This Cloud Service Agreement (this “Agreement”) is an agreement between you (“Customer”) and Lookback Group, Inc. (“Lookback”) (collectively, the “Parties”), and governs your access to and use of Lookback’s SaaS (software-as-a-service) platform and related services. Your use of and access to the Lookback Platform (as defined below) is conditioned upon your compliance with this Agreement and all applicable laws.
By clicking the “Subscribe” button on the checkout flow or by using the Lookback Platform (defined below), you agree to be bound by this Agreement, all exhibits, order forms, and incorporated policies. If you don’t agree to be bound by this Agreement, do not use the Lookback Platform. If you are accessing and using the Lookback Platform on behalf of a company (such as your employer) or other legal entity, you represent and warrant that you have the authority to bind that entity to this Agreement. In that case, “you,” “your,” or “Customer” will refer to that entity.
1. DEFINITIONS AND BACKGROUND.
1.1 “Authorized User” means a Collaborator or an Observer.
1.2 “Collaborator” means an employee, consultant or independent contractor of Customer (and, if Customer is an agency that provides services to clients, of Customer’s clients) who (i) has received login and password credentials to access and use the Lookback Platform and (ii) is registered online and has created or been assigned to a Collaborator account to access and use the Lookback Platform.
1.3 “Customer Materials” means projects, comments, Sessions and other content uploaded to the Lookback Platform by Customers pursuant to this Agreement.
1.4 “End User” means any individual who accesses the Lookback Platform, including but not limited to Collaborators, Observers, and Participants.
1.5 “Effective Date” means the date on which Customer signs up for the Lookback Platform, including agreeing to the terms of this Agreement and providing a valid payment method.
1.6 “Intellectual Property Rights” means patent rights (including patent applications and disclosures), inventions, copyrights, trade secrets, know-how, data and database rights, mask work rights, and any other intellectual property rights recognized in any country or jurisdiction in the world.
1.7 “Lookback Platform” means the website(s) located at lookback.io including all subdomains, and the Lookback software applications, browser extensions or mobile applications we provide, as well as related services provided by Lookback in accordance with this Agreement.
1.8 “Observer” means an employee, consultant or independent contractor of Customer (and, if Customer is an agency that provides services to clients, of Customer’s clients) who (i) has received login and password credentials to access and use the Lookback Platform and (ii) is registered online and has created or been assigned to an Observer account to access and use the Lookback Platform.
1.9 “Order Form” means the form detailing the purchase the Customer wants to make. For self-checkout Customers, it refers to the pricing and renewal details described on https://lookback.io/pricing, and for manual purchases it is a separate document attached to the Customer’s Agreement.
1.10 “Participant” means an individual, authorized by Customer, who, via the Lookback Platform, provides feedback for or participates in a test of an application, website, prototype, or other method of interaction.
1.11 “Session” means a recording or live stream, created or enabled by the Lookback Platform, of a Participant’s interaction with an application, website, prototype, or other software.
1.12 “Upgrades” means with respect to the Lookback Platform, upgrades, updates, bug fixes and releases.
The Lookback Platform is built to help our customers build fantastic user experiences. It does so by letting customers have a better understanding of and visibility into the experiences and emotions of users (called Participants).
Sessions are viewable by customers in real-time and/or after-the-fact through the Lookback Platform. A customer’s “Collaborators” or “Observers” watch and collaborate around the Sessions and add Customer Materials.
2. USE OF THE LOOKBACK PLATFORM.
Customer will promptly notify Lookback of any unauthorized use of or access to the Lookback Platform. Customer acknowledges Lookback’s Copyright Policy, located at https://lookback.io/dmca. Lookback will not be liable for any losses caused by unauthorized use of an Authorized User’s Account.
2.2 Grant of License. Subject to Customer’s compliance with the terms and conditions of this Agreement, including Customer’s payment of all Fees (as defined below) then due and payable under this Agreement, Lookback grants to Customer a non-exclusive, non-assignable, non-transferable (except as specified herein), worldwide, limited license during the Term: (a) to use, and allow Customer’s Authorized Users to use the Lookback Platform for Customer’s internal business purposes; (b) to use the Lookback Platform solely for purposes of enabling Sessions in accordance with the terms of this Agreement; and (c) to allow Participants invited by Customer to participate in Sessions.
2.3 License Restrictions. Except as expressly authorized in this Agreement, Customer will not, nor will it permit any third party, to: (a) copy or modify any part of the Lookback Platform; (b) distribute, transfer, sublicense, lease, lend or rent all or any part of the Lookback Platform to any third party; (c) except as expressly allowed in this Agreement, use the Lookback Platform on behalf of a third party; (d) make the Lookback Platform available to any non-Authorized Users or non-Participants through any means, including, but not limited to, by uploading any part of the Lookback Platform to a network or file-sharing service or through any hosting, application services provider, service bureau, software-as-a-service (SaaS) or any other type of services; (e) download, display, distribute and/or upload Sessions other than via the Lookback Platform, or the Lookback player available from the Lookback website for commercial or any other purposes, to third parties who are not Authorized Users; (f) allow access to or use of the Lookback Platform by anyone other than Authorized Users; (g) allow more than one (1) Authorized User to use or share the same Account; (h) interfere or disrupt the Lookback Platform by transmitting any worms, viruses, spyware, malware or any other code of a destructive or disruptive nature through the Lookback Platform; or (i) disassemble, decompile or reverse engineer the Lookback Platform, except to the extent such restriction is prohibited by applicable law.
2.4 Limited Rights. Customer’s rights in the Lookback Platform will be limited to those expressly granted in this Agreement. Lookback reserves all rights and licenses in and to the Lookback Platform not expressly granted to Customer under this Agreement.
2.5 Feedback. Customer may provide Lookback with feedback, comments and suggestions for improvements to the Lookback Platform (the “Feedback”). All Feedback that Customer provides to Lookback will be the sole and exclusive property of Lookback. Except to the extent the Feedback contains any of Customer’s Confidential Information, Customer hereby grants Lookback a perpetual, irrevocable, royalty-free and fully-paid up license to use and exploit all Feedback in connection with Lookback’s business purposes, including, without limitation, the testing, development, maintenance and improvement of the Lookback Platform.
2.6 Ownership. Customer expressly acknowledges that, as between Lookback and Customer, Lookback and its licensors own all worldwide right, title and interest in and to the Lookback Platform, including all worldwide Intellectual Property Rights embodied therein. Customer will not delete or in any manner alter the copyright, trademark or other proprietary rights notices appearing on the Lookback Platform as delivered to Customer. As between Lookback and Customer, Lookback expressly acknowledges that Customer owns all worldwide right, title and interest to the content of the Sessions and Customer Materials, including all worldwide Intellectual Property Rights embodied therein. Customer hereby grants Lookback a non-exclusive, worldwide, royalty-free right and license to use, host, reproduce, display, perform, modify the Customer Materials solely for the purpose of hosting, operating, improving and providing the Lookback Platform. For the avoidance of doubt, unless otherwise mutually agreed to in writing by Lookback and Customer, in no event will Lookback be granted any license, title, or access to the content of the Sessions, nor will Lookback attempt to access the content of the Sessions for any other purpose than resolving issues affecting the Services and/or other Customers.
3.1 Fees. Customer will pay Lookback the non-refundable fees set forth in the applicable Order Form in accordance with the terms therein (“Fees”) and without offset or deduction. Except as otherwise provided in the relevant Order Form, Lookback will issue annual invoices to Customer during the Term, and Customer will pay all amounts set forth on any such invoice no later than thirty (30) days after the date of such invoice. If Customer has signed up for automatic billing, Lookback will charge Customer’s selected payment method (such as a credit card, debit card, gift card/code, or other method available in Customer’s home country) for any Fees on the applicable payment date, including any applicable taxes. If Lookback cannot charge Customer’s selected payment method for any reason (such as expiration or insufficient funds), Customer remains responsible for any uncollected amounts, and Lookback will attempt to charge the payment method again as Customer may update its payment method information. In accordance with local law, Lookback may update information regarding Customer’s selected payment method if provided such information by Customer’s financial institution.
3.2 Payment Terms. Customers are responsible for paying the fees in the Order Form. All payments due to Lookback must be made in U.S. dollars or any other currency agreed upon by the parties. Any charges for add-ons are due within thirty (30) days following the start of each of the successive 3 month periods of the Term or Renewal Term, beginning on the Effective Date. Customer will pay all invoices in full, without reduction or setoff of any kind. Customer’s payment obligations are non-cancelable and Customer’s payments are non-refundable. If Customer fails to make any payment when due, late charges will accrue at the rate of 1.5% per month or, if lower, the highest rate permitted by applicable law and Lookback may suspend Services until all payments are made in full. Customer will reimburse Lookback for all reasonable costs and expenses incurred (including reasonable attorneys’ fees) in collecting any late payments or interest.
3.3 Taxes. All Fees payable under this Agreement are net amounts and are payable in full, without deduction for taxes or duties of any kind. Customer will be responsible for, and will promptly pay, all taxes and duties of any kind (including, but not limited to, sales, use and withholding taxes) associated with this Agreement or use of the Lookback Platform, as applicable, except for taxes and duties imposed on Lookback’s income. Without limiting the foregoing, in the event that Customer is required to deduct or withhold any taxes from the amounts payable to Lookback hereunder, Customer will pay an additional amount, so that Lookback receives the amounts due to it hereunder in full, as if there were no withholding or deduction.
4.2 Disclaimers. Lookback does not warrant that the Lookback Platform will meet Customer’s requirements or will operate in the combinations that Customer may select for use, that the operation of the Lookback Platform will be error-free or uninterrupted, or that all the Lookback Platform’s errors will be corrected. EXCEPT AS STATED IN THIS AGREEMENT, LOOKBACK EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING, USAGE OF TRADE. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED FROM LOOKBACK OR ELSEWHERE WILL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT.
5.1 Indemnity by Lookback. Lookback will indemnify, defend and hold Customer and its officers, employees and agents harmless from and against any third-party claims, liabilities, damages, losses and expenses, including without limitation, reasonable attorney’s fees and costs (collectively, the “Losses”), arising out of or in any way connected with any claim or action brought against Customer to the extent that it is based upon a claim that the Lookback Platform, as provided by Lookback to Customer under this Agreement and used within the scope of this Agreement, infringes any Intellectual Property Rights of a third party.
5.2 Indemnity by Customer. Customer agrees to indemnify, defend and hold Lookback harmless from and against any claims, liabilities, damages, losses and expenses, including without limitation, reasonable attorney’s fees and costs, arising out of or in any way connected with:
(i) Customer’s, or its Authorized Users’ or Participants’ use of the Lookback Platform, including, without limitation, (A) any claim that the Customer Materials infringe, misappropriate or otherwise violate any third party’s intellectual property, privacy, or other rights; or (B) any claim that the use, provision, transmission, display or storage of Customer Materials violates any applicable law, rule or regulation;
(ii) any of Customer’s products or services developed using the Lookback Platform; and
(iii) use of the Lookback Platform by Customer or its Authorized Users in a manner that is not in accordance with this Agreement including, without limitation, any breach of the license restrictions in Section 2.3.
In each case, Customer will indemnify and hold harmless Lookback against any Losses resulting from such claim.
5.3 Injunctions. If Customer’s use of the Lookback Platform hereunder is, or in Lookback’s opinion is likely to be, enjoined due to the type of claim specified in Section 5.1 above, Lookback will, at its sole option and expense: (a) procure for Customer the right to continue using such Lookback Platform under the terms of this Agreement; (b) replace or modify such part of the Lookback Platform so that it is non-infringing and substantially equivalent in function and performance to the enjoined Lookback Platform; or (c) if options (a) and (b) above cannot be accomplished despite Lookback’s reasonable efforts, then Lookback may terminate Customer’s rights and Lookback’s obligations hereunder with respect to such Lookback Platform.
5.4 Exclusions. Notwithstanding the terms of Section 5.1, Lookback will have no liability for any infringement or misappropriation claim to the extent that it results from: (a) unauthorized modifications to the Lookback Platform made by a party other than Lookback, if a claim would not have occurred but for such modifications; (b) the combination, operation or use of the Lookback Platform with equipment, devices, software or data not supplied by Lookback, if a claim would not have occurred but for such combination, operation or use; (c) Customer’s failure to install, use or accept Upgrades, update or modify the Lookback Platform at no additional charge to avoid a claim; (d) Customer’s use of the Lookback Platform other than in accordance with this Agreement, or (e) Customer’s breach of this Agreement, negligence, willful misconduct or fraud.
5.5 Indemnification Procedures. The party seeking defense and indemnity (the “Indemnified Party”) will promptly (and in any event no later than thirty (30) days after becoming aware of facts or circumstances that could reasonably give rise to any claim) notify the other party (the “Indemnifying Party”) of the claim for which indemnity is being sought, and will reasonably cooperate with the Indemnifying Party in the defense and/or settlement thereof. The Indemnifying Party will have the sole right to conduct the defense of any claim for which the Indemnifying Party is responsible hereunder (provided that the Indemnifying Party may not settle any claim without the Indemnified Party’s prior written approval unless the settlement is for a monetary amount, unconditionally releases the Indemnified Party from all liability without prejudice, does not require any admission by the Indemnified Party, and does not place restrictions upon the Indemnified Party’s business, products or services). The Indemnified Party may participate in the defense or settlement of any such claim at its own expense and with its own choice of counsel or, if the Indemnifying Party refuses to fulfill its obligation of defense, the Indemnified Party may defend itself and seek reimbursement from the Indemnifying Party.
6.1 Definition. “Confidential Information” means any business or technical information of Lookback or Customer that, if disclosed in writing, is marked “confidential” or “proprietary” at the time of disclosure, or, if disclosed orally, is identified as “confidential” or “proprietary” at the time of disclosure, or under the circumstances a person exercising reasonable business judgment would understand to be confidential or proprietary. For clarity, the Lookback Platform will be deemed the Confidential Information of Lookback and the Customer Materials will be deemed the Confidential Information of Customer. The terms and conditions of this Agreement will be deemed the Confidential Information of both parties, but may be disclosed on a confidential basis to a party’s advisors, attorneys, actual or bona fide potential acquirers, investors or other sources of funding (and their respective advisors and attorneys) for due diligence purposes.
6.2 Use and Disclosure Restrictions. Neither party will use the other party’s Confidential Information except as necessary for the performance of this Agreement or will disclose such Confidential Information to any third party except to those of its employees and subcontractors who have a bona fide need to know such Confidential Information for the purpose of performing this Agreement; provided that each such employee and subcontractor is subject to a written agreement that includes binding use and disclosure restrictions that are at least as protective as those set forth herein. Each party will use reasonable efforts to maintain the confidentiality of all such Confidential Information in its possession or control, but in no event less than the efforts that such party ordinarily uses with respect to its own proprietary information of similar nature and importance.
6.3 Exceptions. The obligations and restrictions in Section 6.2 will not apply to any information that: (a) is or becomes generally known to the public through no fault of or breach of this Agreement by the receiving party; (b) is rightfully known by the receiving party at the time of disclosure of such information by the disclosing party; (c) is independently developed by the receiving party without use of the disclosing party’s Confidential Information; (d) the receiving party rightfully obtains from a third party who has the right to disclose such information without breach of any confidentiality obligation to the disclosing party; (e) is required to be disclosed pursuant to the order or requirement of a court, administrative agency, or other governmental body, provided that the party required to make such a disclosure gives reasonable notice to the other party to contest such order or requirement; or (f) is required to be disclosed under applicable securities regulations. Further, neither party will be restricted from disclosing the other party’s Confidential Information, on a confidential basis, to (i) its legal or professional financial advisors or (ii) present or future providers of venture capital and/or potential private investors in or acquirers of the receiving party.
7. YOUR DATA.
7.1 Your Data. Although Lookback operates as a data controller for any contact information you upload to create your Customer account, Lookback operates as a “processor” or “service provider” for any personal data you or your Participants upload on the Lookback Platform in connection with this Agreement. Terms applicable to our processing of personal information are included in the Data Protection Addendum, attached to this agreement as Exhibit A.
8. LIMITATION OF LIABILITY.
8.1 Total Liability. EXCEPT FOR BREACHES OF CONFIDENTIALITY AND AMOUNTS OWED TO THIRD PARTIES IN CONNECTION WITH INDEMNIFICATION OBLIGATIONS, IN NO EVENT WILL EITHER PARTY’S TOTAL LIABILITY TO THE OTHER PARTY ARISING OUT OF THIS AGREEMENT FROM ALL CAUSES OF ACTION AND UNDER ALL THEORIES OF LIABILITY EXCEED THE AMOUNT CUSTOMER PAID TO LOOKBACK UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTHS PRECEDING A CLAIM FOR DAMAGES, REGARDLESS OF THE LEGAL OR EQUITABLE THEORY ON WHICH THE CLAIM OR LIABILITY IS BASED, AND WHETHER OR NOT THE PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
8.2 Exclusion of Damages. EXCEPT FOR BREACHES OF CONFIDENTIALITY AND AMOUNTS OWED TO THIRD PARTIES IN CONNECTION WITH INDEMNIFICATION OBLIGATIONS, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF USE, DATA, BUSINESS OR PROFITS) OR FOR THE COST OF PROCURING SUBSTITUTE PRODUCTS OR SERVICES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. THE PARTIES HAVE AGREED THAT THESE LIMITATIONS WILL SURVIVE AND APPLY EVEN IF ANY LIMITED REMEDY SPECIFIED IN THIS AGREEMENT IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.
9. TERM AND TERMINATION.
9.1 Term. The Agreement will commence on the Effective Date and will remain in effect for a period of one (1) year thereafter (the “Initial Term”). Such Initial Term will automatically renew for additional, successive one (1) year periods unless terminated via the mechanism described in the applicable Order Form (each, a “Renewal Term”). The Initial Term and the Renewal Term(s) will collectively be referred to herein as the “Term.”
9.2 Termination for Breach. Each party will have the right to terminate this Agreement (or as to Lookback only, any Lookback Platform license) if the other party breaches any material term of this Agreement and fails to cure such breach within thirty (30) days following written notice thereof.
9.3 Effect of Termination. Termination of this Agreement terminates all Lookback Platform access and licenses granted hereunder. Upon termination of this Agreement, each party will promptly destroy or return to the other party all Confidential Information of the other party in its possession or control (except for copies maintained in accordance with such party’s archival backup procedures). No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due or otherwise accrued through the effective date of expiration or termination, or entitle Customer to any refund.
9.4 Survival. The rights and obligations of the parties contained in Sections 1, 2.4, 2.5, 2.6, 4.2, 5, 6, 8, 9.3, 9.4, and 10 will survive any termination or expiration of this Agreement.
10.1 Assignment. Neither party may assign or transfer this Agreement, in whole or in part, by operation of law or otherwise, without the other party’s prior written consent; provided, however, that either party has the right to assign or transfer this Agreement to a non-competitor of the other party, in its sole discretion, without the other party’s prior written consent, to a surviving entity in the case of a merger, acquisition, divestiture, corporate reorganization or sale of all or substantially all of its assets. A merger, change of control or other combination by operation of law will be deemed such an assignment. Subject to the foregoing, this Agreement will bind and inure to the benefit of each party’s permitted successors and assigns.
10.2 Governing Law and Jurisdiction. This Agreement will be governed by and construed in accordance with the laws of the State of California without giving effect to any principles of conflict of laws that would lead to the application of the laws of another jurisdiction. The parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in Santa Clara County, California, and the parties hereby irrevocably consent to the personal jurisdiction and venue therein.
10.3 Non-Exclusive Remedy. Except as expressly set forth in this Agreement, the exercise by either party of any of its remedies under this Agreement will be without prejudice to its other remedies under this Agreement or otherwise.
10.4 Severability. If for any reason a court of competent jurisdiction finds any provision of this Agreement invalid or unenforceable, that provision of the Agreement will be enforced to the maximum extent permissible and the other provisions of this Agreement will remain in full force and effect.
10.5 Waiver. The failure by either party to enforce any provision of this Agreement will not constitute a waiver of future enforcement of that or any other provision. No waiver of any provision of this Agreement will be effective unless it is in writing and signed by the party granting the waiver.
10.6 Notices. Lookback may provide any notice to Customer under this Agreement by: (i) posting a notice on Lookback’s website and/or mobile application; or (ii) sending a message to the administrative email address(es) then associated with Customer’s Account. Notices Lookback provides by posting on Lookback’s website and/or mobile application will be effective upon posting, and notices Lookback provides by email will be effective on the date the email was sent without a bounce back message if sent during normal business hours of the receiving party, and on the next business day if sent after normal business hours of the receiving party. It is Customer’s responsibility to keep its email address(es) current. Customer will be deemed to have received any email sent to the email address then associated with Customer’s account when Lookback sends the email, whether or not Customer actually receives the email. If Customer has any questions regarding this Agreement please contact Lookback via email at email@example.com.
10.7 Force Majeure. Neither party will be responsible or liable to the other party for any failure or delay in its performance under this Agreement (except for the payment of money) due to causes beyond its reasonable control, including, but not limited to, labor disputes, strikes, internet outages, lockouts, war, terrorism, riot, or shortage of or inability to obtain energy, raw materials or supplies, telecommunications failure or degradation, pandemics, epidemics, public health emergencies, governmental orders and acts (including government-imposed travel restrictions and quarantines), material changes in law, war, terrorism, riot, or acts of God (each a “Force Majeure”). In the event of a Force Majeure, the party that is unable to perform or whose performance is delayed will promptly notify the other party of the Force Majeure and will use its commercially reasonable efforts to resume performance.
10.8 Relationship of Parties. The parties to this Agreement are independent contractors and this Agreement will not establish any relationship of partnership, joint venture, employment, franchise, or agency between the parties. Neither party will have the power to bind the other or incur obligations on the other’s behalf without the other’s prior written consent. No provision of this Agreement is intended to confer any rights, benefits, remedies, obligations, or liabilities hereunder upon any person other than the parties and their respective successors and assigns.
10.9 Export Control. Customer agrees to comply fully with all relevant export laws and regulations of the United States (“Export Laws”) to ensure that neither the Lookback Platform, nor any direct product thereof are: (a) exported or re-exported directly or indirectly in violation of Export Laws; or (b) used for any purposes prohibited by the Export Laws, including but not limited to nuclear, chemical, or biological weapons proliferation.
10.10 Publicity. Customer hereby grants Lookback a limited, non-exclusive, royalty-free license to use and display Customer’s name, designated trademarks and associated logos (the “Customer Marks”) during the Term in connection with (i) the hosting, operation and maintenance of the Lookback Platform; and (ii) Lookback’s marketing and promotional efforts for its products and services, including by publicly naming Customer as a customer of Lookback and case studies. All goodwill and improved reputation generated by Lookback’s use of the Customer Marks inures to the exclusive benefit of Customer. Lookback will use the Customer Marks in the form stipulated by Customer and will conform to and observe such standards as Customer prescribes from time to time in connection with the license granted hereunder.
10.11 Entire Agreement. This Agreement constitutes the complete and exclusive understanding and agreement between the parties regarding its subject matter and supersedes all prior or contemporaneous agreements or understandings, written or oral, relating to its subject matter. This Agreement may be amended or modified only by a written document executed by duly authorized representatives of the parties. The parties have read, agree to, and have executed this Agreement as of the Effective Date.
10.12 Equitable Relief. Each party agrees that a breach or threatened breach by such party of any of its obligations under Section 6 or, in the case of Customer, Section 2.3, would cause the other party irreparable harm and significant damages for which there may be no adequate remedy under law and that, in the event of such breach or threatened breach, the other party will have the right to seek immediate equitable relief, including a restraining order, an injunction, specific performance and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity or otherwise.
10.13 Subcontracting. Lookback may use subcontractors, and other third-party providers (“Subcontractors”) in connection with the performance of its own obligations hereunder as it deems appropriate; provided that Lookback remains responsible for the performance of each such Subcontractor. Notwithstanding anything to the contrary in this Agreement, with respect to any third-party vendors including any hosting (e.g. AWS) or payment vendors (e.g. PayPal), Lookback will use commercially reasonable efforts to guard against any damages or issues arising in connection with such vendors, but will not be liable for the acts or omissions of such third-party vendors except to the extent that it has been finally adjudicated that such damages or issues are caused directly from the gross negligence or willful misconduct of Lookback.
DATA PROTECTION ADDENDUM
This Data Protection Addendum (“Addendum”) forms part of the Cloud Service Agreement (the “Agreement”) between Customer (“Company”) and Lookback (“Service Provider”).
- Subject Matter and Duration.
- Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Company Personal Data in connection with Service Provider’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
- Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this Addendum if it is completed after the effective date of the Agreement. Service Provider will Process Company Personal Data until the relationship terminates as specified in the Agreement.
- “Company Personal Data” means Personal Data Processed by Service Provider on behalf of Company.
- “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Company Personal Data are subject. “Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (“CCPA”) and the EU General Data Protection Regulation 2016/679 (“GDPR”).
- “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Personal Data attributable to Service Provider.
- “Services” means the services that Service Provider performs under the Agreement.
- “Subprocessor(s)” means Service Provider’s authorized vendors and third party service providers that Process Company Personal Data.
- Data Use and Processing.
- Documented Instructions. Service Provider shall Process Company Personal Data to provide the Services in accordance with the Agreement, this Addendum, any applicable Statement of Work, and any instructions agreed upon by the parties. Service Provider will, unless legally prohibited from doing so, inform Company in writing if it reasonably believes that there is a conflict between Company’s instructions and applicable law or otherwise seeks to Process Company Personal Data in a manner that is inconsistent with Company’s instructions.
- Authorization to Use Subprocessors. To the extent necessary to fulfill Service Provider’s contractual obligations under the Agreement, Company hereby authorizes Service Provider to engage Subprocessors.
- Service Provider and Subprocessor Compliance. Service Provider agrees to (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Company Personal Data that imposes on such Subprocessors data protection requirements for Company Personal Data that are consistent with this Addendum; and (ii) remain responsible to Company for Service Provider’s Subprocessors’ failure to perform their obligations with respect to the Processing of Company Personal Data.
- Right to Object to Subprocessors. Where required by Data Protection Laws, Service Provider will notify Company by updating our website prior to engaging any new Subprocessors that Process Company Personal Data and allow Company ten (10) days to object. If Company has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.
- Confidentiality. Any person authorized to Process Company Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
- Personal Data Inquiries and Requests. Where required by Data Protection Laws, Service Provider agrees to provide reasonable assistance and comply with reasonable instructions from Company, at Company’s expense, related to any requests from individuals exercising their rights in Company Personal Data granted to them under Data Protection Laws.
- Sale of Company Personal Data Prohibited. Service Provider shall not sell Company Personal Data as the term "sell" is defined by the CCPA.
- Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Service Provider agrees to provide reasonable assistance at Company’s expense to Company where, in Company’s judgement, the type of Processing performed by Service Provider requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
- Demonstrable Compliance. Service Provider agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Company’s reasonable request.
- Limitation on Disclosure of Company Personal Data. To the extent legally permitted, Service Provider shall: (i) promptly notify Company’s Designated POC in writing upon receipt of an order, demand, or document purporting to request, demand or compel the production of Company Personal Data to any third party, including, but not limited to the United States government for surveillance and/or other purposes; and (ii) not disclose Company Personal Data to the third party without providing Company at least forty-eight (48) hours’ notice, so that Company may, at its own expense, exercise such rights as it may have under applicable laws to prevent or limit such disclosure.
- Service Optimization. Where permitted by Data Protection Laws, Service Provider may Process Company Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.
- Aggregation and De-Identification. Service Provider may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Company or any data subject to whom Company Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.
- Cross-Border Transfers of Personal Data.
- Cross-Border Transfers of Personal Data. Company authorizes Service Provider and its Subprocessors to transfer Company Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
- Standard Contractual Clauses. If Company Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Company to Service Provider in a country that has not been found to provide an adequate level of protection under Data Protection Laws, the parties agree that the terms of the transfer shall be governed by the Standard Contractual Clauses attached hereto as Exhibit A. The parties agree that: (i) the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with Section 7 of this Addendum; (ii) pursuant to Clause 5(h) and Clause 11 of the Standard Contractual Clauses, Service Provider may engage new Subprocessors in accordance with Section 3(b) – (d) of this Addendum; and (iii) the Subprocessor agreements referenced in Clause 5(j) and certification of deletion referenced in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Company’s written request. Each party’s acceptance of the Agreement shall be considered their consent to be bound by the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
- Technical and Organizational security measures.
- Service Provider’s security policy covers security in human resources, physical security, access control, acceptable use, software development, incident management, device security, and compliance with laws and regulations. It’s approved by management and communicated to the staff. Service Provider has a CISO who is responsible for the policy. The policy is reviewed at least yearly by the security team.
- Written internal policies for safe handling and protection of data.
- Background screening of employees.
- Industry standard protection of servers and networks.
- Applying the principle of least privilege for sensitive data and systems.
- Protected access logs for sensitive data and systems.
- A process to ensure third parties are capable of protecting sensitive data.
- Processes to identify and address security and privacy incidents in a timely fashion.
- A change management process with reviews for networks and systems.
- A risk assessment program where we regularly review the threats to the company and how they can be addressed.
- Personnel security
- All employees undergo training on security and privacy. This training includes device security, password and 2FA management, physical security, malware protection, network security, incident reports and acceptable device use.
- All access to systems is granted based on the principle of least privilege. There are processes to revoke access when it’s no longer needed, be it because of new assignments or because the person is no longer working with Service Provider.
- Before hiring new employees Service Provider performs an identity verification, a financial background check and a criminal record check.
- All traffic between Service Provider’s systems and client accessible services, like web applications and applications for recording, is encrypted using TLS 1.2 or higher.
- Corporate network. The corporate network is protecting internal resources like databases and servers, etc. It’s accessible via an encrypted VPN tunnel that requires two-factor authentication. Only registered devices with the required security measures installed are allowed to access the corporate network.
- Service network. Service Provider runs its production systems in a segregated network in an AWS VPC. The network is divided into public and private subnets. Ports that are not required to operate the service are closed and administrative access to the servers is only possible from our corporate network.
- Service Provider’s servers run on AWS EC2. They are built and hardened using a standard build program. As part of the hardening Service Provider will typically remove and disable non-essential services, disable default accounts and passwords, disable password based authentication, disable ssh access, setup log forwarding to a centralized logging system, scan for known vulnerabilities, and prevent the applications from spawning additional processes.
- Service Provider will run vulnerability scans daily and can roll out patches for critical vulnerabilities outside of the regular patching schedule. Patches can be tested in an isolated testing environment before being rolled out to production. Employees are signed up to mailing lists regarding new security issues.
- Data and Storage
- Industry standard encryption shall be used for data in transit and at rest.
- Data segregation
- Application level logic is used to determine who can see what data. Data is tied to an organization and if you are not a member of an organization you cannot see any of the organization’s data.
- The database is backed up by the database service provider. Files are backed up by AWS.
- Service Provider will log server events, including authentication, privileged system calls and data access. Logs shall be sent to a centralized environment with limited access. Sensitive logs shall be encrypted, protected from modification and stored at least a year.
- Administrative access
- Login to servers shall require asymmetric keys over SSH, or be disabled.
- Personnel with access to accounts at third party providers such as AWS have individual user accounts with 2FA. Service Provider shall have processes in place to audit and revoke access to the systems within 24 hours of someone leaving their position.
- Workstations at Service Provider are registered and monitored centrally. They are configured according to a standard that includes full disk encryption, secure configuration of VPN, anti malware programs that are centrally managed, secure administrative passwords and screen locking that activates within a few minutes of inactivity.
- Updates are installed automatically by the built-in patching mechanism in the OS. Security staff follow mailing lists to be up to date on vulnerabilities and, when necessary, action is taken to protect the systems, e.g. in case patches for new vulnerabilities haven’t been released yet.
- Development is performed through a process that involves planning, coordination, implementation, review, testing and follow up after deployment.
- The planning and coordination steps involve stakeholders from different departments, including security. Complex systems or complex changes are implemented by more than one developer, and/or reviewed by senior developers. Security related changes are always reviewed.
- Service Provider performs a range of testing depending on the size and complexity of the changes. It involves automated tests, and may also involve testing in an isolated testing environment, as well as internal and external user research/beta testing.
- All code is kept in a secure version management system.
- Technical security testing
- Service Provider will contract third party security firms to perform penetration tests on a yearly basis. It’s a white box test covering applications, systems and networks, including both manual and automatic testing. Any findings are tracked and resolved by the security team.
- Security Incidents.
- Notice. Upon becoming aware of a Security Incident, Service Provider agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Company’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Company to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
- Company Audit. Where Data Protection Laws afford Company an audit right, Company (or its appointed representative) may carry out an audit of Service Provider’s policies, procedures, and records relevant to the Processing of Company Personal Data. Any audit must be: (i) conducted during Service Provider’s regular business hours; (ii) with reasonable advance notice to Service Provider; (iii) carried out in a manner that prevents unnecessary disruption to Service Provider’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.
- Data Deletion.
- Data Deletion. At the expiry or termination of the Agreement, Service Provider will, at Company’s option, delete or return all Company Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Service Provider’s data retention schedule), except where Service Provider is required to retain copies under applicable laws, in which case Service Provider will isolate and protect that Company Personal Data from any further Processing except to the extent required by applicable laws.
- Processing Details.
- Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.
- Duration. The Processing will continue until the expiration or termination of the Agreement.
- Categories of Data Subjects. Data subjects whose Company Personal Data will be Processed pursuant to the Agreement.
- Nature and Purpose of the Processing. The purpose of the Processing of Company Personal Data by Service Provider is the performance of the Services.
- Service Provider will process Company Personal Data from Sessions, like video and microphone recordings, on AWS in the EU.
- Service Provider is currently using AWS's datacenter in Ireland, but may use other data centers in the EU in the future.
- Names and email addresses that are Company Personal Data may be processed in the United States.
- Types of Company Personal Data.
- When creating a Session Service Provider may process:
- video from device screens,
- audio from device microphones,
- gestures and touches (or mouse movements and clicks) performed on the device,
- the front facing camera (capturing the user’s face),
- participant’s first name, last name and email address as provided by them,
- metadata about the device used to record with (model, OS version, etc.).
- Service Provider may also process notes, comments and other data related to the recordings that enters into the Service Provider’s system.
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
Standard Contractual Clauses (Processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organisation: Company (as defined in the Addendum).
(the data exporter)
Name of the data importing organisation: Service Provider (as defined in the Addendum).
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is: Company.
The data importer is: Service Provider.
The personal data transferred concern the following categories of data subjects: As set forth in Section 9(c) of the Addendum.
Categories of data
The personal data transferred concern the following categories of data: As set forth in Section 9(e) of the Addendum.
The personal data transferred will be subject to the following basic processing activities: Processing to carry out the Services pursuant to the Agreement.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
The technical and organisational security measures are described in the Data Protection Addendum’s section 5.