveyed under these terms, it must negotiate with Us to determine if there are acceptable terms for transferring such rights, and a mutually acceptable written addendum specifically conveying such rights must be included in any applicable contract or agreement.

10. WARRANTIES AND DISCLAIMERS

10.1. Our Warranties.

We warrant that: (i) We have validly entered into this Agreement and have the legal power to do so, (ii) the Services shall perform materially in accordance with the Documentation, and (iii) subject to Section 7 (Third-Party Applications), the functionality of the Services will not be materially decreased during a Subscription Term. For any breach of a warranty above, Your exclusive remedy shall be as provided in Section 13.3 (Termination for Cause) and Section 13.4 (Refund or Payment upon Termination) below.

10.2. Your Warranties.

You warrant that You have validly entered into this Agreement and have the legal power to do so.

10.3. Disclaimer.

EXCEPT AS EXPRESSLY PROVIDED HEREIN, NEITHER PARTY MAKES ANY WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.

10.4. Beta Services.

From time to time We may invite You to try, at no charge, Our products or services that are not generally available to Our customers (“Beta Services”). You may accept or decline any such trial in Your sole discretion. Any Beta Services will be clearly designated as beta, pilot, limited release, developer preview, non-production or by a description of similar import. Beta Services are provided for evaluation purposes and not for production use, are not supported, may contain bugs or errors, and may be subject to additional terms. BETA SERVICES ARE NOT CONSIDERED “SERVICES” HEREUNDER AND ARE PROVIDED “AS IS” WITH NO EXPRESS OR IMPLIED WARRANTY. We may discontinue Beta Services at any time in Our sole discretion and may never reinstate them.

11. MUTUAL INDEMNIFICATION

11.1. Indemnification by Us.

We shall defend You against any claim, demand, suit, or proceeding made or brought against You by a third party alleging that the use of the Services as permitted hereunder infringes or misappropriates the intellectual property rights of a third party (a “Claim Against You”), and shall indemnify You for any damages, attorney fees and costs finally awarded against You as a result of, and for amounts paid by You under a court-approved settlement of, a Claim Against You; provided that You: (a) promptly give Us written notice of the Claim Against You; (b) give Us sole control of the defense and settlement of the Claim Against You (provided that We may not settle any Claim Against You without your prior approval unless the settlement unconditionally releases You of all liability); and (c) provide to Us all reasonable assistance, at Our expense. In the event of a Claim Against You, or if We reasonably believe the Services may infringe or misappropriate, We may in Our discretion and at no cost to You: (i) modify the Services so that they no longer infringe or misappropriate, without breaching Our warranties under Section 10.1 (Our Warranties) above, (ii) obtain a license for Your continued use of the Services in accordance with this Agreement, or (iii) terminate Your Subscriptions for such Services upon 30 days’ written notice and refund to You any prepaid fees covering the remainder of the term of such User subscriptions after the effective date of termination.

11.2. Indemnification by You.

You shall defend Us against any claim, demand, suit or proceeding made or brought against Us by a third party alleging that Your Data, Our use of Your Systems to provide the Services in accordance with this Agreement, or Your use of the Services in breach of this Agreement, infringes or misappropriates the intellectual property rights of a third party or violates applicable law (a “Claim Against Us”), and shall indemnify Us for any damages, attorney fees and costs finally awarded against Us as a result of, or for any amounts paid by Us under a court-approved settlement of, a Claim Against Us; provided that We: (a) promptly give You written notice of the Claim Against Us; (b) give You sole control of the defense and settlement of the Claim Against Us (provided that You may not settle any Claim Against Us unless the settlement unconditionally releases Us of all liability); and (c) provide to You all reasonable assistance, at Your expense.

11.3. Exclusive Remedy.

This Section 11 (Mutual Indemnification) states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any type of claim described in this Section.

12. LIMITATION OF LIABILITY

12.1. Limitation of Liability.

NEITHER PARTY’S LIABILITY WITH RESPECT TO ANY SINGLE INCIDENT ARISING OUT OF OR RELATED TO THIS AGREEMENT (WHETHER IN CONTRACT OR TORT OR UNDER ANY OTHER THEORY OF LIABILITY) SHALL EXCEED THE LESSER OF $50,000 OR THE AMOUNT PAID BY YOU HEREUNDER IN THE 12 MONTHS PRECEDING THE INCIDENT, PROVIDED THAT IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT (WHETHER IN CONTRACT OR TORT OR UNDER ANY OTHER THEORY OF LIABILITY) EXCEED THE TOTAL AMOUNT PAID BY YOU HEREUNDER. THE FOREGOING SHALL NOT LIMIT YOUR PAYMENT OBLIGATIONS UNDER SECTION 8 (FEES AND PAYMENT FOR PURCHASED SERVICES).

12.2. Exclusion of Consequential and Related Damages.

IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS OR REVENUES OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER OR PUNITIVE DAMAGES HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING DISCLAIMER SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.

13. TERM AND TERMINATION

13.1. Term of Agreement.

This Agreement commences on the date You accept it and continues until all Subscriptions granted in accordance with this Agreement have expired or been terminated.

13.2. Term of Purchased Subscriptions.

Subscriptions purchased by You are activated upon your acceptance of the applicable Order Form and, subject to your payment obligations related to the applicable Order Form, shall continue for the Subscription Term specified therein. Except as otherwise specified in the applicable Order Form, all Subscriptions shall automatically renew for additional periods equal to the expiring Subscription Term or one year (whichever is shorter), unless either party gives the other notice of non-renewal at least 30 days before the end of the relevant subscription term. When a credit card is on file, upon the completion of a Subscription Term, unless you provide notice of non-renewal as provided above, you authorize us to automatically charge such credit card for the renewal of the Subscription Term. The per-unit pricing during any such renewal term shall be the same as that during the prior term unless We have given You written notice of a pricing change at least 30 days before the end of such prior term, in which case the pricing change shall be effective upon renewal and thereafter.

13.3. Termination for Cause.

A party may terminate this Agreement for cause immediately upon written notice to the other party thereof: (i) if the other party materially breaches its obligations under this Agreement and, after receiving written notice identifying such material breach in reasonable detail, fails to cure such material breach within 30 days from the date of its receipt of such notice; provided, however, in the case of a material breach that cannot reasonably be cured within such 30-day period (which shall necessarily exclude, for the avoidance of doubt, any payment default), the non-breaching party may terminate this Agreement following such 30-day period only if the breaching party shall have failed to commence substantial remedial actions within such 30-day period and to use reasonable efforts to pursue the same; or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.

13.4. Refund or Payment upon Termination.

Upon any termination for cause by You, We shall refund You any prepaid fees covering the remainder of the term of all subscriptions after the effective date of termination. Upon any termination for cause by Us, You shall pay any unpaid fees covering the remainder of the term of all Order Forms after the effective date of termination. In no event shall any termination relieve You of the obligation to pay any fees payable to Us for the period prior to the effective date of termination.

13.5. Exporting Your Data upon Termination.

For a period of 30 days after the effective date of termination of a Purchased Services subscription, You will be able to access Your Data for purposes of exporting Your Data. After such 30-day period, We shall have no obligation to maintain or provide access to any of Your Data and shall thereafter, unless legally prohibited, delete all of Your Data in Our systems or otherwise in Our possession or under Our control. Therefore, You must export Your Data within 30 days after the effective date of termination or Your Data will be permanently lost.

13.6. Surviving Provisions.

Section 6 (Confidentiality), 8 (Fees and Payment for Purchased Services), 9 (Proprietary Rights), 10.3 (Disclaimer), 11 (Mutual Indemnification), 12 (Limitation of Liability), 13.4 (Refund or Payment upon Termination), 13.5 (Exporting Your Data upon Termination), this 13.6 (Surviving Provisions), 14 (Notices, Governing Law and Jurisdiction) and 15 (General Provisions) shall survive any termination or expiration of this Agreement.

14. NOTICES, GOVERNING LAW AND JURISDICTION

14.1. Manner of Giving Notice.

Except as otherwise specified in this Agreement, all notices, permissions and approvals hereunder shall be in writing and shall be deemed to have been given upon: (i) personal delivery or (ii) the first business day after sending by email (provided email shall not be sufficient for notices of termination or an indemnifiable claim), certified or registered mail (in each case, return receipt requested) or nationally recognized overnight courier (with all fees pre-paid). Billing-related notices to You shall be addressed to the relevant billing contact designated by You. All other notices to You shall be addressed to the relevant Services system administrator designated by You.

14.2. Governing Law and Jurisdiction.

This Agreement shall be interpreted, construed and enforced in all respects in accordance with the laws of the State of New York except for its conflicts of laws principles. Each party irrevocably consents and submits to the exclusive jurisdiction of the courts of any state or Federal court sitting in the Manhattan Borough of the City of New York in the State of New York, in connection with any action to enforce the provisions of this Agreement, to recover damages or other relief for breach or default under this Agreement, or otherwise arising under or by reason of this Agreement.

14.3. Waiver of Jury Trial.

Each party hereby waives any right to jury trial in connection with any action or litigation in any way arising out of or related to this Agreement.

15. GENERAL PROVISIONS

15.1. Export Compliance.

The Services, other technology We make available, and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Each party represents that it is not named on any U.S. government denied-party list. You shall not permit Users to access or use Services in a U.S.-embargoed country (currently Cuba, Iran, North Korea, Sudan or Syria) or in violation of any U.S. export law or regulation.

15.2. Anti-Corruption.

You have not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any of Our employees or agents in connection with this Agreement. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction. If You learn of any violation of the above restriction, You will use reasonable efforts to promptly notify Us (admin@chilipiper.com).

15.3. Relationship of the Parties.

The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties.

15.4. No Third-Party Beneficiaries.

There are no third-party beneficiaries to this Agreement.

15.5. Waiver.

No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right.

15.6. Severability.

If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect.

15.7. Attorney Fees.

You shall pay on demand all of Our reasonable attorney fees and other costs incurred by Us to collect any fees or charges due Us under this Agreement following Your breach of Section 8.2 (Invoicing and Payment).

15.8. Assignment.

Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld). Notwithstanding the foregoing, either party may assign this Agreement in its entirety (including all Order Forms), without consent of the other party, to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets not involving a direct competitor of the other party. A party’s sole remedy for any purported assignment by the other party in breach of this paragraph shall be, at the non-assigning party’s election, termination of this Agreement upon written notice to the assigning party. In the event of such a termination, We shall refund to You any prepaid fees covering the remainder of the term of all subscriptions after the effective date of termination. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.

15.9. Entire Agreement.

This Agreement, including all exhibits and addenda hereto and all Order Forms, constitutes the entire agreement between the parties and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. No modification, amendment, or waiver of any provision of this Agreement shall be effective unless in writing and either signed or accepted electronically. To the extent of any conflict or inconsistency between the provisions in the body of this Agreement and any exhibit or addendum hereto or any Order Form, the terms of such exhibit, addendum or Order Form shall prevail. Notwithstanding any language to the contrary therein, no terms or conditions stated in Your purchase order or other order documentation (excluding Order Forms) shall be incorporated into or form any part of this Agreement, and all such terms or conditions shall be null and void.

EXHIBIT A - DATA PROTECTION ADDENDUM

This Data Protection Addendum (“Addendum”) amends and forms part of the Master Subscription Agreement (“Agreement”) between Chili Piper, Inc. (“Chili Piper”) and Customer. To the extent Chili Piper and Customer do not have a written agreement governing their relationship, this Addendum governs the Processing of Personal Information between Chili Piper and Customer. For the purposes of this Addendum, Chili Piper and Customer shall be referred to as “Parties” and individually as “Party.” In the event of a conflict between the terms of the Agreement and this Addendum, the terms of this Addendum govern.

1. Definitions

1.1. “Applicable Data Protection Laws” means all laws and regulations applicable to Chili Piper’s Processing of Customer Personal Information under the Agreement or the Parties’ business relationship and this Addendum, including but not limited to the GDPR and CCPA.

1.2. “CCPA” means the California Consumer Privacy Act of 2018, Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, as amended, and inclusive of all implementing regulations, as adopted.

1.3. “Data Security Incident” means a discovered, actual unauthorized access to, destruction of, loss of, alteration of, exfiltration of, theft of, or disclosure of Customer Personal Information transmitted, collected, stored, controlled, or otherwise in the possession of Chili Piper used for Processing under the Agreement or the Parties’ business relationship and this Addendum.

1.4. “Data Subject” shall have the same meaning as “data subject” or “consumer” under any Applicable Data Protection Laws.

1.5. “EU-SCCs” has the meaning set forth in Section 12.2.

1.6. “GDPR” means EU General Data Protection Regulation 2016/679. 

1.7. “Controller” shall have the same meaning as “controller” or “business” under any Applicable Data Protection Laws.

1.8. “Customer Personal Information” means any information provided by Customer that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject, and includes “personal information” or “personal data” as defined in any Applicable Data Protection Laws.

1.9. “Process,” “Processed,” or “Processing” means any operation or set of operations that are performed on Customer Personal Information or on sets of Personal Information, automated or manual.

1.10. “Processor” shall have the same meaning as “processor”, “service provider” or non “third party” under any Applicable Data Protection Laws.

1.11. “Sale” and “Sell” shall have the same meaning as “sale” and “sell” under any Applicable Data Protection Laws.

1.12. “Services” shall mean the services provided by Chili Piper to Customer pursuant to the Agreement or any other business understanding between the Parties.

1.13. “Standard Contractual Clauses” means the contractual clauses promulgated by the European Parliament and European Council on June 4, 2021 (Commission Implementing Decision) (EU) 2021/914, available for Customer upon request. If adopted, the Standard Contractual Clauses will be incorporated as Schedule 1 to this Addendum.  

1.14. “Sub-Processor” means any person (including any third party, but excluding an employee of Chili Piper) appointed by or on behalf of Chili Piper to Process Customer Personal Information.

1.15. “UK-SCCs” has the meaning set forth in Section 12.2.

2. Services Provided / Scope of Addendum

During the course of the Agreement, and from time to time, Customer may provide Chili Piper with, or provide access to, Customer Personal Information for the purposes of Processing pursuant to the Agreement and this Addendum.

3. Roles of the Parties

3.1. The Parties acknowledge and agree that when Chili Piper Processes Customer Personal Information under the Agreement and this Addendum, Customer operates as the Controller and Chili Piper operates as the Processor.

3.2. Customer represents and warrants that it is and will at all relevant times remain duly and effectively authorized to give the instructions to Chili Piper concerning the Processing of Customer Personal Information pursuant to the Agreement or the Parties’ business relationship and this Addendum.

4. Data Protection Law Compliance

4.1. Chili Piper and Customer agree to comply with all Applicable Data Protection Laws as it relates to the Processing of Customer Personal Information under the Agreement or the Parties’ business relationship and this Addendum.

4.2. For the avoidance of doubt, and to the extent applicable, Chili Piper agrees to comply with all applicable obligations under the CCPA and provide the same level of privacy protections to applicable Personal Information as required under the CCPA.  

4.3. In the event Chili Piper cannot comply with the CCPA, Chili Piper shall notify Customer that it can no longer meet the CCPA’s obligations. To the extent Chili Piper cannot comply with its obligations under the CCPA, Customer may take reasonable and appropriate steps to help ensure that Chili Piper uses Personal Information provided under the Agreement or as part of the business relationship in a manner consistent with the Customer’s obligations under the CCPA.

5. Processing of Customer Personal Information

5.1. Instructions

5.1.1. Chili Piper shall only Process Customer Personal Information for the purpose of the provision of the Services and in accordance with Customer’s documented instructions, unless additional Processing is required by Applicable Data Protection Laws, in which case Chili Piper shall Process Customer Personal Information to the extent permitted by the Applicable Data Protection Laws.

5.1.2. Customer hereby instructs Chili Piper, and authorizes Chili Piper to instruct each Sub-Processor, to Process Customer Personal Information in accordance with the Agreement or the business relationship between the Parties and this Addendum, and to comply with all documented instructions provided by Customer where such instructions are consistent with the terms of the Agreement, the business relationship between the Parties, this Addendum, and Applicable Data Protection Laws.

5.1.3. To the extent Chili Piper considers an instruction from Customer to be infringing upon any Applicable Data Protection Laws, Chili Piper shall immediately notify Customer of said infringement.

5.2. Details of Processing

5.2.1. The subject-matter of the Processing of Customer Personal Information is the performance of the Services set forth in the Agreement or the business relationship between the Parties, including meeting automation. The duration of the Processing is for the term of the Agreement or the duration of the business relationship between the Parties. The nature and purpose of the Processing include providing the Services set forth in the Agreement or performing the business relationship between the Parties, including to facilitate meeting creation, updating, re-scheduling, deletion, and reminders. The types of Customer Personal Information being Processed include meeting date and time, title, description, guest list, and names and email addresses. The types of data subjects include: (i) Customer’s representatives and end-users; (ii) Customer’s employees, contractors, and vendors; and (iii) individuals attempting to communicate or transfer Customer Personal Information to users of the Services.

5.2.2. The Parties agree that any transfer, disclosure, or making available of Customer Personal Information by Customer to Chili Piper under the Agreement or during the course of the Parties’ business relationship and this Addendum is not intended to be a Sale.

5.2.3. Chili Piper is prohibited from Selling Customer Personal Information it receives or has access to under the Agreement or the Parties’ business relationship and this Addendum. Chili Piper is further prohibited from retaining, using, disclosing, or sharing Customer Personal Information it receives from Customer for any purpose other than to perform the Services.

5.2.4. Chili Piper certifies that it understands and will comply with the restrictions set forth in this section.

5.3. Sub-Processors

5.3.1. If permissible under the Agreement or the Parties’ business relationship, Chili Piper may engage Sub-Processors in connection with the provision of the Services, including but not limited to for the Processing of Customer Personal Information.

5.3.2. When requested by Customer, Chili Piper shall make available to Customer an up-to-date list of all Sub-Processors used for the Processing of Customer Personal Information.

5.3.3. Chili Piper shall provide reasonable prior written notice to Customer of the appointment of any new Sub-Processor, including details of the Processing to be undertaken by the Sub-Processor. If, within fifteen (15) calendar days of receipt of that notice, Customer notifies Chili Piper in writing of any reasonable objections to the proposed appointment, Chili Piper shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of the proposed Sub-Processor.

5.3.4. Chili Piper has or shall enter into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this Addendum. Chili Piper shall be responsible for the acts of its Sub-Processor as it relates to the provision of Services under this Agreement or through the Parties’ business relationship and the Processing of Customer Personal Information. Upon reasonable written request, Chili Piper shall provide Customer with a copy of any Sub-Processor agreements, subject to protections of confidentiality, trade secrets, and other lawfully protected information.

5.4. Personnel

5.4.1. Chili Piper agrees to take all reasonable steps to ensure that persons authorized to Process Customer Personal Information under the Agreement or through the Parties’ business relationship and this Addendum are: (i) bound by appropriate contractual obligations or are under appropriate statutory obligations of confidentiality, data protection, and data security; and (ii) Process Customer Personal Information only upon the instructions of Customer, unless required to do so pursuant to Applicable Data Protection Laws.

5.4.2. Chili Piper agrees to limit access to Customer Personal Information to those individuals who need to know / access the relevant Customer Personal Information to perform the Services.

5.5. Certification. Chili Piper certifies it understands and will comply with the restrictions set forth in this Section 5.

6. Security Measures

Chili Piper shall implement and maintain appropriate and reasonable technical, physical, and organizational safeguards appropriate to the sensitivity of the Customer Personal Information being Processed under the Agreement or through the Parties’ business relationship and this Addendum, and in accordance with Applicable Data Protection Laws (“Security Measures”).

7. Data Security Incident

7.1. In the event of a Data Security Incident, Chili Piper shall promptly notify Customer at the earliest opportunity upon becoming aware of the Data Security Incident. In any such notification, Chili Piper shall provide Customer with sufficient information, as available at the time of notification, to assist Customer in assessing the Data Security Incident.

7.2. Unless required by Applicable Data Protection Laws or other applicable legal obligation (statute, court order, contract), Chili Piper will promptly notify Customer of any third-party legal process relating to a Data Security Incident of which Chili Piper is aware.

7.3. With notice to Chili Piper, to the extent there is unauthorized use of Personal Information, Customer may take reasonable and appropriate steps to stop and remediate such unauthorized use of Personal Information.

8. Data Protection Impact Assessment and Prior Consultations

Upon reasonable written request, Chili Piper will reasonably cooperate with and provide reasonable assistance to Customer as it relates to Customer’s undertaking of any data protection impact assessments and/or prior consultations with any appropriate authority under Applicable Data Protection Laws.

9. Audit

9.1. Chili Piper shall make available to Customer, upon reasonable written request, information reasonably necessary to demonstrate Chili Piper’s compliance with the Agreement or the Parties’ business relationship and this Addendum, and shall allow for audits by Customer, or an auditor mandated by Customer, in relation to the Processing of Customer Personal Information under the Agreement or the Parties’ business relationship and this Addendum.

9.2. Customer shall provide Chili Piper at least thirty (30) calendar days’ written notice in advance of any audit to be conducted under this section. The audit must be conducted during Chili Piper’s regular business hours and shall not unreasonably interfere with Chili Piper’s business activities.

9.3. If the requested audit scope is addressed in a third-party audit or certification of Chili Piper’s privacy and security controls reasonably acceptable to Customer (“Third Party Audit”) issued within the prior twelve (12) months and Chili Piper provides such report to Customer confirming there are no known material changes in the controls audited, then Customer agrees to accept the findings presented in the Third Party Audit in lieu of requesting an audit of the same controls covered by the Third Party Audit. Any Third Party Audit shall constitute confidential information consistent with the Agreement and this Addendum.

9.4. Customer shall be fully responsible for any costs and/or fees associated with any auditor appointed by Customer to execute an audit under this section.

9.5. Customer shall promptly notify Chili Piper, and no later than fourteen (14) calendar days following the close of an audit under this section, about any alleged non-compliance with the Agreement and/or this Addendum discovered during the course of the audit.

10. Return or Destruction of Customer Personal Information

10.1. Chili Piper will stop Processing Customer Personal Information within ten (10) business days after termination of the Agreement, or earlier pursuant to written agreement by the Parties.

10.2. Upon reasonable written request by Customer, and at Customer’s election, Chili Piper will return or delete all Customer Personal Information in its possession no later than ninety (90) calendar days after termination of the Agreement.

11. Data Subject Requests

11.1. Chili Piper shall comply with any reasonable request by Customer to correct, amend, restrict Processing, or delete Customer Personal Information, as required by Applicable Data Protection Laws, to the extent Chili Piper is legally permitted to do so.

11.2. To the extent possible, Chili Piper shall reasonably assist Customer in implementing appropriate technical and organizational measures for the fulfillment of Customer’s obligations, as reasonably understood by Chili Piper, to respond to requests by Data Subjects under Applicable Data Protection Laws.

12. Transfer of Data

12.1. The Parties agree that any Customer Personal Information provided by Customer to Chili Piper under the Agreement and this Addendum shall be hosted within the territorial boundaries of the United States of America (US).

12.2. Applicable Standard Contractual Clauses

12.2.1. EU-SCCs. To the extent the Applicable Data Protection Laws apply to the transfer of Customer Personal Information from a Member State within the European Economic Area (“EEA”) and/or Switzerland to countries which do not ensure an adequate level of data protection within the meaning of such Applicable Data Protection Laws, Customer and Chili Piper hereby incorporate the unmodified European Union Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 attached as Schedule 1 (“EU-SCCs”).

12.2.2. UK-SCCs. To the extent the Applicable Data Protection Laws apply to the transfer of Customer Personal Information from the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of such Applicable Data Protection Laws, Customer and Chili Piper hereby incorporate the unmodified Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 and attached as Schedule 2 (“UK-SCCs”).

12.3. The Standard Contractual Clauses shall not apply to any cross-border transfer of Customer Personal Information unless legally necessary under the Applicable Data Protection Laws, together with other reasonably practicable protections as applicable, to permit the relevant cross-border transfer to take place without breach of any Applicable Data Protection Laws (“Restricted Transfer”).

12.4. The Annexes provided in Schedule 3 shall apply to both the respective EU-SCCs and UK-SCCs.

12.5. Chili Piper agrees that before it commences a Restricted Transfer to a Sub-Processor, it shall ensure that one of the following is in place: (i) the Standard Contractual Clauses are at all relevant times incorporated into the agreement between Chili Piper on the one hand and a Sub-Processor on the other; (ii) that Sub-Processor enters into an agreement incorporating the Standard Contractual Clauses with Customer; or that (iii) Chili Piper’s entry into the Standard Contractual Clauses, as an agent for and on behalf of the Sub-Processor, will have been duly and effectively authorized (or subsequently ratified) by that Sub-Processor.

12.6. In the event of a conflict between the Agreement and this Addendum and any Standard Contractual Clause entered into by the Parties, the Standard Contractual Clauses shall prevail.

SCHEDULE 1 - EU-SCCs (The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021)

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (1) for the transfer of personal data to a third country.

(b) The Parties:

(i)  the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii)  the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8 – Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii) Clause 9 – Clause 9(a), (c), (d) and (e);

(iv) Clause 12 – Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18 – Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.  

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1  Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2  Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3  Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4  Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5  Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6  Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7  Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8  Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (4) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9  Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. (8) The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

         (i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

        (ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a) The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:


     (i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

     (ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards (12);

     (iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three:, if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1  Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

     (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

     (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2  Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

      (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension; 

     (ii) the data importer is in substantial or persistent breach of these Clauses; or

     (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (e) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(f) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of a Member State to be agreed upon between the Parties, and based on the location of the data subject.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

SCHEDULE 2 - UK-SCCs

Table 1: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: ☐ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter?
1 | | | | | |
2 | Yes | Yes | Yes | Yes | 10 days |
3 | | | | | |
4 | | | | | |

Entering into this Addendum

1.  Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.

2.  Although Schedule 3, Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum 

3.  Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.

Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 1, including the Appendix Information.

Appendix Information: As set out in Table 3

Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.

Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.

Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which are provided in Schedule 3 below.

ICO: The Information Commissioner.

Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.

UK: The United Kingdom of Great Britain and Northern Ireland.

UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

UK GDPR: As defined in section 3 of the Data Protection Act 2018.

4.  This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards. 

5.  If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

6.  If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.

7.  If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies. 

8.  Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into. 

Hierarchy 

9.  Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.

10.  Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.

11.  Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

12.  This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:

          a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers; 

          b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and

          c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

13.  Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.

14.  No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.

15.  The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:

          a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;

          b. In Clause 2, delete the words:

                    “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;

          c. Clause 6 (Description of the transfer(s)) is replaced with:

                   “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Schedule 3, Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;

          d. Clause 8.7(i) of Module 1 is replaced with:

                   “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;

          e. Clause 8.8(i) of Modules 2 and 3 is replaced with:

                   “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”

          f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;

          g. References to Regulation (EU) 2018/1725 are removed;

          h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;

          i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;

          j. Clause 13(a) and Part C of Annex I of Schedule 3, are not used; 

          k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;

          l. In Clause 16(e), subsection (i) is replaced with:

                   “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;

          m. Clause 17 is replaced with:

                   “These Clauses are governed by the laws of England and Wales.”;

          n. Clause 18 is replaced with:

                   “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and

          o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11. 

Amendments to this Addendum 

16.  The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.

17.  If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

18.  From time to time, the ICO may issue a revised Approved Addendum which: 

          a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or

          b. reflects changes to UK Data Protection Laws;

The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified. 

19.  If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

          a. its direct costs of performing its obligations under the Addendum; and/or 

          b. its risk under the Addendum, 

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

20.  The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.

SCHEDULE 3 - ANNEX I

A.  LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

1.

Name: …

Address: …

Contact person’s name, position and contact details: …

Activities relevant to the data transferred under these Clauses: …

Signature and date: …

Role (controller/processor): …

2.

Data importer(s):

Name: Chili Piper, Inc.

Address: 228 Park Ave S # 78136 New York, New York 10003-1502 United States

Contact person’s name, position and contact details: Scott Haney, Head of Operations, scott@chilipiper.com

Activities relevant to the data transferred under these Clauses: Chili Piper’s provision of services pursuant to the Master Subscription Agreement.

Signature and date: Effective date of the Master Subscription Agreement.

Role (controller/processor): Processor.

B.  DESCRIPTION OF TRANSFER

  1. Categories of data subjects whose personal data is transferred:

Data subjects include the data exporter’s customer’s representatives and end-users, including employees, contractors, vendors, and customers of the data exporter.

  2. Categories of personal data transferred:

The personal data transferred includes meeting date and time, title, description, guest list, including names and email addresses in an electronic form all in the context of the Services.

  3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

None.

  4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous.

  5. Nature of the processing:

Cloud based, server-to-server API access, Chrome extension and/or Outlook add-in.

  6. Purpose(s) of the data transfer and further processing:

Facilitate meeting creation, update, re-scheduling, deletion and reminders.

  7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

For the term of the Master Subscription Agreement between Chili Piper and Customer.

  8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

The nature of any processing by sub-processors is to facilitate the Services. The duration is for the term of the Master Subscription Agreement between Chili Piper and Customer.

C.  COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13:

The supervisory authorities in the states in which the data subjects reside.

SCHEDULE 3 - ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The data importer will implement and maintain appropriate security standards which take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to ensure a level of security appropriate to the nature of the information.

The safeguards implemented include the following:

  1. data importer utilizes the Google Cloud Platform, using Google’s encryption for data both at rest and in transit.
  2. data importer leverages third party partners to conduct regular vulnerability scanning of the data importer’s network and environment and undergoes regular penetration testing of the same.
  3. data importer limits access to sensitive information to only those persons with a need to know.
  4. data importer maintains an incident response plan, and regularly tests that plan through the use of table top exercises.
  5. data importer takes appropriate steps to secure its physical and digital properties, networks, devices, and databases against unlawful and unauthorized access and intrusion.
  6. data importer takes steps to ensure sensitive information is transmitted, stored, and disposed of in a reasonably secure manner.
  7. data importer implements procedures to reasonably and appropriately deploy security patches and updates and address vulnerabilities as they arise.
  8. data importer implements personnel security and integrity procedures and practices appropriate to the personnel who may have access to certain information.
  9. data importer appropriately trains its personnel on implementing appropriate security throughout the data importer’s environment.

SCHEDULE 3 - ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorized the use of the following sub-processors:

1.

Name: Google Cloud Engine

Address: US Central Council Bluffs, IA 51501

Contact person’s name, position and contact details: Martin Plouy, CTO, martin.plouy@chilipiper.com

Description of processing: Provide cloud based services to allow Chili Piper to provide the Services as set forth in the Master Subscription Agreement between Chili Piper and Customer.

2.

Name: Amazon AWS

Address: US East 6685 Crosby Ct, Plain City, OH 43064

Contact person’s name, position and contact details: Martin Plouy, CTO, martin.plouy@chilipiper.com

Description of processing: Provide cloud based services to allow Chili Piper to provide the Services as set forth in the Master Subscription Agreement between Chili Piper and Customer.