Last updated on February 14, 2020
These Terms of Service (the “Terms”), together with all Order Forms (as defined below), govern Customer’s use of Dealpath Inc. (“Dealpath”)’s proprietary cloud-based collaboration and workflow platform for real estate investment professionals accessible via Dealpath’s website located at www.dealpath.com (the “Site”) and related services, unless Dealpath and Customer (as defined below) have entered into a separate written agreement. These Terms commence upon the Order Form Effective Date of the initial Order Form.
1. DEFINITIONS
“Authorized User” means an individual (i) to whom Customer (or, when applicable, Dealpath at Customer’s request) has assigned a unique username-password combination to access and use the Services; and (ii) who has registered to access and use the Services.
1.1 “Customer” means the company or other legal entity identified as customer in the applicable Order Form.
1.2 “Customer Data” means all data and information input or submitted by Customer or Authorized Users into the Services.
1.3 “Fees” means the fees described in the applicable Order Form.
1.4 “Implementation Services” means the services performed by Dealpath to configure and rollout the Services to Customer, as described in the applicable Order Form.
1.5 “Intellectual Property Rights” means patent rights (including, without limitation, patent applications and disclosures), trademark rights, copyrights, trade secrets, moral rights, know-how, and any other intellectual property rights recognized in any country or jurisdiction in the world.
1.6 “Order Form” means an order form executed by Dealpath and Customer referencing these Terms. Each Order Form shall be deemed incorporated by reference into these Terms upon mutual execution.
1.7 “Order Form Initial Term” means the initial term of an Order Form as set forth therein.
1.8 “Order Form Renewal Period” means the renewal period of an Order Form as set forth therein.
1.9 “Order Form Term” means, with respect to an Order Form, the Order Form Initial Term together with any Order Form Renewal Periods.
1.10 “Service Level Agreement” means service level agreement set forth in Exhibit A.
1.12 “Services” means Dealpath’s proprietary cloud-based collaboration and workflow platform for real estate investment professionals as described in the applicable Order Form.
2. SERVICES
2.1 Services. Dealpath will provide the Services to Customer in accordance with these Terms, including the Service Level Agreement, and the applicable Order Form. Dealpath hereby grants Customer a non-exclusive and worldwide license to access and use the Services during the Order Form Term solely for Customer’s business purposes, and such access and use is expressly limited to: (i) the number of Authorized Users for which Customer has paid the applicable Fees; and (ii) the scope of access and functionality designated in the Order Form for each category of Authorized User.
2.2 Authorized Users. An Authorized User may be an employee, independent contractor, or service provider of Customer; provided that each Authorized User must be an individual and may only use the Service on behalf of the Customer. Customer will at all times be responsible and liable hereunder, for all actions taken by (i) an Authorized User or (ii) under an Authorized User’s account, whether such action was taken by an Authorized User or by another party, and whether or not such action was authorized by an Authorized User. During the Order Form Initial Term or any Order Form Renewal Period, as applicable, Customer may, in its discretion, add additional Authorized Users in accordance with the process and prices described in the relevant Order Form. Upon each Order Form Renewal Period, subject to written notice at least thirty (30) days prior to the start of an Order Form Renewal Period, Customer may decrease its number of Authorized Users for each User Category and the applicable Fees will be adjusted accordingly.
2.3 Implementation Services. If an Order Form includes Implementation Services, Dealpath will provide the Implementation Services to Customer in accordance with these Terms and the applicable Order Form.
2.4 Restrictions. Customer shall not interfere with or disrupt the Site or the Services or attempt to gain access to any systems or networks that connect thereto (except as required to access and use the Services as permitted under these Terms). Customer shall not allow access to or use of the Site or Services by anyone other than Authorized Users, and shall not allow an Authorized User to access the Site or Service beyond the functionality scope set forth for the User Category designated for such Authorized User. Customer shall not: (a) copy, modify or distribute any portion of the Site or Services; (b) rent, lease, or provide access to the Site or Services on a time-share or service bureau basis; or (c) transfer any of its rights hereunder except as set forth in Section 12.8.
2.5 Acceptable Use Policies. Customer acknowledges and agrees that Dealpath does not monitor or police communications or data transmitted through the Site or Services and that Dealpath shall not be responsible for the content of any such communications or transmissions. Customer and its Authorized Users shall use the Site or Services exclusively for authorized and legal purposes, consistent with all applicable laws, regulations and the rights of others. Customer and its Authorized Users shall not use the Site or Services to transmit any bulk unsolicited commercial communications. Customer shall keep confidential and not disclose to any third parties (except for Authorized Users who are employees or contractors), and shall ensure that Authorized Users keep confidential and do not disclose to any third parties (except for Authorized Users who are employees or contractors), any user identifications, account numbers and account profiles.
2.6 Data Protection and Security. Each Party will comply with its obligations set forth in the Data Protection Addendum attached hereto as Exhibit B.
2.7 Privacy Policy. Customer acknowledges and agrees that its use of the Services is subject to Dealpath’s Privacy Policy (“Privacy Policy”), which is accessible at www.dealpath.com.
3. PROFESSIONAL SERVICES. If Customer requests Dealpath to perform any services that are different from or in addition to the Services or Implementation Services (“Professional Services”), and Dealpath is willing to provide such Professional Services, then the parties will mutually agree on the scope of such Professional Services by executing a specific Order Form under these Terms.
4. CUSTOMER OBLIGATIONS
4.1 Cooperation and Assistance. Customer shall at all times provide Dealpath with good faith cooperation and assistance and make available such information, facilities, Customer personnel and equipment as may be reasonably required by Dealpath in order to provide the Services, including, but not limited to, providing Customer Data, security access, information and, as necessary, software interfaces to Customer’s business applications (provided that such cooperation, assistance and resources shall be at all times subject to and in accordance with Customer’s facility, workplace, internet usage, and other internal policies, as then in effect). Additionally, Customer shall be solely responsible for acquiring and maintaining all telecommunications and Internet services and other hardware and software required to access and use the Services, including, without limitation, any and all costs, fees, expenses, and taxes of any kind related to the foregoing.
4.2 Enforcement. Customer shall ensure that all Authorized Users comply with the terms and conditions of these Terms, including, without limitation, with Customer’s obligations and the restrictions set forth in Sections 2.4 and 2.5. Customer shall promptly notify Dealpath of any reasonable suspicion or reasonably alleged material violation of the terms and conditions of these Terms by Customer or Authorized User and shall reasonably cooperate with Dealpath with respect to: (a) investigation by Dealpath of any such suspected or alleged violation of these Terms and (b) any action by Dealpath to enforce the terms and conditions of these Terms. Dealpath may suspend or terminate any Authorized User’s access to the Services upon notice to Customer in the event that Dealpath reasonably determines that such Authorized User violated these Terms or of any other agreement between Dealpath and such Authorized User pursuant to which such Authorized User is permitted to access and use the Services.
4.3 Customer Data. Customer is responsible for providing all Customer Data in the appropriate format and the means by which the Customer Data was acquired, and for obtaining any necessary rights and licenses to use the Customer Data. Customer represents and warrants that it has, and will continue to have, during the applicable Order Form Term, the legal right and authority to access, use and disclose to Dealpath any Customer Data.
5. FEES; EXPENSES; TAXES
5.1 Fees. In consideration for Dealpath providing the Services and, if applicable, Implementation Services and Professional Services, Customer shall pay to Dealpath the Fees in accordance with the terms set forth in the applicable Order Form.
5.2 Invoices; Payment; Late Payment. Unless otherwise set forth in an Order Form, (a) Dealpath shall invoice Customer annually for all Fees and applicable Taxes (as defined in Section 5.3), and including any related interest and/or penalties, due in that period, and (b) each invoice is due and payable thirty (30) days following Customer’s receipt of a duly issued invoice. If Dealpath has not received payment within thirty (30) days after the due date and Customer has not reasonably disputed an invoice, interest shall accrue on such undisputed past due amounts at the rate of one and one-half percent (1.5%) per month, but in no event greater than the highest rate of interest allowed by applicable law, calculated from the date such amount was due until the date that payment is received by Dealpath.
5.3 Taxes. All Fees and other amounts stated or referred to in these Terms are exclusive of all taxes, duties, levies, tariffs, and other governmental charges (including, without limitation, VAT) (collectively, “Taxes”). Customer shall be responsible for payment of all Taxes and any related interest and/or penalties resulting from Customer’s use of the Services, other than any taxes based on Dealpath’s income.
6. PROPRIETARY RIGHTS.
6.1 Services and Data. Dealpath shall own and retain all right, title and interest in and to: (a) the Services, and all improvements, enhancements or modifications thereto made by or on behalf of Dealpath; (b) any software, applications, inventions or other technology developed by or on behalf of Dealpath in connection with providing Implementation Services or Professional Services; and (c) all Intellectual Property Rights related to any of the foregoing. Customer shall own and retain all right, title and interest in and to the Customer Data; provided that Dealpath may collect, generate, process and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies, including without limitation learnings, analytics, algorithms, data and other information derived therefrom (collectively, “Usage Data”); provided that such Usage Data shall not incorporate any Customer Data and shall be in an aggregated and de-identified form. Subject to Customer’s rights in the Customer Data, Dealpath shall own all right, title and interest in and to Usage Data, and all Intellectual Property Rights therein. Dealpath agrees that it will not use Usage Data for the benefit of a third party in a manner that would permit reverse engineering of Usage Data such that Customer (or its Authorized Users) can be identified as the source of such data.
6.2 Feedback. To the extent that Customer provides to Dealpath any feedback, comments and suggestions for improvements to the Services (“Feedback”), Customer grants Dealpath a non-exclusive, worldwide, perpetual, irrevocable, fully-paid, royalty-free, sublicensable and transferable license under any and all Intellectual Property Rights that Customer owns or controls to use, copy, modify, create derivative works based upon and otherwise exploit the Feedback for any purpose.
6.3 DMCA/Copyright Policy. Dealpath respects copyright law and expects Customer to do the same. It is Dealpath’s policy to terminate in appropriate circumstances access to the Services to customers (and its authorized users) who repeatedly infringe or are believed to be repeatedly infringing the rights of copyright holders. Please see Dealpath’s Copyright Policy at www.dealpath.com, for further information.
7. CONFIDENTIALITY
7.1 Definition. “Confidential Information” means any business or technical information disclosed by one party to the other party that: (i) if disclosed in writing, is marked “confidential” or “proprietary” at the time of disclosure; (ii) if disclosed orally, is identified as “confidential” or “proprietary” at the time of disclosure, and is summarized in a writing sent by the disclosing party to the receiving party within thirty (30) days after any such disclosure; or (iii) under the circumstances, a person exercising reasonable business judgment would understand to be confidential or proprietary. For clarity, and regardless of the circumstances and manner of disclosure, Customer Data is considered to be Confidential Information of Customer, and the Services are Dealpath’s Confidential Information.
7.2 Exclusions. The obligations and restrictions set forth in Section 7.3 will not apply to any information that: (i) is or becomes generally known to the public through no fault of or breach of these Terms by the receiving party; (ii) is rightfully known by the receiving party at the time of disclosure; (iii) is independently developed by the receiving party without access to the disclosing party’s Confidential Information; or (iv) the receiving party rightfully obtains from a third party who, after due inquiry, has the right to disclose such information without breach of any confidentiality obligation to the disclosing party.
7.3 Use and Nondisclosure. A receiving party will not use the disclosing party’s Confidential Information except to perform its obligations and exercise its rights hereunder, and will not disclose such Confidential Information to any third party except to those of its employees and subcontractors who have a bona fide need to know such Confidential Information for the performance or enforcement of these Terms; provided that each such employee and subcontractor is bound by a written agreement that contains use and disclosure restrictions consistent with the terms set forth in this Section 7. Each receiving party will protect the disclosing party’s Confidential Information from unauthorized use and disclosure using efforts equivalent to the efforts that the receiving Party ordinarily uses with respect to its own confidential information of like importance and in no event less than a reasonable standard of care. The provisions of this Section 7.3 will remain in effect for a period of three (3) years after the expiration or termination of these Terms; provided that with respect to Confidential Information that is a trade secret, the provisions of this Section 7.3 will remain in effect for so long as such Confidential Information is deemed a trade secret under applicable law.
7.4 Permitted Disclosures. The provisions of this Section 7 will not restrict either party from disclosing the other party’s Confidential Information: (i) pursuant to the order or requirement of a court, administrative agency, or other governmental body; provided that the party required to make such a disclosure gives reasonable notice to the other party to enable it to contest such order or requirement or limit the scope of such request; (ii) on a confidential basis to its legal or professional financial advisors; or (iii) as required under applicable securities regulations. In addition, either party may disclose the terms and conditions of this Agreement on a confidential basis to present or future providers of venture capital and/or potential private investors in or acquirers of such party.
8. WARRANTY
8.1 Mutual Warranties. Each party hereby represents and warrants to the other party that: (i) it is duly organized, validly existing and in good standing under its jurisdiction of organization and has the right to enter into these Terms and (ii) the execution, delivery and performance of these Terms and the consummation of the transactions contemplated hereby are within the corporate powers of such party and have been duly authorized by all necessary corporate action on the part of such party, and constitute a valid and binding agreement of such party.
8.2 Warranty for Services. Dealpath represents and warrants that the Services will meet the requirements set forth in the Service Level Agreement. Dealpath’s sole and exclusive liability and Customer’s sole and exclusive remedy for any breach of the warranty set forth in this Section 8.2 will be as set forth in the Service Level Agreement.
8.3 Customer Warranty. Customer represents and warrants that it has the right to grant the rights to Customer Data granted hereunder.
8.4 Disclaimer. EXCEPT AS EXPRESSLY PROVIDED IN SECTION 8, DEALPATH MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WHATSOEVER, EXPRESS OR IMPLIED, IN CONNECTION WITH THESE TERMS OR THE SERVICES AND DEALPATH HEREBY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, ACCURACY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. DEALPATH DISCLAIMS ANY WARRANTY THAT THE SERVICES WILL BE ERROR FREE OR UNINTERRUPTED OR THAT ALL ERRORS WILL BE CORRECTED. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED FROM DEALPATH OR ELSEWHERE SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THESE TERMS. Customer assumes sole responsibility and liability for results obtained from the use of the Services and for conclusions drawn from such use. Dealpath shall have no liability for any claims, losses, or damages caused by errors or omissions in any Customer Data or other information provided to Dealpath by Customer in connection with the Services or any actions taken by Dealpath at Customer’s direction. Dealpath shall have no liability for any claims, losses or damages arising out of or in connection with Customer’s or any Authorized User’s use of any third-party products, services, software or web sites that are accessed via links from within the Services.
9. TERM AND TERMINATION
9.1 Term. These Terms are effective as of the Order Form Effective of the first Order Form the Customer and Dealpath enter into and, unless earlier terminated in accordance with Section 9.2, continue until all Order Forms have expired or are terminated pursuant to these Terms and applicable Order Forms.
9.2 Termination for Cause. Either party may terminate these Terms (together with all Order Forms) upon written notice if the other party breaches any material term of these Terms and fails to correct the breach within thirty (30) days following written notice from the non-breaching specifying the breach; provided that the cure period for any default with respect to payment shall be ten (10) business days. Either party may terminate an individual Order Form upon written notice if the other party breaches any material term of such Order Form and fails to correct the breach within thirty (30) days following written notice from the non-breaching specifying the breach; provided that the cure period for any default with respect to payment shall be ten (10) business days.
9.3 Rights and Obligations Upon Expiration or Termination. Upon expiration or termination of each Order Form: (i) Customer’s and its Authorized Users’ right to access and use the Services under such Order Form shall immediately terminate; (ii) Customer and its Authorized Users shall immediately cease all use of the Services under such Order Form; (iii) each party shall make no further use of any Confidential Information, materials, or other items (and all copies thereof) belonging to the other party (unless otherwise authorized to do so hereunder based on a separate Order Form); (iv) upon request, Dealpath shall at no additional cost cooperate in the transfer of Customer Data requested by Customer, which shall be promptly delivered to Customer in either text, .xlsx or comma delineated format, or such other format reasonably requested by Customer; and (v) with respect to such Order Form, Dealpath shall, at Customer’s option and upon its written request, promptly return or destroy and erase from all systems it directly or indirectly uses or controls, (1) all originals and copies of all documents and other materials that are Customer’s Confidential Information or (2) solely such specific databases or other collections or articles of Customer’s Confidential Information as Customer may request.
9.4 Effect of Termination. Upon expiration or termination of an Order Form (other than termination pursuant to Section 9.2): (i) any other Order Form that is then-in effect will remain in-effect for the duration of the then-current term of such Order Form; and (ii) these Terms will continue to apply with respect to such Order Forms until expiration or termination of such Order Forms.
9.5 Survival. The rights and obligations of Dealpath and Customer contained in Sections 1 (Definitions), 2.6 (Data Protection and Security), 2.7 (Privacy Policy), 5 (Fees, Expenses and Taxes), 6 (Proprietary Rights), 7 (Confidentiality), 8.3 (Disclaimer) 9.3 (Rights and Obligations Upon Expiration or Termination), 9.4 (Effect of Termination), 9.5 (Survival), 10 (Indemnification), 11 (Limitation of Liability), and 12 (General) shall survive any expiration or termination of these Terms and Order Forms.
10. INDEMNIFICATION
10.1 Indemnification by Dealpath. Dealpath shall defend (or settle), indemnify and hold harmless Customer, its officers, directors and employees (collectively, “Customer Indemnitees”), from and against any court costs, reasonable attorneys’ fees, damages and liabilities awarded in final judgment against Customer Indemnitees, and amounts agreed to in settlement, with respect to each of the foregoing, to the extent arising from any third-party claim or suit against Customer Indemnitees that the Services, as provided by Dealpath to Customer pursuant to these Terms, infringe, misappropriate, or otherwise violate any Intellectual Property Right of any third party. Dealpath’s obligations under this Section 10.1 are contingent upon: (a) Customer providing Dealpath with prompt written notice of such claim (provided that any delay that does not materially prejudice Dealpath’s ability to defend the claim will not relieve Dealpath of its indemnification obligations); (b) Customer providing reasonable cooperation to Dealpath, at Dealpath’s expense, in the defense and settlement of such claim; and (c) Dealpath having sole authority to defend or settle such claim.
10.2 Injunctions. If Customer’s use of the Services is, or in Dealpath’s opinion is likely to be, enjoined due to the type of claim specified in Section 10.1, then Dealpath may at its sole option and expense: (i) replace or modify the Services to make them non-infringing and of equivalent functionality; (ii) procure for Customer the right to continue using the Services under the terms of these Terms; or (iii) if Dealpath is unable to accomplish either (i) or (ii) despite using its reasonable efforts, terminate Customer’s rights and Dealpath’s obligation under these Terms with respect to such Services and refund to Customer a pro-rata portion of the Fees paid for the remaining portion of the Order Form Initial Term or Order Form Renewal Period during which Customer would have had access to the Services.
10.3 Exclusions. Notwithstanding the terms of Section 10.1, Dealpath will have no liability for any infringement or misappropriation claim of any kind to the extent that it results from: (i) the combination, operation or use of the Services with equipment, devices, software or data (including without limitation Customer Data) not supplied by Dealpath, if a claim would not have occurred but for such combination, operation or use; or (ii) Customer’s or an Authorized User’s use of the Services other than in accordance with these Terms.
10.4 Sole Remedy. THE PROVISIONS OF SECTION 10.1, 10.2 AND 10.3 STATE DEALPATH AND ITS LICENSORS SOLE LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY ALLEGED OR ACTUAL INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY RIGHTS BY THE SERVICES.
10.5 Indemnification by Customer. Customer shall defend (or settle), indemnify and hold harmless Dealpath, its officers, directors and employees (collectively, “Dealpath Indemnitees”), from and against any court costs, reasonable attorneys’ fees, damages and liabilities awarded in final judgment against Dealpath Indemnitees, and amounts agreed to in settlement, with respect to each of the foregoing, to the extent arising from any third-party claim or suit based on (i) Customer’s or an Authorized User’s use of the Services to the extent such use was not in accordance with these Terms, or (ii) a claim that the Customer Data or Customer’s use of the Services not in accordance with these Terms infringes, misappropriates, or violates any Intellectual Property Rights, privacy rights, or other rights of a third party. Customer’s obligations under this Section 10.5 are contingent upon: (a) Dealpath providing Customer with prompt written notice of such claim (provided that any delay that does not materially prejudice Customer’s ability to defend the claim will not relieve Customer of its indemnification obligations); (b) Dealpath providing reasonable cooperation to Customer, at Customer’s expense, in the defense and settlement of such claim; and (c) Customer having sole authority to defend or settle such claim.
11. LIMITATION OF LIABILITY.
11.1 Exclusion of Damages. EXCEPT FOR LIABILITY ARISING FROM A BREACH OF SECTIONS 2.4, 2.5 OR 7, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF INCOME, DATA, PROFITS, REVENUE OR BUSINESS INTERRUPTION, OR OTHER ECONOMIC LOSS, WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND WHETHER ANY CLAIM FOR RECOVERY IS BASED ON THEORIES OF CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE AND STRICT LIABILITY) OR OTHERWISE.
11.2 Total Liability. NOTWITHSTANDING ANY OTHER PROVISIONS OF THESE TERMS, EXCEPT FOR LIABILITY ARISING FROM A BREACH OF SECTIONS 2.4 OR 2.5AND FOR THE PARTIES’ INDEMNIFICATION OBLIGATIONS IN SECTION 10, NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY TO THE OTHER PARTY AND ANY THIRD PARTY ABOUT THESE TERMS OR CUSTOMER’S ACCESS TO AND USE OF THE SERVICES EXCEED THE TOTAL FEES OWED BY CUSTOMER IN THE TWELVE-MONTH PERIOD PRECEDING THE CLAIM OR ACTION, REGARDLESS OF THE FORM OR THEORY OF THE CLAIM OR ACTION.
11.3 Basis of Bargain. THE LIMITATIONS OF LIABILITY AND EXCLUSIONS OF DAMAGES SET FORTH IN THIS SECTION 11 ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN DEALPATH AND CUSTOMER AND WILL APPLY TO THE MAXIMUM EXTENT ALLOWED UNDER APPLICABLE LAW.
12. GENERAL
12.1 Governing Law. These Terms and all matters arising out of or relating to these Terms shall be governed by the laws of the State of California, without regard to its conflict of law provisions. Any legal action or proceeding relating to these Terms shall be brought exclusively in the state or federal courts located in San Francisco, California. Dealpath and Customer hereby agree to submit to the jurisdiction of, and agree that venue is proper in, those courts in any such legal action or proceeding.
12.2 Waiver. The waiver by either party of any default or breach of these Terms shall not constitute a waiver of any other or subsequent default or breach. No waiver of any provision of these Terms will be effective unless it is in writing and signed by the party granting the waiver.
12.3 Notices. Dealpath may give notice to Customer by means of a general notice through the Services interface, email to Customer’s e-mail address on record with Dealpath, or by written communication sent by first class postage prepaid mail or nationally recognized overnight delivery service to Customer’s address on record with Dealpath. Customer may give notice to Dealpath by written communication sent by first class postage prepaid mail or nationally recognized overnight delivery service addressed to Dealpath, Inc., 300 California Street, Ste 200, San Francisco, CA 94104. Notice shall be deemed to have been given upon receipt or, if earlier, two (2) business days after mailing, as applicable. For notices made by e-mail, the date of receipt will be deemed the date on which such notice is transmitted.
12.4 Severability. In the event any provision of these Terms is held to be invalid or unenforceable, the remaining provisions of these Terms shall remain in full force and effect.
12.5 Force Majeure. Neither party shall be liable hereunder by reason of any failure or delay in the performance of its obligations hereunder (except for the payment of money) on account of events beyond the reasonable control of such party, which may include without limitation denial-of-service attacks, strikes, shortages, riots, insurrection, fires, flood, storm, explosions, acts of God, war, terrorism, governmental action, labor conditions, earthquakes and material shortages (each a “Force Majeure Event”). Upon the occurrence of a Force Majeure Event, the non-performing party will be excused from any further performance of its obligations effected by the Force Majeure Event for so long as the event continues and such party continues to use commercially reasonable efforts to resume performance.
12.6 Compliance with Laws. Each party agrees to comply with all applicable laws and regulations with respect to its activities hereunder, including, but not limited to, any export laws and regulations of the United States.
12.7 Relationship Between the Parties. Nothing in these Terms shall be construed to create a partnership, joint venture or agency relationship between the parties. Neither party will have the power to bind the other or to incur obligations on the other’s behalf without such other party’s prior written consent.
12.8 Assignment. Neither Party may assign or transfer these Terms, in whole or in part, without the other party’s prior written consent; provided that: (i) Dealpath may assign these Terms without Customer’s prior written consent to a successor entity in connection with a merger, acquisition, or sale of all or substantially all of Dealpath’s assets to which these Terms relate; and (ii) Customer may assign these Terms without Dealpath’s prior written consent to a successor entity who is not a competitor of Dealpath in connection with a merger, acquisition, or sale of all or substantially all of Customer’s assets to which these Terms relate. Any attempted assignment or transfer without such consent will be null and of no effect. Subject to the foregoing, these Terms will bind and inure to the benefit of the parties, their successors and permitted assigns.
12.9 Entire Agreement. These Terms (together with all Order Forms) constitute the complete and exclusive agreement between the parties concerning its subject matter and supersede all prior or contemporaneous agreements or understandings, written or oral, concerning the subject matter of these Terms. These Terms may not be modified or amended except in a writing signed by a duly authorized representative of Dealpath and Customer. If there is any inconsistency between the provisions of these Terms and the terms in any Order Form, these Terms shall prevail.
12.10 Non-Exclusive Remedies. Except as set forth in Sections 8.1 and 10.4, the exercise by either party of any remedy under these Terms will be without prejudice to its other remedies under these Terms or otherwise.
12.11 Equitable Relief. Each party acknowledges that a breach by the other party of any confidentiality or proprietary rights provision of these Terms may cause the non-breaching party irreparable damage, for which the award of damages would not be adequate compensation. Consequently, the non-breaching party may institute an action to enjoin the breaching party from any and all acts in violation of those provisions, which remedy shall be cumulative and not exclusive, and a party may seek the entry of an injunction enjoining any breach or threatened breach of those provisions, in addition to any other relief to which the non-breaching party may be entitled at law or in equity.
12.12 No Third-Party Beneficiaries. These Terms are intended for the sole and exclusive benefit of the signatories and is not intended to benefit any third party. Only the parties to these Terms may enforce them.
12.13 Headings. The headings in these Terms are for the convenience of reference only and have no legal effect.
LIST OF EXHIBITS
EXHIBIT A – SERVICE LEVEL AGREEMENT
EXHIBIT B – DATA PROTECTION AGREEMENT
EXHIBIT C – REVISION HISTORY
EXHIBIT A
SERVICE LEVEL AGREEMENT
- Service Availability.
The Services under each Order Form shall be available to Customer with 99.90% platform uptime, measured monthly, excluding Planned Downtime, and emergency maintenance.
- Service Availability Calculation.
The percentage of Services under each Order Form availability will be calculated as follows:
Where:
- Planned Downtime.
(a) Planned Downtime. “Planned Downtime” occurs when Customer or Authorized Users have no access to the Services under an Order Form due to scheduled maintenance.
(b) Scheduled Maintenance. Dealpath will use commercially reasonable efforts to undertake all necessary maintenance in a manner that mitigates impact to Customer and its users and to notify Customer of the required maintenance. Dealpath will use commercially reasonable efforts to provide twenty-four (24) hours’ prior notice for scheduled maintenance not to exceed six (6) hours. Notice provided under this Section will be via email.
- Technical Support
(a) Hours of Support. Dealpath will respond to problems with the Services experienced by Customer or its Authorized Users in accordance with this Section 4. Dealpath will provide coverage parameters specific to the service(s) covered in these Terms as follows:
- Telephone support: Dealpath will designate a dedicated account manager who will provide phone support to Customer during normal business hours on weekdays during the hours of 9:00 a.m. – 5:00 p.m. Pacific Time with the exclusion of Federal Holidays. Dealpath will use commercially reasonable efforts to respond to all support requests within 1 business day.
(b) Problem Severity Level Definitions. Problems reported by Customer to Dealpath support will be assigned a Severity Level in accordance with the following:
Impact Severity Levels |
Severity 1 |
Critical Failure – actual failure of Service where the Service is unavailable to the Customer. |
Severity 2 |
Major Degradation – Critical problem causing loss of data or loss of service to a core Service functionality. Services are functioning but in a significantly reduced capacity, may affect multiple users. |
Severity 3 |
Minor Service/Application Degradation – does not affect core Service functionality. |
(c) Problem Response Times. Dealpath will use commercially reasonable efforts to meet or exceed the target response and problem resolution times for each Severity Level as set forth in the following:
Severity Level |
Response Time Objective |
Restoration
Resolution Objective |
Customer Update Frequency |
1
|
4 Hours |
24 hours to resolve or provide work around |
Daily |
2 |
4 Hours |
3 Business Days to resolve or provide work around |
Daily |
3 |
1 Day |
20 Business Days to resolve or provide work around |
Weekly |
(*) “Business Days” are defined as non-weekend and non-US holiday days.
- Service Level Credits
(a) Any downtime resulting from outages of third party connections or utilities or other reasons beyond Dealpath’s control will be excluded from any calculation of downtime. Customer’s sole and exclusive remedy, and Dealpath’s entire liability, in connection with Services availability shall be that for each period of downtime lasting longer than one hour, Dealpath will credit Customer 5% of Fees due for the Services for the month in question under the applicable Order Form for each period of 30 or more consecutive minutes of downtime for the Services under such Order Form; provided that no more than one such credit will accrue per day. If the Fees for the Services are paid on an annual basis, the downtime credit will be calculated based on one-twelfth (1/12th) of the annual Fees. Downtime shall begin to accrue at the earliest of (i) as soon as Customer (with notice to Dealpath) recognizes that downtime is taking place, or (ii) Dealpath otherwise becomes aware that downtime is taking place, and continues until the availability of the Services is restored. In order to receive downtime credit, Customer must notify Dealpath in writing within twenty-four (24) hours from the time of downtime, and failure to provide such notice will forfeit the right to receive downtime credit. Such credits may not be redeemed for cash and shall not be cumulative beyond a total of credits for one (1) week of Fees under the applicable Order Form in any one (1) calendar month in any event. Dealpath will only apply a credit to the month in which the incident occurred, or, if the Fees for the Services are paid on an annual basis, Dealpath will credit the downtime credit at the end of the applicable annual period. Dealpath’s blocking of data communications or other portions of the Services in accordance with its policies shall not be deemed to be a failure of Dealpath to provide adequate service levels under these Terms.
EXHIBIT B – DATA PROTECTION ADDENDUM
This Data Processing Addendum (“Addendum”) forms part of the Terms between Customer and Dealpath.
- Subject Matter and Duration.
- Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Dealpath’s execution of the Services under the Terms. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Terms. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Terms, this Addendum shall control.
- Duration and Survival. This Addendum will become legally binding upon the Order Form Effective Date of the initial Order Form, or upon the date that the parties enter into this Addendum if it is completed after the effective such Order Form Effective Date. Dealpath will Process Customer Personal Data until the relationship terminates as specified in the Terms. Dealpath’s obligations and Customer’s rights under this Addendum will continue in effect so long as Dealpath Processes Customer Personal Data.
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
- “Customer Personal Data” means Personal Data Processed by Dealpath on behalf of Customer.
- “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (“CCPA”) and the EU General Data Protection Regulation 2016/679 (“GDPR”).
- “Personal Data” shall have the meaning assigned to the terms “personal data” and/or “personal information” under applicable Data Protection Laws.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Dealpath.
- “Services” means any and all services that Dealpath performs under the Terms.
- “Subprocessor” means Dealpath’s authorized vendors and third-party service providers that Process Customer Personal Data.
- Data Use and Processing.
- Documented Instructions. Dealpath and its Subprocessors shall Process Customer Personal Data only in accordance with the documented instructions of Customer or as specifically authorized by this Addendum, the Terms, or any applicable Statement of Work. Dealpath will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
- Authorization to Use Subprocessors. To the extent necessary to fulfill Dealpath’s contractual obligations under the Terms or any Statement of Work, Customer hereby authorizes Dealpath to engage Subprocessors.
- Dealpath and Subprocessor Compliance. Dealpath agrees to (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection and security requirements for Customer Personal Data that are consistent with this Addendum; and (ii) remain responsible to Customer for Dealpath’s Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
- Right to Object to New Subprocessors. Where required by Data Protection Laws, Dealpath will notify Customer’s POC (defined below) via email prior to engaging any new Subprocessors that Process Customer Personal Data and allow Customer ten (10) days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.
- Confidentiality. Any person authorized to Process Customer Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
- Personal Data Inquiries and Requests. Dealpath agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
- Sale of Customer Personal Data Prohibited. Dealpath shall not sell Customer Personal Data as the term “sell” is defined by the CCPA.
- Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Dealpath agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgement, the type of Processing performed by Dealpath requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
- Demonstrable Compliance. Dealpath agrees to provide reasonable information necessary to demonstrate compliance with this Addendum to Customer upon reasonable request.
- Cross-Border Transfers of Personal Data.
- Cross-Border Transfers of Personal Data. Customer authorizes Dealpath to transfer Customer Personal Data across international borders, including from the European Economic Area to the United States. Where required, cross-border transfers of Customer Personal Data must be supported by an approved adequacy mechanism.
- Privacy Shield Certification. Dealpath is in the process of becoming, or Dealpath is currently, Privacy Shield certified, will maintain its Privacy Shield certification during the term of the Terms and will Process the Customer Personal Data in accordance with the Privacy Shield principles. Dealpath will provide written notification to Customer’s POC before it withdraws from or otherwise no longer maintains a current certification to Privacy Shield.
- Standard Contractual Clauses. To the extent Dealpath is not currently Privacy Shield certified or if Privacy Shield is invalidated, Customer and Dealpath will use the Standard Contractual Clauses in this Attachment 1 to Exhibit B as the adequacy mechanism supporting the transfer of Customer Personal Data. The parties agree that: (i) the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with Section 7 of this Addendum; (ii) Pursuant to Clause 5(h) of the Standard Contractual Clauses, Dealpath may engage new Subprocessors in accordance with Section 3(b) – (d) of this Addendum; and (iii) the subprocessor agreements referenced in Clause 5(j) and certification of deletion referenced in Clause 12(1) of the Standard Contractual Clauses shall be provided by Dealpath only upon Customer’s written request. Each party’s signature to the Terms shall be considered a signature to the Standard Contractual Clauses to the extent the Standard Contractual Clauses apply hereunder.
- Information Security Program.
- Dealpath agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data in accordance with Data Protection Laws, as described in Appendix 2 to this Attachment 1 to Exhibit B.
- Security Incidents.
- Notice. Upon becoming aware of a Security Incident, Dealpath agrees to provide notice via e-mail without undue delay and within the time frame required under Data Protection Laws to Customer’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
- Investigation. Dealpath will investigate the Security Incident and provide Customer with information concerning the scope, cause, impact of, and mitigation measures referenced in (c) below taken with respect to such Security Incident upon the initial notification referenced in (a) above, or, if not available at such time, promptly thereafter.
- Mitigation. Dealpath will take reasonable steps to mitigate the effects of the Security Incident.
-
- Audits. The parties acknowledge that Dealpath uses third party auditors to verify the adequacy of its Processing of Customer Personal Data. The audit: (i) is performed annually; (ii) is performed against the SOC 2 Type 2 framework; (iii) is performed by an independent third-party security professional at Dealpath’s selection and expense; and (iv) will result in the generation of an audit report affirming that Dealpath’s security controls are compliant with SOC 2 Type 2 (“Report”). Upon request, Dealpath will provide Customer with a copy of its then current Report. If Customer demonstrates that the information contained in the Report is not sufficient for its compliance purposes, then Customer may carry out a follow up audit to ensure Dealpath’s compliance with the terms of this Addendum by having Dealpath complete a data protection questionnaire of reasonable length. Any provision of the Report to, or audit carried out by Customer shall be subject to reasonable confidentiality procedures.
- Data Deletion.
- Data Deletion. At the expiry or termination of the Terms, Dealpath will, upon Customer’s request, delete or return all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Dealpath’s data retention schedule), except where Dealpath is required to retain copies under applicable laws, in which case Dealpath will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
- Customer can choose to engage Dealpath’s Professional Services at any point to request an export of all Customer Personal Data and any other of Customer’s Services account information (such as tasks, files, comments, and deal activity logs). The requested information will be exported and delivered to the Customer contact specified in writing by Customer (email accepted) in a common file format.
- Processing Details.
- Subject Matter. The subject matter of the Processing is the Services pursuant to the Terms.
- Duration. The Processing will continue until the expiration or termination of the Terms.
- Categories of Data Subjects. Data subjects whose Customer Personal Data will be Processed pursuant to the Terms.
- Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by Dealpath is the performance of the Services.
- Types of Customer Personal Data. Customer Personal Data that is Processed pursuant to the Terms.
- Contact Information. Customer and Dealpath agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POC for both parties are set forth in the applicable Order Form.
Attachment 1 to Exhibit B
Standard Contractual Clauses (Processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organisation: Customer (as defined in the Addendum).
……………………………………………………………
(the data exporter)
And
Name of the data importing organisation: Dealpath (as defined in the Addendum).
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law‘ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter
The data exporter is: Customer.
Data importer
The data importer is: Dealpath.
Data subjects
The personal data transferred concern the following categories of data subjects: As set forth in Section 9 of the Addendum.
Categories of data
The personal data transferred concern the following categories of data: As set forth in Section 9 of the Addendum.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data: N/A.
Processing operations
The personal data transferred will be subject to the following basic processing activities: Processing to carry out the Services pursuant to the Terms.
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Dealpath will maintain the following technical, organizational, and physical safeguards designed to protect the security, confidentiality, integrity, and availability of Customer Personal Data. Dealpath will not materially decrease the overall security of the Services during the Agreement.
- SOC-2 Compliance. Dealpath is SOC 2 Type 2 certified and will remain certified for the duration of the Agreement.
- Password Protection. Customer’s and its Authorized Users’ Services accounts are password protected with verification and notifications through Customer’s corporate email account.
- Encryption. The Services are delivered and accessible using non-obsolete encryption and hash standards, with all data being encrypted at rest, using AES (reversible encryption) and SHA-2 (irreversible hashing) or better, and in encrypted in transit using HTTPS with Transport Layer Security 1.2 or better.
- Physical and Logical Security. Dealpath shall use commercially reasonable efforts to restrict logical access to Dealpath’s equipment and/or media containing Customer Personal Data to authorized individuals as required in the applicable Service Schedule. Dealpath shall carry out commercially reasonable measures to limit physical access to Customer Personal Data in its custody or control, which may include use of electronic access control; CCTV; intrusion detection systems; implementing visitor entry control procedures; securing offices, rooms, and facilities; protecting against reasonably anticipated external and environmental threats; and controlling all access points including delivery and loading areas.
- Software and Virus Protection. Dealpath shall regularly review and update, as necessary, all software, firmware, firewalls and hardware used on Dealpath’s systems in accordance with industry standard practices. Dealpath shall install and maintain commercially reasonable anti-virus software on its systems and update such anti-virus software on a regular basis in accordance with relevant industry practice. Dealpath shall notify the Customer promptly in the event it becomes aware of the actual or potential transmission of any identified computer virus by Dealpath to the Customer.
- Disaster Recovery. Dealpath shall maintain and implement disaster recovery and avoidance procedures designed to restore, in a commercially reasonable manner, Dealpath’s critical business applications and critical infrastructure at data centers in the event of a disaster event at Dealpath’s facilities (“Disaster Recovery Plan”). On at least an annual basis, Dealpath shall review and update, if necessary, its Disaster Recovery Plan.
EXHIBIT C
Revision History
Terms of Service – Revision – Aug 2019